In the second episode of e360's State of Enterprise IT Security podcast, host Brad Bussie, Chief Information Security Officer, addresses current cybersecurity challenges. The episode focuses on three pertinent topics: the safety of using TikTok for cybersecurity experts, the escalating threat of cybersecurity breaches this year, and the impact of the MITRE ATT&CK framework in cybersecurity.
Brad begins by examining TikTok's risks regarding data privacy and misinformation, offering strategies for safe usage by cybersecurity professionals. He then shifts to the likelihood of increased cybersecurity breaches, highlighting factors like evolving attacker tactics and geopolitical tensions, and suggests countermeasures including enhanced awareness and robust cybersecurity infrastructure. The episode concludes with an exploration of the MITRE ATT&CK framework's role in standardizing cybersecurity practices and its influence across the industry, while acknowledging its limitations.
This episode provides a nuanced perspective on cybersecurity, blending expert analysis with practical advice, making it a must-listen for technology leaders and enthusiasts keen on staying ahead in the rapidly evolving world of cybersecurity.
Key Topics Covered:
- Can cybersecurity experts safely use TikTok?
- What's the outlook for cybersecurity breaches this year?
- How influential is the MITRE ATT&CK framework?
- Byte-Sized Security Podcast: Can cybersecurity experts safely use TikTok?
- Reddit Discussions: Will cybersecurity breaches be worse this year?
- Is the MITRE ATT&CK really that influential?
Read the Transcript:
[00:00:00] TikTok's algorithm, they can expose users to misinformation, propaganda... especially if it's coming from a quote unquote verified source. Those are things that are a little more controlled on other platforms, but not so much on TikTok. So this could be pretty concerning for me as a cybersecurity practitioner when it comes to dealing with sensitive.
[00:00:46] All right. Hi, everybody. I'm Brad Bussie, chief information security officer here at e360. Thanks again for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders. I'm happy to bring you three topics this week.
[00:01:06] The first one is, can cybersecurity experts safely use TikTok? The second is, will breaches be worse this year? And the third is, is MITRE ATT&CK really that influential? So with that, let's get started. So, can cybersecurity experts safely use TikTok? And I look at this, whether, you know, cybersecurity experts can use TikTok, and I think it depends on several factors.
[00:01:40] Part of it is what's your risk tolerance? Really? What's the purpose of your usage? And what precautions are you taking? So if I were to break it down into a couple of considerations, I would start with what are the potential risks? So [00:02:00] I'd say since the inception of the application or website, depends on how you consume it, data collection and privacy concerns are paramount.
[00:02:10] TikTok collects considerable user data. There's been argument that Google collects it the same, that YouTube also does it, Instagram, kind of the whole Facebook family. But I think what's being done with it is more of the concern. So it's collecting user data. It includes the location, the device information, the viewing habits of the user.
[00:02:38] The app owner is a Chinese company, which raises some concerns about potential data access by the Chinese government. It's interesting though, because TikTok denies those claims. There are security vulnerabilities, and while vulnerabilities are inherent in any software, like we've hit on that a few times before.
[00:03:03] TikTok's faced some pretty harsh criticism in the past for the security flaws. That could again, potentially expose user data. So we're still talking about data. We're still talking about privacy. But I think even more dangerous is misinformation and propaganda. So TikTok's algorithm can expose users to misinformation, propaganda, especially if it's coming from a quote unquote verified source.
[00:03:39] Those are things that are a little more controlled on other platforms, but not so much on TikTok. So this could be pretty concerning for me as a cybersecurity practitioner when it comes to dealing with sensitive information. So let's say I decide to [00:04:00] accept the risk. What are some of the things that I could do to use TikTok?
[00:04:05] And I'll also talk a little bit about how I feel about security experts leveraging the platform to reach an audience. So for me, it all comes down to limiting engagement. So if an expert does choose to use TikTok, they should limit the engagement to very specific purposes, like following education-specific content, industry trends, and really the goal is to minimize any data exposure.
[00:04:40] I'd say making sure your privacy settings, utilizing all the available privacy settings and restricting data sharing, can offer some protection, but it doesn't offer you protection from the main thing we're concerned about, which is the owners and operators of TikTok and what they would do with the information.
[00:05:00] I always encourage device separation. So use a separate device strictly for TikTok. And this can isolate potential risks from work or personal devices. But again, TikTok learns from where you're visiting, what you're watching, how long you stay on something, where you are. I mean, it looks at all of those things.
