The Social-Engineer Podcast
Ep. 215 - Security Awareness Series - Do You Live in the City of NO with Jason Rebholz
This episode covers various topics related to social engineering, cybersecurity career paths, network fundamentals, key insights from experts, modern backup strategies, phishing simulations, building resilient systems, continuous training, recommended books, and a conclusion discussing future episodes. The episode features guest Jason Rebholz, Chief Information Security Officer at Corvus Insurance. The importance of social engineering training, cybersecurity certifications, and the role of cyber insurance in solving security at scale are highlighted. The episode also emphasizes the need for understanding network topology, focusing on basics in security, and exploring GRC roles for mid-career professionals. Key insights include prioritizing EDR, MFA, secure backups, and email security; using cybersecurity tools effectively; working with the business to reduce risk; and the evolution of backup definitions. The importance of realistic phishing simulations, customization of backup plans, and building resilient systems while providing continuous training is discussed. The episode concludes with book recommendations on leadership, self-improvement, and storytelling.
Prioritize EDR, MFA, Secure Backups, and Email Security
Endpoint detection and response, strong multi-factor authentication, secure backups, and email security are the top priorities for cybersecurity.
Understand Network Topology and Focus on Basics
Having a good working knowledge of how networks are built and understanding network topology is crucial in identifying vulnerabilities. Focusing on basics can prevent many attacks.
Explore GRC Roles for Mid-Career Professionals
Mid-career professionals without technical backgrounds can break into cybersecurity by exploring governance, risk, and compliance (GRC) roles.
Use Cybersecurity Tools Effectively
It's important to use cybersecurity tools as intended and incorporate them into daily processes.
Reduce Risk to an Acceptable Level
Security professionals should work with the business to reduce risk to an acceptable level rather than aiming for complete elimination of risk.
Good MFA Includes FIDO2 Compliant Methods
Multi-factor authentication (MFA) should include FIDO2 compliant methods for better protection against phishing attacks.
Have a Robust Backup Plan
Having a robust backup plan is crucial in case of ransomware attacks. Regularly testing the viability of backups is recommended.
Build Resilient Systems and Provide Education and Training
Blaming users for security incidents is unfair. Instead, focus on building more resilient systems and providing education and training.
Continuous Training and Phishing Simulations
Annual security training is not enough. Continuous training and realistic phishing simulations are necessary to prepare employees for real-world threats.
Recommended Books on Leadership and Self-Improvement
The speaker recommends reading books on leadership and self-improvement, such as 'Atomic Habits', to build the right systems for success.
- Guest's Cybersecurity Journey
- Fundamentals of Security
- Entering the Cybersecurity Industry
- Key Insights
- Modern Backup Strategies and Phishing Simulations
- Building Resilient Systems and Continuous Training
- Recommended Books and Conclusion
00:03 - 06:19
- Podcast is hosted by Chris Hadnagy and co-hosted by Ryan MacDougall
- Training classes on social engineering offered by Social Engineer LLC
- Upcoming classes in Orlando and Bucharest announced on the website
- MLSE class to be opened for the first time, more information on the website
- Security awareness month approaching, book a speaker from Social Engineer's website
- Join the Slack channel for discussions on social engineering with over 1,500 members
- Job board available in the Slack channel for job seekers and employers
- Innocent Lives Foundation works with law enforcement to locate child traffickers and abusers
- Volunteer or donate to support Innocent Lives Foundation's mission
- Clutch rock band supports Innocent Lives Foundation through fundraisers
- Guest Jason Rebholz is Chief Information Security Officer at Corvus Insurance
Guest's Cybersecurity Journey
05:57 - 12:48
- The speaker's career in cybersecurity started in high school when they stumbled into the security aspect of programming.
- They attended Rochester Institute of Technology, which had a focus on cybersecurity and provided a well-rounded base in networking and system administration.
- The speaker's first full-time job was at Mandiant, where they learned forensics and investigated nation-state threats and hacktivists.
- They developed a passion for financial crime and gained experience in investigating brick-and-mortar stores and e-commerce sites for credit card data theft.
- The speaker then worked for the Crypsis Group, specializing in cyber insurance and responding to ransomware attacks.
- They co-founded MOXFIVE, which focused on business recovery after ransomware attacks.
- Currently, the speaker is running internal security for Corvus Insurance, where they also lead the threat intelligence team and the risk and response team to protect policyholders.
- Their goal is to solve security at scale by influencing security through cyber insurance education and mandated controls.
Fundamentals of Security
12:18 - 19:07
- Having a good working knowledge of how networks are built and how systems work together is fundamental for everyone in security.
- Defenders think in checklists while attackers think in graphs.
- Understanding network topology helps in visualizing an attack and identifying potential vulnerabilities.
- Compliance is important but not the sole focus of security; understanding how networks work is crucial.
- Background knowledge in system administration can be valuable for forensics, testing, and general security.
- Assumptions and overcomplication are common pitfalls in security; focusing on basics can prevent many attacks.
- Positioning oneself to be less vulnerable and making it harder for attackers allows time for detection and response.
- For mid-career professionals without technical backgrounds, exploring GRC (governance, risk, and compliance) roles can be a way to break into cybersecurity.
Entering the Cybersecurity Industry
18:54 - 24:35
- Breaking into a new industry can be challenging, but finding a small entry point can lead to success.
- Getting certifications like Security+ or A+ can help start a career in InfoSec.
- There are many unfilled positions in cybersecurity, and it's a great field to pursue.
- Cybersecurity offers opportunities related to various interests and passions.
- Being flexible and open to changing career paths is important.
- Planning ahead is good, but also focus on taking the first step and being adaptable.
- Having unexpected career paths is common in the cybersecurity industry.
- For companies looking to improve their security, focus on having the right tools like EDR, MFA, and secure backups.
Key Insights
24:19 - 31:00
- The top four things to prioritize for cybersecurity are EDR (endpoint detection and response), strong MFA (multi-factor authentication), secure backups, and email security.
- It's important to use cybersecurity tools as intended and incorporate them into daily processes.
- Security professionals should work with the business to reduce risk to an acceptable level rather than aiming for complete elimination of risk.
- Good MFA includes FIDO2 compliant methods, while SMS authentication is considered less secure.
- App-based authenticators are widely used but can be bypassed by threat actors. FIDO2 compliant methods offer better protection against phishing attacks.
- Having a robust backup plan is crucial in case of ransomware attacks. Companies should regularly test the viability of their backups.
- The definition of backups has evolved, with redundancy and business continuity becoming key considerations.
Modern Backup Strategies and Phishing Simulations
30:48 - 37:27
- Modern backup strategies should follow the 3-2-1 rule: three copies of the data, on two different media, with one copy offsite.
- Regularly validate backups to ensure their integrity and effectiveness.
- Backup plans should include security measures to prevent hackers from deleting backups.
- Customize backup plans based on individual business requirements.
- Realistic phishing simulations are essential for training employees against actual threats.
- Focus on training users for sophisticated phishing techniques that are likely to bypass email security solutions.
- Increasing the difficulty level of phishing simulations is necessary to prepare employees for real-world threats.
- Punitive measures for failing security assessments can discourage employees from actively participating in cybersecurity efforts.
- Instead of blaming users, focus on building more resilient systems and providing education and training.
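The backup bullets above (the 3-2-1 rule, validating backups, and keeping attackers from deleting them) can be turned into a concrete check. The script below is an added example, not code from the podcast, the guest or Corvus Insurance: it scores a backup inventory against 3-2-1 and only counts copies whose contents verify against a known-good digest, so a copy that exists but has silently corrupted does not satisfy the rule. The copy names, media, contents and both inventories are constructed for the demonstration; the `immutable` flag stands in for whatever write-once or object-lock feature your storage actually offers.

```python
# Added example, not from the podcast or from Corvus Insurance: score a backup
# inventory against the 3-2-1 rule (three copies, two media, one offsite) and,
# as the guest recommends, only count copies whose contents actually verify.
# Copy names, media and contents are constructed for the demo.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str        # label for the copy (constructed)
    medium: str      # storage medium, e.g. "disk", "tape", "object-storage"
    offsite: bool    # kept in a different physical site or cloud region
    immutable: bool  # write-once / object-lock, so a compromised admin cannot delete it
    data: bytes      # contents of the copy (in real use, read back from the medium)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate_backups(copies: list, expected_digest: str) -> dict:
    """Check each part of 3-2-1 separately so the report says what is missing.

    A copy that exists but no longer matches the expected digest is reported as
    corrupt and excluded from every count: an unverified backup is not a backup.
    """
    intact = [c for c in copies if sha256(c.data) == expected_digest]
    corrupt = [c.name for c in copies if sha256(c.data) != expected_digest]
    media = {c.medium for c in intact}
    offsite = [c for c in intact if c.offsite]
    immutable = [c for c in intact if c.immutable]
    return {
        "copies_intact": len(intact),
        "media_types": len(media),
        "offsite_copies": len(offsite),
        "immutable_copies": len(immutable),
        "corrupt": corrupt,
        "three_copies": len(intact) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": len(offsite) >= 1,
        # Not part of 3-2-1 itself; covers the "attackers deleting backups" point.
        "deletion_resistant": len(immutable) >= 1,
    }


def meets_3_2_1(report: dict) -> bool:
    return report["three_copies"] and report["two_media"] and report["one_offsite"]


# Constructed sample: the "production" dataset and its known-good digest.
PRODUCTION = b"customer-ledger-2024-05-01"
EXPECTED = sha256(PRODUCTION)

# Plan A: three copies on paper, but two share a medium and the only offsite
# copy has bit-rotted, so nothing offsite verifies.
PLAN_A = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, data=PRODUCTION),
    BackupCopy("nas-snapshot", "disk", offsite=False, immutable=False, data=PRODUCTION),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True,
               data=b"customer-ledger-2024-05-01-CORRUPT"),
]

# Plan B: tape as the second medium and a verified, immutable offsite copy.
PLAN_B = [
    BackupCopy("primary-disk", "disk", offsite=False, immutable=False, data=PRODUCTION),
    BackupCopy("weekly-tape", "tape", offsite=False, immutable=True, data=PRODUCTION),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True,
               data=PRODUCTION),
]


def plan_a_report() -> dict:
    return evaluate_backups(PLAN_A, EXPECTED)


def plan_b_report() -> dict:
    return evaluate_backups(PLAN_B, EXPECTED)


if __name__ == "__main__":
    for label, report in (("plan A", plan_a_report()), ("plan B", plan_b_report())):
        print(label, "meets 3-2-1:", meets_3_2_1(report), report)
```

Plan A looks like three copies in a spreadsheet but fails every leg of the rule once integrity is checked, which is the point of the "regularly validate backups" advice: the check has to run against the restored bytes, not against the inventory.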
Building Resilient Systems and Continuous Training
36:58 - 43:49
- Blaming the victims in security is not productive; resilient systems should be built.
- Training users is a fundamental part of a security program.
- Humans are considered the weakest part of security, so plans should be made for when they fail.
- Learning from mistakes and protecting against future incidents is crucial.
- Placing the full burden of security on users is unfair and unrealistic.
- Reporting ratio is a more important metric than click ratio in measuring the success of security education.
- Annual security training is not enough; continuous training and phishing simulations are necessary.
- Mentors play a significant role in professional growth and development.
- 'Atomic Habits' is a recommended book for leadership and self-improvement.
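The "reporting ratio over click ratio" point above is easy to state and easy to get wrong in practice, because most simulation tools only surface the click number. The following is an added example, not code from the podcast or the guest: it parses a constructed phishing-simulation event log and computes both ratios, counts users who clicked and then reported (a click that is reported is a detection, not a silent loss), and goes one step beyond the summary by measuring how quickly reports arrive, since an early report is what buys the response team time. The log format, campaign name, users and timestamps are all constructed.

```python
# Added example, not from the podcast: derive click ratio and report ratio
# from a phishing-simulation event log, plus time-to-report (a step beyond the
# summary, computed from the same data). Log format, campaign, users and
# timestamps are constructed.
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2024-05-01T09:00:00 campaign=q2-invoice user=alice event=sent
2024-05-01T09:00:00 campaign=q2-invoice user=bob event=sent
2024-05-01T09:00:00 campaign=q2-invoice user=carol event=sent
2024-05-01T09:00:00 campaign=q2-invoice user=dave event=sent
2024-05-01T09:03:12 campaign=q2-invoice user=alice event=reported
2024-05-01T09:05:40 campaign=q2-invoice user=bob event=clicked
2024-05-01T09:06:02 campaign=q2-invoice user=bob event=reported
2024-05-01T09:20:00 campaign=q2-invoice user=carol event=clicked
"""


def parse_log(text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def campaign_metrics(events: list, campaign: str) -> dict:
    sent, clicked, reported = set(), set(), set()
    sent_at, first_report_at = {}, {}
    for e in (e for e in events if e["campaign"] == campaign):
        user, kind = e["user"], e["event"]
        if kind == "sent":
            sent.add(user)
            sent_at[user] = e["ts"]
        elif kind == "clicked":
            clicked.add(user)
        elif kind == "reported":
            reported.add(user)
            first_report_at.setdefault(user, e["ts"])  # keep the earliest report
    if not sent:
        raise ValueError(f"no 'sent' events for campaign {campaign!r}")
    seconds_to_report = [
        (first_report_at[u] - sent_at[u]).total_seconds()
        for u in reported if u in sent_at
    ]
    return {
        "sent": len(sent),
        "click_ratio": len(clicked) / len(sent),
        "report_ratio": len(reported) / len(sent),
        # Users who clicked and then reported: the click was caught, not hidden.
        "clicked_then_reported": len(clicked & reported),
        "median_seconds_to_report": median(seconds_to_report) if seconds_to_report else None,
    }


def sample_metrics() -> dict:
    return campaign_metrics(parse_log(SAMPLE_LOG), "q2-invoice")


if __name__ == "__main__":
    print(sample_metrics())
```

On the constructed campaign the click ratio and report ratio are both 50%, but the report ratio is the number that tells you whether the security team heard about the email while it was still actionable; tracking the median time-to-report over successive campaigns shows whether the continuous training described above is actually moving that behaviour.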
Recommended Books and Conclusion
43:28 - 46:20
- The speaker prefers reading books on leadership and self-improvement rather than security books.
- The speaker's favorite book is 'Atomic Habits' because it discusses building the right systems for success, which applies to both personal and professional life.
- Having the right systems in place is crucial for running a successful security program.
- The speaker recommends reading books on storytelling to improve communication skills, especially for those interested in management or business roles.
- Effective storytelling can make even boring topics exciting and engaging.
- The podcast host suggests having another episode in the future to discuss getting into the cybersecurity industry, as they are passionate about education and hiring people from outside the industry.
- The tips shared by the speaker are considered phenomenal and wonderful by the host.
- The host expresses gratitude for having the speaker on the show and looks forward to meeting them in person someday.
- The podcast will feature another cybersecurity professional next month as part of their Security Awareness Series.