In this episode of the podcast (#197), sponsored by LastPass, former U.S. CISO General Greg Touhill joins us to talk about news of a vast hack of U.S. government networks, purportedly by actors affiliated with Russia. In our second segment, with online crime and fraud surging, Katie Petrillo of LastPass joins us to talk about how holiday shoppers can protect themselves – and their data – from cyber criminals.
Every day this week has brought new revelations about the hack of U.S. Government networks by sophisticated cyber adversaries believed to be working for the Government of Russia, and each revelation, it seems, is worse than the one before. As of Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was dispensing with niceties, warning that it had determined that the threat “poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
On Russia Hack: What’s the Target?
The incident recalls another from the not-so-distant past: the devastating compromise of the Government’s Office of Personnel Management in 2014, an attack attributed to adversaries from China that exposed the government’s personnel records, some of its most sensitive data, to a foreign power.
Then there is this attack, which is so big it is hard to know what to call it. Unlike the 2014 incident, it isn’t limited to a single federal agency. In fact, it isn’t even limited to the federal government: state, local and tribal governments have likely been affected, in addition to hundreds or thousands of private firms, including Microsoft, which acknowledged Thursday that it had found instances of the compromised software, the SolarWinds Orion product, in its own environment.
How did we get it so wrong? According to our guest this week, the failures were everywhere. Calls for change following OPM fell on deaf ears in Congress. But the government also failed to properly assess new risks, such as software supply chain attacks, as it deployed new applications and computing models.
Greg Touhill is the President of the Federal Group of secure infrastructure company AppGate. He currently serves as a faculty member of Carnegie Mellon University’s Heinz College. In a prior life, Greg was a Brigadier General in the U.S. Air Force and the first Federal Chief Information Security Officer of the United States government.
In this conversation, General Touhill and I talk about the hack of the US government that has come to light, which he calls a “five alarm fire.” We also discuss the failures of policy and practice that led up to it and what the government can do to set itself on a new path. The federal government has suffered “paralysis by analysis,” he says, as it wrestled with the need to move its security approach away from outdated notions of a “hardened perimeter” that keeps adversaries out. “We’ve got to change our approach,” Touhill said.
The malls may be mostly empty this holiday season, but the Amazon trucks come and go with shocking regularity. In pandemic-plagued America, e-commerce has quickly supplanted brick-and-mortar stores as the go-to for consumers wary of catching a potentially fatal virus.
But all that online shopping carries its own risk: identity theft and fraud. And, as with the coronavirus, too many Americans are failing to take adequate steps to protect themselves from harm.
In our second segment this week, Katie Petrillo of the firm LastPass joins us to talk about some of the threats waiting for online shoppers, and some simple ways to protect yourself from harm.
(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Episode 197 Transcript
[START OF RECORDING]
PAUL: This episode of The Security Ledger Podcast is sponsored by LastPass. For more than 47,000 businesses of all sizes, LastPass reduces friction for employees while increasing control and visibility for IT with an access solution that’s easy to manage and effortless to use. From single sign-on and password management to adaptive authentication, LastPass gives superior control to IT and frictionless access to users. Check it out at lastpass.com.
Hello, this is The Security Ledger Podcast and I’m Paul Roberts, Editor in Chief at The Security Ledger. In this episode of the podcast, number 197…
KATIE: Every account that you create, entering your credit card, entering your e-mail address and your shipping address, all that information just helps to paint a picture about you. So, attackers are looking to steal anything they can, put it on the dark web, and then it sort of gets pieced together.