[00:05:27] So keep in mind that device could be exposed. So be very cognizant of what is actually on that device in addition to TikTok. And I would say, have some critical awareness, you know, maintain a critical eye on all the content that's encountered and verify the information, make sure it's coming from a credible source.
[00:05:55] I mean, that's pretty important. So alternatively, [00:06:00] there are some industry-specific platforms, so you could go to what I would consider more secure platforms that specifically cater to cybersecurity professionals. But that's if you're interested in using it for that purpose. I think what I see is a lot of people use TikTok for relaxation, or they use it for entertainment.
[00:06:25] But just observing my family members... I actually don't let my children install or leverage TikTok for a lot of the reasons that I discussed. So, I think just being aware of what you're after. So if it is entertainment, I think there's a lot of other options. I actually see a lot of the things that make it to TikTok, they show up on other platforms.
[00:06:55] Now, maybe it's not as fast, but it does happen. And then, if I'm looking for an alternative, let's say I'm researching something, I don't necessarily think TikTok's the place, because you're never quite sure about the authenticity of the information. So there are other places that I could get cyber information.
[00:07:17] There are a bunch of blogs and websites, and we'll talk about some of those throughout the podcast, because I think it's important that we're all armed with some good information. So if I'm going to conclude this segment, I would say: can cybersecurity experts safely use TikTok?
[00:07:40] It ultimately depends on their individual risk assessment, risk tolerance, and their mitigation strategies. So while potential risks do exist, I think careful engagement, [00:08:00] utilizing the privacy settings, exploring alternate sources, that can help manage some of the risk. And I would say if I'm after specific information, there's other places that I could go for it.
[00:08:16] So again, it's up to the individual. And if I am an influencer, let's say I'm a cybersecurity influencer. I don't know if I've hit that status quite yet, but once I do, are you going to find me on TikTok? You won't. But I feel that there are other platforms that are more appropriate for that outreach.
[00:08:43] So I'll just leave it there. I think there's going to be some heated debate about this one, and I'd love to chat more about it.
So let's move on to the second of our topics for this week: will cybersecurity breaches be worse this year? And I see several factors that suggest a very high likelihood of a continued or even an increase in the threats as well as the breaches.
[00:09:15] So if I'm looking at it, I mean, we really have a growing attack landscape. There are evolving tactics. Attackers are constantly innovating. They're exploiting new vulnerabilities. They're developing more sophisticated techniques. And as we talked about in previous shows, those attacks are now AI-powered.
[00:09:40] You can put together a much easier social engineering scam. I see a lot of this with help desks where they're getting socially engineered, saying that someone is a user. They're unlocking accounts, they're reissuing keys. They're just doing unnatural things, [00:10:00] the way we would consider it unnatural, but to them, they don't actually know what they are dealing with.
[00:10:07] They think it's a real person. So, I think we're going to continue to see ransomware being a significant concern because of the money aspect. I also see an increased attack surface, so there's a growing reliance on digital technologies, cloud computing, interconnected devices, and that just expands the potential entry points for attackers.
[00:10:40] I think another one is geopolitical tensions. There is a lot going on, and I think cyber warfare, state-sponsored attacks, they're on the rise. And I'd say adding another layer of complexity to the threat landscape is just all of the different conflicts that are starting to spill over into allied countries, with what's happening with Russia and Ukraine, with what's happening in Israel.
[00:11:15] There are a couple of others that I would mention, but I think these are the ones that are of most interest for this year. I continue to see vulnerable infrastructure all over the place... outdated software and systems. A lot of organizations, they still rely on outdated technology with known vulnerabilities, and that makes them easy targets for attackers.
[00:11:43] And I know you're thinking... Well, why don't they just patch their stuff? Why don't they just do? Why don't? Why don't?... Well, I ask that question every day, and I still don't have a good answer, because it's different for everyone that I talk to. Human error. I mean, [00:12:00] phishing attacks, social engineering scams.
[00:12:02] They continue to exploit, I would say, the most vulnerable, which is the human, and that is a significant risk. Lack of cybersecurity awareness. I mean, insufficient awareness and training in an organization, it can leave them completely unprepared to handle cyber threats. And then the rising financial incentives, I mean, cryptocurrency popularity.
