GTCF #14: Dr. Eric Cole - Preventing a Cyber Crisis in your Business

GTCF14-blog-logo


Dr. Eric Cole is our guest for episode 14 of Gula Tech Cyber Fiction. Eric and Ron speak about why we need certifications for Chief Information Security Officers, marketing terms like "zero trust" and "artificial intelligence", cybersecurity risk frameworks, Data Care and a good bit of hacker science fiction. Dr. Cole started his career doing cybersecurity at the CIA, has a PHD in computer science, has authored 8 computer security books including Cyber Crisis which will be available soon and runs Secure Anchor consulting which provides cybersecurity expert witness services and security consulting.








Show Transcript

Ron Gula: [00:00:00] Hi there. This is Ron Gula with the Gula Tech Cyber Fiction show. Today, our guest is Dr. Eric Cole. And before we get to the good Dr. Cole, we have a couple of shout outs. So first of all, if you've seen this man, Bryson Bort is going to get his beard shaved April 10th, which is just a week from now. And we are gonna do it to raise money for a good cause. So if you're not following me on Twitter, I'm @RonGula and you can register for, uh, for the great shave as we're calling it next week. I also I'm wearing Godzilla 'cause I'm a big Godzilla fan. Godzilla verses King Kong is out. But I'm also wearing Tenable Network Security shirt. Tenable was recently named as a finalist for this year's SC Magazine, a couple of different awards that they're, that are coming out there. And so I wish them, uh, great luck with that and hope everybody at Tenable is doing, doing really, really well. All right. Well on with the show. Eric, how are you?
Dr. Eric Cole: [00:00:55] I'm doing great. Thanks for having me.
Ron Gula: [00:00:57] Thanks so much for coming out today. So whe- when was the last time we met?
Dr. Eric Cole: [00:01:02] Uh, I think we met probably 20 some years ago. But I think the last time in person was probably three or four years ago at a security conference.
Ron Gula: [00:01:09] It was, it was, uh, either a SANS conference. Were you, you did IONS for a while bit?
Dr. Eric Cole: [00:01:13] Yes.
Ron Gula: [00:01:14] That were you ... And then, uh, there was the conference in Myrtle Beach that we were talking about earlier that we couldn't, we could not remember the name of that. So-
Dr. Eric Cole: [00:01:20] Yeah. Like a forensics conference-
Ron Gula: [00:01:21] Yes.
Dr. Eric Cole: [00:01:21] ... or something along-
Ron Gula: [00:01:22] Yes.
Dr. Eric Cole: [00:01:22] ... those [laughing] lines?
Ron Gula: [00:01:22] Absolutely. Absolutely. So for people who aren't familiar with you, what's your background? Uh, you have in your LinkedIn page that you worked at the CIA. I think we all started out in Intel or DOD, but tell us a little bit about yourself.
Dr. Eric Cole: [00:01:34] So I've been doing cybersecurity for 30 years and as you mentioned, I started off at the CIA as a professional hacker for eight years. So essentially learning how to identify vulnerabilities, how to identify exploits. And I'll tell you, after working at the CIA for eight to nine years, I figured out two things. One, offense is boring because you always get in, right? One of the golden rules of cybersecurity is, when you add functionality, you always decrease security. So I switched my career focusing on the defense. And the other thing I realized why I love working at the government, I don't like working for other people. So I also sort of started my career as an entrepreneur where I then, uh, built up a company TSGI that we sold to Lockheed Martin. And then Bob Stevens, the CEO of Lockheed, kept me on as their chief scientist. So I handled all cybersecurity issues and breaches and acquisitions for about eight years. Then I got recruited by McAfee and I was their CTO to redesign their entire product line.
And then we had the company acquired by Intel for several bill. And then after that, I decided, Hey, I got one or two more in me. So I started Secure Anchor where I'm really focused on strategic cybersecurity. And helping organizations build roadmaps with a keen focus on training up chief information security officers so they could really understand then integrate security into the business.
Ron Gula: [00:02:54] That's, that's awesome. So, uh, let's talk about that a little bit more. So Lockheed Martin, you're there as the cybersecurity, uh, senior cybersecurity person, uh, for like the mid 2000s or so. That's about that timeframe?
Dr. Eric Cole: [00:03:07] Uh, correct. It was from, uh, 2003 to 2007.