PAUL: What does holiday shopping season mean in the midst of a once-in-a-century pandemic? Lots and lots of e-commerce. But all that online shopping increases consumers’ cyber-risk. In part two of the podcast this week, we’re joined by Katie Petrillo of LastPass to talk about what online risks shoppers should be on the lookout for and how to up their password game in 2021. But first, every day this week brought new revelations about a compromise of US government networks by Russian government hackers. As of Thursday, the US Cybersecurity and Infrastructure Security Agency or CISA was dispensing with niceties, warning that it had determined that the Russian hackers quote “pose a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
The incident recalls another from the not-so-distant past, the devastating compromise of the government’s Office of Personnel Management in 2014, an attack attributed to adversaries from China that exposed the government’s personnel records, some of its most sensitive data to a foreign power. Now, this attack which is so big that it’s hard to even know what to call it. Unlike the 2014 incident, it isn’t concentrated on a single federal agency. In fact, the hack isn’t even limited to the federal government. State, local, and tribal governments have likely been affected in addition to hundreds or even thousands of private sector firms including Microsoft which acknowledged Thursday that it found instances of the software compromised by the Russians, the SolarWinds Orion product, in its own environment. How did we get it so wrong?
According to our guest this week, the failures were everywhere. Calls for change following the OPM hack fell on deaf ears in the US Congress. But the government also failed to properly assess new risks such as software supply chain attacks that multiply as new applications and computing models were embraced across the federal government. Greg Touhill is the president of the federal group of the secure infrastructure company Appgate Federal. He currently serves as a faculty member at Carnegie Mellon University’s Heinz College and in a prior life, Greg was a brigadier general and the first federal chief information security officer of the United States. In this conversation, General Touhill and I talk about the hack of the US government that’s come to light, the failures of policy and practice that led up to it, and what the government can do to get itself back on a solid footing and a new path.
GREG: Hi, I’m Greg Touhill, president of Appgate Federal, a cyber-security and advanced technology company. I’m also a retired Air Force brigadier general.
PAUL: Greg, I’ll note in addition to your current role, you were former chief information security officer for the US government.
GREG: I was and before that I was at DHS as the deputy assistant secretary and concurrently serving as the director of the NCCIC, the National Cybersecurity and Communications Integration Center.
PAUL: Not to pile on, but you’re also a faculty member at Carnegie Mellon.
PAUL: So, obviously been slacking. A really great person to have on the podcast this week, general, to talk about the incident that’s come up and we’re reading about now with the attack, the compromise of SolarWinds, a large IT services provider to the US government that led to what appears to be a fairly widespread attack on US government agencies that use the SolarWinds Orion platform. I guess I’ll start it just as the high level of what were your thoughts on reading about this, given your past work at [00:05:00] senior levels of the US government?
GREG: Well, you know, in light of the revelations that Kevin Mandia brought forth on FireEye and his pen testing and hunting team, and now the Orion revelation; I can’t help but think that this is part of a broader campaign. I don’t think the adversary groups limited themselves only to FireEye and SolarWinds. I think that there’s a smoking gun, as it were, that would point that this is a supply chain campaign and other parts of the supply chain remain at risk and perhaps undetected. We work with an all-hands-on-deck response.
PAUL: You would think they wouldn’t stop with one vendor. This is coming about five years after the OPM attack and obviously there were lessons learned from that. Is this in your eyes failing to implement some of those lessons or is this just a whole new front that we now — federal IT needs to be mindful of maybe in a way that they weren’t previously?
GREG: I’ll say both actually, Paul, because frankly there’s a lot of lessons learned from OPM that we really have not capitalized on. I’ve been a proponent that we really need to rethink the federal IT strategy at large. We’ve got small departments and agencies that are underfunded and undermanned and outgunned, but yet we require them to do the exact same level of cyber-protections as we do — as we expect of the Department of Defense, DHS, and some of the large well-funded agencies that are out there. Our strategy I think is misaligned; how we appropriate dollars, how we architect for a successful defense of the people’s information. All of that we called for change during the aftermath of the OPM breach and frankly, I think it’s fallen on deaf ears in both Congress and in the current administration right now.