[00:12:32] That was a big boom, '21, '22. I think 2023 we saw a bit of a dip as far as how lucrative it is. However, that's still the currency of the cybersecurity attackers, and I think it will continue to be, and we'll see a resurgence of crypto. I think it's just where finances are going. How long it takes us to get there,
[00:13:06] I think that remains to be seen, but monetizing data, I'd say, is another area of that rising financial incentive. So it could be personal data. It could be corporate data. It's valuable. It's a commodity now. And attackers steal it so that they can sell it, because someone on the dark web is going to buy it for whatever purpose.
[00:13:36] And those purposes are typically nefarious. And then I'd say the crown jewel of all of this is ransomware. The ransomware payouts, it continues to be successful. Ransomware attacks and the incentives, they further develop, and the deployment of the tactics keep getting better. [00:14:00] And it's interesting, because this is a polarizing topic.
[00:14:04] When I talk to people about, hey, should we pay the ransom? And that is a very personal question, because I listen to enough cybersecurity practitioners that say no, because if we stop paying the ransoms, then it's not lucrative anymore. And those types of attacks will go away. We'll essentially starve them out.
[00:14:30] But the challenge with that is in some instances, a business would cease to exist because they didn't do enough up front to protect themselves or to recover from that type of an attack. So I think we could go pretty deep on that. I think we'll have another show where we'll do that, where we'll talk about resiliency and what organizations can do.
Because I think if enough of us are prepared, then we can wage an offensive by being defensive, and the next thing you know, ransomware will be a thing of the past. Because, granted, we will have an impact, but should we pay the ransom at that point? No, because we're ready for it. So I think some of the things that we can do this year as potential countermeasures, because I never liked doom and gloom or anything.
[00:15:27] I think three things. Improve cybersecurity awareness, so increase the awareness and training. I know we all look at it all the time and say, oh, my users just don't get it. They're not doing it. Keep at it. I think we can significantly reduce the human error and how susceptible we are to social engineering attacks.
[00:15:54] We just have to stay consistent. And there are statistics of how many times somebody [00:16:00] has to see something before it really sticks. And it's a lot, and our attention spans are getting shorter and shorter. So what I've done with our own program is I've made it more bite-sized. So instead of the 45-minute to an hour training, I'm trying to do the fives,
[00:16:18] the tens, the 15-minute trainings, but I just do it more often, and that's been well received by my users. Investing in cybersecurity tools and infrastructure, I mean, organizations that prioritize cybersecurity and invest in tools, and you can look at it as still firewalls, secure access service edge, intrusion detection, endpoint detection and response. Those types of systems, I mean, they still strengthen the overall defenses.
[00:16:52] Now, you'll hear me talk a lot, and am I still a big fan of firewalls? If it's a perimeter implementation, not so much. I'm more about bringing security closer to the endpoint, closer to the application and closer to the user. But there are still firewalls in play. It's just how they're applied. And then I'd say the third countermeasure this year would be collaboration and information sharing.
[00:17:21] So threat intelligence is still one of the best practices within the cybersecurity community, because if we're all being attacked and we stay silent and we're not sharing the information, how we mitigated it, how we detected it, then the attackers are going to win. So making sure we share amongst ourselves and we have that good threat intelligence, everyone needs to invest in threat intel.
[00:17:48] So however you're getting that information, we could again have a whole show about that. But there's a lot of options, and happy to discuss any of those with [00:18:00] listeners. So speaking of threat intel, let's wrap up this show with our third topic, which is the MITRE ATT&CK framework. And is it really that influential?
[00:18:15] So for those of you that are new to MITRE ATT&CK, let's kind of look at it from the lens of just the simple high level. So MITRE ATT&CK is like a cybersecurity map of attacker tactics. So it outlines the common ways attackers operate. And that could be sneaky reconnaissance to deploying malware. And it makes it easier for defenders to understand their potential opponents.
[00:18:52] So think of it as a shared language and playbook for cybersecurity. It's helping everyone speak the language against cyber threats, and it's really the same language, so we all kind of understand where it's coming from. It's constantly updated, just like maps when they get a new road or a new landmark, and what it does is it reflects new attacker tricks,
[00:19:21] and it helps keep our defenders up to date and, you could say, on their toes. Now, I would say MITRE ATT&CK's influence in the cybersecurity world, it's undeniable. 48 percent of organizations use MITRE ATT&CK, and they use it extensively. And that's for security operations. And a lot of that has to do with the endpoint detection and response
[00:19:50] platforms; they're basing a lot of the way they do things on MITRE ATT&CK. And then there's another 41 percent of organizations that are [00:20:00] using it to some degree. So if I'm looking at that from influence, that's a lot of percent. I mean, that's pretty close to 100, but 19 percent consider it critical to their future security strategy and 62 percent see it as very important.