Ron Gula: [00:03:10] And when I think of Lockheed Martin, I think of missiles and, and airplanes, but, but what did they do in cyber? Like why, why do they have a cyber person such as yourself on stage, uh, on staff?
Dr. Eric Cole: [00:03:20] Yeah. It, it's really to protect all of their intellectual property. I-, if you think about sort of one of the ones they would known for, when the Chinese breached their fighter jet in order to get some of the new information and details about how the radar systems work. Because think about it, if a foreign adversary can understand how our radar system is working for the brand new fighter jet, they could design ways to bypass or get around it. So a lot of the focus was really on the protection of the intellectual property and making sure that the critical information, contract data and other information since most of their work was for the government was properly protected, secured, and locked down. And probably not surprising, and I see this even with a lot of companies today, but in the mid 2000, cybersecurity was always an afterthought. It's design and build the solution, and then at the very end, let's throw a few technology on there, add it on and that's all you need for security. And as you know, it's really about integrating security into the design process.
So one of the big things at Lockheed Martin that I did was I required that any new project, when they did their kickoff design and their estimates for the project, that security was present at the meeting and that security requirements were presented at the same time the initial design build was put in place.
Ron Gula: [00:04:36] Excellent. So, uh, so now you're at Secure Anchor and what are some of the services that you are providing to clients and, and people these days?
Dr. Eric Cole: [00:04:45] Uh, so at Secure Anchor there's three core services. One is CISO certification because I think that's a big gap. Really helping to train, coach and get CISOs that actually can understand the business. The second one which is tied to that is building out effective security roadmaps for organizations. I know a lot of companies like to have their pen tests, their security assessments and others. But what I find is, they hire a company, they get an 800 page report and it sits on a shelf and nothing happens with it. So we do an assessment with a twist where we build out a roadmap based on the understanding of their business that's integrated into the business that their team can follow. And then the third one is expert witness, where I testify in high profile cases to typically intellectual property, data breaches, or trade secrets.
Ron Gula: [00:05:32] If the packet fits you must acquit, that kinda thing?
Dr. Eric Cole: [00:05:34] E- exactly. Yeah, exactly. I love that. I'm gonna use [laughing] that one.
Ron Gula: [00:05:37] So, um, you know, let's talk a little bit about the C-, the CISO, uh, certification. And a lot of people that listen to the show and watch the show, you know, are trying to get into cybersecurity and they might dream someday of being a, maybe a cyber entrepreneur. But they also think about being a chief information security officer. So why do we need a certification for that type of, uh, type of role?
Dr. Eric Cole: [00:06:02] To me, the reason we need a certification is because it's different than being a security engineer. And, and a perfect example of that is, we do a lot of social media. And I'm putting out information on our CISO cert. And one of my favorite, favorite comments was somebody posts and goes, "Dr. Cole, you are clearly naïve. You can not teach people how to be a CISO. The only way to be a CISO is be a security engineer for 12 years, threaten to leave the company if they don't promote you and get the CISO title."
Ron Gula: [00:06:31] [laughs]
Dr. Eric Cole: [00:06:32] And, and I sort of read that, I was like, [inaudible 00:06:34]. Because that's the problem. Now, there are cases where world-class security engineers, if they do a mind shift, can become a world-class CISO. But the problem is, world-class security engineers that are super technical typically don't make good CISOs because it's completely different. And a great example is, and this is sort of my CISO test. You're sitting at your desk and all of a sudden you get a text that one of your server has been compromised, one of your systems has been broken into. What do you do? If your answer is, "I immediately run into the data center." Or, "I immediately ..." If you're working from home, uh, "connect into the system with SSH, analyze, look at what's going on, analyze the logs, determine the extent of damage, determine the extent of compromise." Congratulations, you're a world-class security engineer. You would make an awful CISO.
On the other hand, if you said, "Well, the first thing I would do is get my team together. I would start to task them saying, look at this, look at this, check those logs. I would then say, get back to me in 45 minutes. I immediately call the CEO of the company and give them an update and say, I'll get back to you in an hour." You would be a world-class CISO. But it's a completely different mindset. CISOs are focused on the business and world-class security engineers are focused on technology and technical solutions.
Ron Gula: [00:07:51] What's, what's the quote that you have on Twitter and LinkedIn? A CISO is not a technical job, right?
Dr. Eric Cole: [00:07:57] Exactly.
Ron Gula: [00:07:57] Right?