PAUL: In this particular case, it seems like malicious actors probably affiliated with the government of Russia were able to obtain and then tamper with a software update for the SolarWinds Orion which is kind of a network management tool and basically implant the backdoor into a signed software update. This was, again, a signed update from the vendor but with a Russian backdoor in it that then, of course, got distributed out to many different agencies. In fact, I think Ars Technica reported some 18,000 downloads of those compromised update files by organizations of all types. Gosh, where do you even start with that? Is there an easy fix to a problem like that where again, the malicious actors have actually inserted themselves into the software update process and implanted a backdoor and then signed the update from the vendor so that it’s gonna check out on the customer side?
GREG: Well, a — let me unpack that, Paul, for you. A couple things; first of all, anybody who says that oh, I got an easy fix for this has never actually had to do it. It’s like those folks who say oh, I’m a cyber-security expert. No, I have yet to meet a cyber-security expert. I’ve met a lot of highly-skilled people but it’s so broad.
PAUL: Right, right. It’s a big topic. Right, right.
GREG: Exactly. From our perch as a product company, upon the reports we went and we verified the integrity of our crown jewels, our code base, our development environments, and frankly we use Appgate SDP, our own product, to protect ourselves. We did not find any evidence of tampering with our review. But then again, we do not use that particular product that has been known to have been breached. But I think as you take a look throughout the community, we all have to assume there was a breach. Based on that, you have to hunt, you have to check and verify the integrity of your products and your capabilities to make sure that they’ve not been tampered with.
This is a time for the community to band together. I greatly appreciate the leadership of FireEye in sounding the alarm and sharing the information. It’s been very helpful thus far. It seems that CISA, with their conference call that they put out on Monday, that was helpful but there’s still a lot more information that we are hopeful that the government will share [00:10:00] so that we can make sure that we better harden that supply chain. With that said Paul, I think that there’s more products out there that are at grave risk and that their customers are at risk of having some of those products having backdoors put in as well.
PAUL: Right. Once you’ve focused your attention on this particular compromise, your mind sort of boggles of saying well, okay, one vendor, but who’s to say there aren’t more and how many updates? Then you’re starting to look at every update, right, from every vendor and saying well, how do we know if that one’s not been tampered with?
GREG: What’s their target? We’re paying trillions of dollars for an exquisite intelligence community and a cyber command. Hey guys, tell us what the target is so that we can prioritize and triage. We’ve heard crickets from the intelligence community thus far which is kind of frustrating for those of us who in fact do have security clearances and who are part of that critical information technology sector. There’s some frustration out there right now on the lack of information flow that’s coming.
PAUL: By target you mean what are they after? What is the purpose of this operation? Is that what you mean?
GREG: Sure. Take a look at it, Paul; if you don’t know what the target is, then you disperse your resources to try to check everywhere. But if you have a better understanding what the target set is, then you can do what in the military we call economy of force and unity of effort where you can work to harden that high-value target which is the actual target. By economy of force, you’re not wasting your effort trying to guard things that are meaningless. As we take a look at it from a community standpoint, at this point if the target is in fact to insert chaos and a lack of trust into the efficacy of our cyber-security tools to protect us, maybe that’s mission accomplished in and of itself.
PAUL: Yeah, I was gonna say maybe again we’re talking about Russia here, so maybe there isn’t a specific target so much as either just wholesale information harvesting or again, yeah, sowing doubt and distrust within government agencies.
GREG: Yeah, it could be that. However, let’s take a look at one of those bright glimmers of hope out there. Ultimately, the information that the federal government owns is that of the people of the United States and we have a free and open society. Certainly we want from a privacy standpoint that private information is protected, but it’s not like we’re a totalitarian regime or we’re going to make sure that that information is not available to the people. With that said, this is a five alarm fire and if — getting into the federal government, what about critical infrastructure? Those are some of the targets that I’m really concerned about in addition to the government breach.