[00:20:18] So if I'm reading the statistics, it's a good base-level framework, but not enough are seeing it as a critical component to their future security strategy. And I think that's a bit of a miss, because it really is a great map and way of understanding attackers. And there's a concept of the kill chain. And if you look at how attacks are started and how they end,
[00:20:50] you can follow it just like a playbook. These things are real, and attackers do follow step by step, because it is a chain. It is a process. It's typically a nefarious process, but it is something that we can still understand. Now, if I look at the impact on the industry, what has MITRE done for us? It's done
[00:21:13] one of the best things, which is standardizing the language, so we can all look at it, we can all see it. It's a common framework, and it describes the attacker tactics and the techniques. It fosters better communication and really that whole collaboration across the cybersecurity community. There's improved threat detection because of it, and that's because we understand how the attackers operate.
[00:21:40] And we can develop more effective defenses and detection mechanisms because of that. And I mentioned this before, but it's really having informed security tooling. So the vendors that are [00:22:00] creating cybersecurity tools and defense software, they're aligning their products and their services with the MITRE ATT&CK framework.
[00:22:10] So really it makes them more relevant and effective. And I would also argue that MITRE is driving innovation. So there are continuous updates to the framework. And that's key, because our attackers are evolving. And that's what we want. We want a parity, and to keep pace with each other, because it's not going away.
[00:22:40] Benchmarking and testing. So this is something that I was really missing. If you all remember NTT back in the day, you know, they would test a lot of different software, and we could get some scoring based on how well the cybersecurity tooling performed in the real world. Well, MITRE has put on that superhero cape, and they're doing something very similar, if not a little bit better.
[00:23:05] They're doing benchmarking and testing. So it provides a way to measure an organization's security posture against known threats, but they are also testing in an environment a lot of different tools, and then they're giving us scores, which is great. So if you're interested in that, hit the MITRE website, take a look at it.
[00:23:28] And I think the way that we are going to survive this new age of AI is how MITRE is open source and collaborative. So it's freely available. It's openly developed, and its goal is to foster that collective spirit in the cybersecurity community. So I've always looked at it as we are better together. I'm a big fan of the crowd movement.
[00:23:57] That's a little old [00:24:00] now by the standards, but still it is our best chance against attackers. So overall, MITRE ATT&CK, it's become a cornerstone of modern cybersecurity. I think its influence can be seen in its widespread adoption, the impact that it's had on the industry and the ongoing innovation that it drives.
[00:24:26] So, I would give you a counterpoint, too. It is highly influential, but it's not a one-size-fits-all solution. I mean, you need to look at it and adapt it to your specific needs. And I think that some organizations struggle because of their particular threat landscape. It may not be fully compatible, but I think you're still doing something, which is better than nothing.
[00:24:54] I would say some critics, they argue that MITRE ATT&CK focuses too much. I don't know if you could possibly do that, but they say too much on advanced persistent threats. And that is something that may not be as relevant to smaller organizations, because they're getting hit by more of the drive-by, the botnet, because advanced persistent threats typically need resources and are very targeted and directed.
[00:25:26] So they go after what we call the bigger fish, or they're whaling. A lot of smaller organizations, they just get hit by kind of more of the automated stuff. And it's like casting a wide net and seeing what you get. That's more of how those attacks are. And MITRE is good, but not amazing for that.
[00:25:48] There are other frameworks that I think are a little bit better. And I think some of the smaller organizations should be focused just on the basics, which is like a CIS 18 [00:26:00] or a NIST CSF type of an approach. But we could talk about that later. And then I would say, you know, despite some of the limitations that you could mention, MITRE ATT&CK is still valuable.
[00:26:15] And it's a great tool for any organization, and I'll say this in quotes, that is serious about cybersecurity. So, I hope this information gives you a good understanding of MITRE ATT&CK and its influence in the cybersecurity world overall. Well, thanks everybody for spending some time with me and e360 Security.
[00:26:40] Have a great rest of your day.