PAUL: One of the buzzwords is being thrown around as you know is this concept of zero-trust networking which is definitely — has a lot of interest in the private sector. I’m not sure where the federal government is on moving toward zero-trust but a lot of folks are looking at this and saying this is really the model that we need to be going to. Just from your experience, what would implementing a program like zero-trust networking at the federal government level entail?
GREG: Well, first, Paul, thanks for that. I don’t think that zero-trust should be considered a buzz phrase. I think it should be considered a business imperative. It doesn’t matter if you’re in a government or in a private sector. I’ve been talking about the need to pivot to a — zero-trust security strategies while I was in government and I think it’s so important that when I pivoted out and retired from federal government the second time, I’ve been a proponent and working towards putting zero-trust as a security strategy in both public and private sector. I teach that to my students at Carnegie Mellon but I’m involved in the industry to make that happen. I take a look at zero-trust as opposed to the traditional perimeter-based security strategy that we’ve been following in network enterprises everywhere. Sadly, that perimeter-based approach; if you peel back the onion, Paul, we’ve been using that perimeter-based [00:15:00] approach of security ever since Sun Tzu and Alexander the Great were generals marching around the earth.
GREG: As a war college graduate, I’ll tell you it’s not lost on me that Sun Tzu and Alexander the Great didn’t have iPhones, mobile computing, Cloud computing, the internet.
PAUL: Yes, right.
GREG: We’ve got to change our…
PAUL: The first Trojan horse was in fact the Trojan horse.
GREG: Yeah. Gee whiz, we can talk about Greek tragedies, too. But we’ve got to change our strategy. We really need to rethink. Zero-trust is not just a buzzword. It is a legitimate security strategy. Sadly, the government has been in a state of paralysis by analysis. They’ve been looking at it for years and they have not necessarily been implementing it. I’ll give a shout out to the United States Air Force because they actually in my opinion have taken the lead. Nicolas Chaillan, the chief software officer of the United States Air Force, has been implementing zero-trust in protecting the DevSecOps environment of the Air Force. He’s brilliant. General Weggeman, General Hawk, General Raduege and the folks at Air Combat Command, they’re moving forward now on it but I think the rest of the departments and agencies and military departments are lagging behind and nation state actors are taking advantage of that.
PAUL: Obviously, we’re — one of the big changes I think that’s — that we saw in the last four years with the Trump administration is more of an emphasis on come defend forward and so on. I was reading the CNN article or report that they did with Bellingcat on some of the strategies they used to track the people alleged to have participated in the poisoning of Mr. Navalny. It would seem to me that it’s sort of one of those people in glass houses-type scenarios that there appears to be plenty of opportunity out there for adversaries of Russia. One question is strategically for any countries involved in this type of operation, knowing that eventually you will be found out, where does — where do we end up here? Is there a sort of mutually-assured destruction-type mindset that takes hold or is this just kind of the spy games of the 21st century just like there were during the Cold War? There were spy operations going on all over the world and it was just part of the state of play.
GREG: I think we really need to rethink our cyber-deterrent strategy because whatever it is right now, it ain’t working. Sure, as we take a look at where we want to go forward, it’s — I’m already seeing chatter through the different newspapers that are out there where folks are sounding different kind of alarm bells. I’m hearing some folks say let’s hold these companies accountable, blah, blah, blah. Bad on them, bad dog. On the same token, I’m hearing folks up on the hill saying oh, well, this administration screwed up and that administration screwed up. That’s just — okay, thanks. There’s a place for that. When we have an airplane crash in the Air Force, we don’t immediately take the wing commander out and shoot him in the back of the head and say you failed. What we do is, is we convene two concurrent boards.
The first investigation board is the safety investigation where we go out there and we say okay, so what happened? We want to prevent this from happening to another pilot, let’s say. That gets everybody’s interest. It’s, let’s go find out what happened. Was there a material failure, et cetera. Then we have the accident investigation board where we find out the facts and circumstances and sometimes people do get fired because they didn’t follow proper procedures or whatever. But if we find as part of the investigation that the procedures or the tools or the airplane sucked, then we’re not gonna take that wing commander out and shoot him. We need to have a really sober investigation here and one that’s done with velocity and precision. We don’t want to over — wait forever while we’re under attack.
But we don’t want to overreact either so that we lose sight of what the strategic targets are and the [00:20:00] strategic objective is to protect national prosperity and national security. Right now, both are at risk because we don’t have attack characterization. We don’t have attribution. We don’t have information as to what their end game is and as a result, if we’re not careful, mature, and deliberate, we’re gonna just flail. Now’s not a time for finger-pointing. Now is the time for buckling our chin straps because we’re under attack. Having had direct and indirect fire with the bullets whizzling by at one point, I’m more concerned about protecting national security and national prosperity than — yeah, we’ll find whether or not there’s some blame but let’s do things the right way the right time. There’s more to be learned because I think that these goobers, they’re elsewhere. Let’s go find out what our real risk exposure is before they pull another trigger.
PAUL: Sure. Okay, final question; obviously we’re not exactly sure what the timeline of this attack is but it seems like it stretches back at least to the summer and probably back to the — before that. Would it surprise you to learn at the end of the day that some of the changes necessitated by covid including remote work either in the government sector or out there in the suppliers, SolarWind, and the — provided an opportunity and opening for these adversaries to insert themselves into the software supply chain and also to carry out this attack?
GREG: Paul, I think your Jedi skills are impressive. I think that if you take a look at a couple of other smoking candles in the back corner of the room; as you take a look at all these pieces coming together, you can make a really good case that first of all, they were thinking about this well beforehand and they probably executed in that supply chain. Given the vulnerable codec, this happened well before the pandemic. But I think that as I take a look at the evidence that’s available right now, things like everybody in the particular industry — according to this Department of Commerce, 42% of the workforce pivoted to a work from home. The vast majority of them have been using VPNs, virtual private networks, for their secure remote access. VPNs are elderly technology. They made their first appearance the same year the PalmPilot did and [inaudible] was a rookie for the Yankees.
We’ve still got folks saying well, VPN equals secure remote access when there’s better secure remote access capabilities out there that are more modern and secure. Heck, we’ve had — I’ve lost count at a dozen. There’s easily now a dozen and a half, maybe two dozen government alerts since the pandemic started on VPN vulnerability. We’ve seen old malware like Agent Tesla. There’s an Agent Tesla variant as a great example that added a key logger that sniffs for VPN username and password credentials so they can hijack your stream. The thing about it is we are not necessarily using the most modern and most secure and most efficient technologies. Software-defined perimeter technology; folks who pivot to that, they see a 75% — 50% to 75% decrease in costs. Makes it much less complex for your guys and gals in the server room. The Help Desk calls go down. I can put it on my phone myself without having an IT tech do it.
We sometimes lose sight of the forest because of the trees and as we take a look at where we’re going as a result of all these breaches, we really need to take a step back and say hey, are we architected for success, to meet our objectives? I think right now in both government and in the private sector, the answer is no. We need to rethink and redo. We invented this stuff. We can do better. I would tell your audience don’t despair; there’s still hope. We need — as a community, we need to bind together, continue to share information, but we also need to buckle our chin straps and cinch them down tight because I think this was part of a broader campaign. I think [00:25:00] we’re gonna find that these bad guys have gotten into other areas and I’m very hopeful that we’re gonna get more information that’s going to provide context to help focus our efforts as we do our triage, our damage assessment, and look to repivot and implement zero-trust as a security strategy to better protect national prosperity and national security.
PAUL: Thank you so much Greg Touhill, General Touhill, for coming on and speaking to us on The Security Ledger Podcast.
GREG: My pleasure, Paul. Be safe.
PAUL: Greg Touhill is a retired brigadier general and president of the federal group of the secure infrastructure company Appgate. Up next, the malls may be mostly empty this holiday season but the Amazon trucks come and go with shocking regularity. In pandemic-plagued America, e-commerce has quickly supplanted brick and mortar stores as the go-to for consumers who are wary of catching a potentially fatal virus in public. But all that online shopping carries its own risk; identity theft and fraud. As with the coronavirus, too many Americans are failing to take adequate steps to protect themselves from harm online. In our second segment this week, Katie Petrillo of the firm LastPass joins us in The Security Ledger studio to talk about some of the threats waiting out there for online shoppers and some simple steps that shoppers can take to protect themselves from harm.
KATIE: Katie Petrillo. I am the senior manager of product marketing for LastPass here at LogMeIn.
PAUL: Katie, welcome back to Security Ledger Podcast.
KATIE: Thank you for having me. I’m excited to be here.
PAUL: We’re here; it’s kinda mid-December and we’re in the thick of holiday shopping season. We’ve got a major snowstorm barreling our way here in Boston. Gonna make things even probably more compressed on the other side of this, and we’re in the middle of a pandemic which means that a lot of people not only are gonna do their holiday shopping season online but have been doing shopping online for going on a year now. The Amazon trucks come and go pretty much like clockwork. I don’t know where you are but they definitely do where I am.
KATIE: Oh yeah, constantly. I’m also in the Boston area preparing for that storm.
PAUL: I should ask you, how are you on your holiday shopping?
KATIE: I’m actually done. I’m very excited to say that which is not always the case.
PAUL: Holy cow.
KATIE: I know. Everything is wrapped too, which — that’s really the important thing.
PAUL: Holy cow. I think you’re shaming some of us right now.
KATIE: I’m showing off.
PAUL: You’re showing off.
KATIE: What else do we have to do other than sit online and buy things and buy gifts and get ready?
PAUL: This shopping season is truly one like no other because of the pandemic. Malls are not empty but definitely not holiday shopping season crowded, and so many people have just gotten into the habit now of ordering what they need whether it’s food or clothing or gifts online. What does that mean I guess for online shoppers in terms of their cyber-risk and the security risk? I know criminals kind of phish where the fish are so I’m assuming that they’re noting this as well.
KATIE: Yeah, absolutely. I think when we talked a couple of months ago I think it was now, we were talking about how just even the pandemic itself and how folks were spending more time online was causing that increase in hackers just because yeah, more fish in the pond. So, those hackers are there and I think that is continuing to unfortunately be a trend that we’re seeing with holiday shopping as well. It’s just because so many more folks are turning to online to do their holiday shopping. I think there was something that — I read something that saw that Black Friday alone on that particular day saw an increase of 25% in their online shopping trends. I mean, I’m even surprised that it wasn’t necessarily higher than that.
What that means though is you’re simply putting yourself more at risk with each of those purchases that you do make online. Thinking about every account that you create, so buying gifts for — on sites that you may not normally visit, entering your credit card, entering your e-mail address and your shipping address; all that information just helps to paint a picture about you. So, individually it may not mean anything but attackers are looking to steal anything they can, put it on the dark web, and then it sort of gets pieced together in a way that does all of a sudden start to paint a picture specifically about you that becomes valuable to somebody.
PAUL: A lot of data’s already out there. Maybe not through any fault of your own but obviously retailers and data brokers and so on have all been compromised, so that’s part of the background noise as well.
KATIE: Yeah, absolutely, absolutely. I think it’s only — this risk has only heightened since really — since the beginning of the pandemic. I think there was a stat from the FBI; they said they saw an increase of 400% in cyber-crime since March which is crazy. I can’t even fathom what that really means but I think what we’ve seen — how we’ve seen that present itself is things like phishing attacks or ransomware or something that — called e-skimming where they’re looking for your — they’re really looking to scam a site for credit card numbers or payment information. I think these are risks that at some point felt more abstract but now they’re feeling much closer to home because of how much information we are putting online and then also the risks and just how it’s presenting itself and coming out because there are so many hackers out there really looking to piece all this information together.
PAUL: What should online shoppers be looking for? Most people, they might go to amazon.com or bestbuy.com; they’re pretty confident that this is a legitimate website, my information’s not gonna be stolen, but just because the site is secure doesn’t necessarily mean that there’s not risk as well. What should online shoppers be worried about?
KATIE: I would say look out for anything that is — looks unusual, especially if it’s a site like Amazon or somewhere that you do go regularly. If you’re seeing a pop-up or some sort of notification that you don’t normally see, take a moment to pause and investigate what — take a look at that. Don’t necessarily click on it but understand what you’re seeing and what might be weird. If you are seeing something weird, I think it’s always good — you can certainly Google to see if someone else is having these issues.
PAUL: So, what type of data do people need to be protective of and what are cyber-criminals out there interested in and likely to hit you up for?
KATIE: Yeah, it can be honestly — like I said before, any information starts to build a profile of who you are. Obviously there are very sensitive and important pieces of information like your credit card, your — any passwords to accounts like social security numbers, passport numbers; those are higher value. Even those security questions that go into you creating a new account and they want to get those backup security questions for you; that piece of information starts to again build a profile and if it’s tied to your e-mail address, somewhere that you might be mentioning your first pet’s name as a security question answer, then could be added to your profile and then some sort of a brute force attacker could be using that later. Actually, when you’re using your first pet in your password for your bank, it’s all of a sudden working against you. Honestly, I think it doesn’t — I’m sure that feels overwhelming to say this but every piece of information does matter. Ultimately, it all ends up sort of being on this dark web that we talk about that is — all this information can be sold there.
PAUL: So, pet name; not secure for a password.
KATIE: No, absolutely not. Hopefully everybody knows that by now.
PAUL: Well, I mean, let’s talk about the password because you mentioned password reuse which is the big elephant in the living room of online fraud and theft. People have easy-to-guess or -hack passwords and then to add insult to injury, they reuse those insecure passwords across many, many different sites. Help listeners understand what’s a secure password and how do you get out of that habit? ‘Cause I ask people all the time who are smart, educated people about their password habits and I get a lot of really sheepish looks as I’m sure you do as well. What makes a secure password?
KATIE: Yeah, I’d say two big pieces that go into your password are length and being random. The longer it is, the harder it is going to be to crack, obviously. Obviously, that doesn’t make it more challenging to remember but I think what you can do is sort of create a phrase but I think the key to that phrase is my second piece of advice, is making it random. Words that — short words strung together with symbols and numbers in there in a way that it really doesn’t make sense but it’s something that you’re able to remember, for example.
PAUL: To be or not to be is already on the hacker’s list of things to try.
PAUL: You’re gonna have to do better than that.
KATIE: Yeah. I mean, I think that’s the way to go for passwords that you do need to remember which I would say there should be very, very few of them at this point in your life. For the majority of your passwords, I would recommend going completely random and putting those passwords and accounts into a password manager that will remember them for you. So, where you do apply that long, random password that you need to remember is just for your password manager. In theory, you could have [00:35:00] one that you remember for the rest of your life. That’s something that I’m doing now and I think that’s what — I don’t even think about passwords. When I need a new — when I’m logging into a new account, this new shopping site; I’m buying something say for my mom, it’s a site I don’t normally go to, I need an account, I just generate a password really — with one click. It gets added into my vault, I have a new account, and I move on with my day. It’s a non-issue, doesn’t take extra time, and so I’d say random passwords are 100% the way to go but you do need to be obviously using a password manager ‘cause no one is that much of a [inaudible] and can remember random passwords for everything.
PAUL: You’ve got better things to do than commit to memory the, yeah, twenty-five-character alphanumeric value, yeah.
KATIE: Plenty of things to worry about and passwords do not need to be one of them.
PAUL: Yeah. It’s a big leap of faith for people to let go of that idea that they need to be mentally managing and juggling all their own passwords, though. I mean, I found that to be the case. It’s like a shift that you need to make mentally.
KATIE: Oh, absolutely. It’s not something I expect people to let go of and do immediately. I think a good starting point is simply starting to use a password manager. Just play around with it. Start to add in a couple of your passwords which you’re — probably can still remember. Add them into LastPass. Let them — let LastPass fill that for you on a regular basis. Just kinda see how that works and I think you’ll start to see how valuable it can be in your day-to-day for a password manager like LastPass to fill your passwords, to create new accounts, and then I think you’ll start to see the value of oh great, I can just generate a random password and I do want LastPass to actually take this over for me. It’s definitely a journey. It’s not something where people are going to — unless you’re fully bought in or maybe did have some sort of hack or breach that happened with your accounts and you have some sort of compelling reason to go all in, I don’t expect people to make that leap right away which is awesome.
PAUL: Okay, so assuming you get all your weak password game up to snuff with strong passwords, are there other steps that people should be taking or looking at either in a context of e-commerce and online shopping or just all the stuff you do online; banking and healthcare and all the other stuff?
KATIE: Yeah. I definitely — password management is a big piece of it and one step I want people to be aware of but it’s not the only one. I think the other key piece that you probably heard a little bit about is multi-factor authentication or two-factor authentication, and so adding that onto sites wherever you can or at least for those really most valuable sites. Obviously if you’re using a password manager like LastPass, make sure you have that second layer of authentication on the — getting into the vault itself because all of your keys to the kingdom are in that piece. But add MFA to other pieces, other areas; to your credit card, to your bank account, so some of those really sensitive sites that you’re logging into.
PAUL: The final question is, the election’s over so we don’t have to have painful political conversations with our family but maybe we should be having painful cyber-security conversations with them instead. What do you recommend for bringing those we love into the security circle, so to speak, and having frank conversations with them about sensitive topics like their password hygiene?
KATIE: Yeah, I think this is an important one and also one that people do feel strongly about. You mentioned when you ask people about their password habits and they give you the sheepish look, or they have a system that in their brain think they have validated they’re secure and you’re like, that’s really not actually working.
PAUL: Not only is that not secure but it’s actually a road map.
KATIE: Yeah, right, like you’re actually giving them the keys. You’re telling them how to go figure out this password.
KATIE: It’s definitely a tricky question but I think the key to it is education, and so understanding the risks, like some of the ones that we talked about earlier, especially around phishing. I don’t know, I even think — I think about — a lot of this, I think about some of our elderly relatives; they receive e-mails and just click on everything. I think education around what an e-mail — a good e-mail looks like, what could be suspicious, or just ask somebody if you’re not sure and being able to show it to somebody and get another opinion. But I really think the big piece is educate folks on some of those areas where you might see some of that suspicious activity so people can start to identify it for themselves. I think understanding those poor behaviors; why password reuse is so bad, what you can be doing to create stronger passwords and tools to help them, I think it’s just all part of that evolution. Again, it’s not something that happens overnight but just something that [00:40:00] really needs to be happening at an education level first.
PAUL: So, Katie, should folks think about password managers as a Christmas gift or as a New Year’s resolution or both?
KATIE: Or both, maybe. I think the Christmas…
PAUL: The Christmas gift that becomes the New Year’s resolution.
KATIE: Exactly. You give the gift for Christmas, get your [inaudible] on board and then there’s a little bit of new year, new you, new passwords feelings to take into 2021. Absolutely. I love that. I think, again, we have all this time. Spend just an afternoon to get yourself up and running with a password manager.
PAUL: Thank you for coming on and speaking to us on The Security Ledger Podcast once again.
KATIE: Thank you so much for having me Paul. I appreciate it.
PAUL: Katie Petrillo is a product marketing manager at LastPass, part of LogMeIn.
Transcription by: www.leahtranscribes.com