Dr. Eric Cole: [00:07:57] Yeah. The CISO is not a technical career path for security engineers.
Ron Gula: [00:08:01] But it does, it does help, but it also does hinder this, this people conversation. And I spend a lot of time trying to educate people, getting into this, this, this business, and I tell them like 90% of the time you're talking to people who aren't technical.
Dr. Eric Cole: [00:08:15] Right.
Ron Gula: [00:08:15] So you need to be able to learn how to communicate. So I'm kinda curious, in the CISO certification, how much, you know, business stuff is in there, how much communication stuff in there? Is it ... Do you have like the Myers-Briggs test? Do you have that kinda ... You know, what kinda person, what kinda CISO makes a good CISO? What kind of person makes a good CISO?
Dr. Eric Cole: [00:08:30] So, yes, a lot, a lot of people are a little shocked when they get into the CISO cert because it's 40 hours of knowledge transfer. And then there's a coaching component and a private community where you can interact. But of the 40 hours, only seven of it is on security technology. There's 20 hours of it on business, mindset, asking the right questions. For example, if you're a CISO, you must be able to read a balance statement. You must know what a profit and loss is. You must understand how the business is making money. And I know at first people are shocked with me, but think about it, if you don't know how much money the company's making in both revenue and profit, how do you know how much to spend on security? If you don't know which products or business lines are bringing in the higher profit margins, how can you align security to properly protect the critical data?
So we actually teach a lot of ... I sort of call it a mini MBA. And then the other part that I find really important is mindset. When I talked to a lot of folks, they're like, "Eric, I could never be a CISO. I, you know, I mean, no one's gonna trust me. Executives are never gonna talk to me." And I go, "Whether you think you can or think you can't, you're probably right." So to me, you've gotta believe and trust yourself because when you're sitting in front of a CEO, if you sit there and look at the CEO going, "Listen, I don't know business. And I don't know ..." You're done, right? You gotta have that confidence, not arrogance, but confidence to understand what the business really is, and then integrate security in. But when you're talking as a CISO to executives, it's dollars and cents. One of my favorite little tricks is when you're talking to executives, there's only four things you need to worry about.
What is the risk, likelihood of occurring cost, if it occurs and cost to fix it? If you're talking false positives, firewalls and IDSs, you're in technical geek land and they are not understanding what you're saying.
Ron Gula: [00:10:17] So I really liked that. And there's products out there that can kinda help people do this kind of risk and financial modeling, right? You have loss of revenue. If you have a-
Dr. Eric Cole: [00:10:26] Yeah.
Ron Gula: [00:10:27] ... you know, the server that books the airline tickets, right, if you're doing a million dollars a day and that goes down for three days, if I could do the math right, that's a $3 million loss, right? If you lose, you know, data in California, you might have financial loss from, from regulatory co- and compliance compromises, right? So do you teach people kinda how to pull all that apart, put it on a spreadsheet, put it on a PowerPoint and present that to the board or present that to the CEOs?
Dr. Eric Cole: [00:10:51] E- exactly. It's all about understanding the business. When we do security assessments, it always shocks everyone. 'Cause when we go onsite to perform our security assessment, the first thing we do when we get there is we sit down with the CFO and I wanna understand the financials of the business. And that's so backwards because most security assessments are all about everything else. Because to me, if I can understand the financials, I can understand what the business lines are. And what I wanna understand is how the company makes money, what their margins are and what differentiates them from the competition. Then based on that, we're then gonna say, "Okay, what's the biggest risk to the organization? Is it loss of confidentiality?" Which most people always think about. Mo- most security professionals are all about protect the data from disclosure, but actually in a lot of cases, integrity and availability are more important. We, we just got hired by a company that does a large number of the COVID tests and they grew by 400%.
Uh, as a business owner, you'll appreciate this. 2019, they may 21 million in revenue. In 2020, they made 370 million in revenue yet they had no security in place and their folks are all about PHI and encrypting the data. And I looked at them and I said, "Okay, if some of the patient testing data gets out of the public, can you survive?" And they said, "Yes." I said, " If you start screwing up patient records and give the wrong test results to the wrong people, can you survive?" And they're like, "Well, it's get a little questionable." And then I said, "If you can't run your test results for three or four days, can you survive?" And they said, "We go out of business." So right there you saw that their priority was actually quite backwards. So our main focus was how do we keep the availability and integrity? And then the confidentiality, while important, actually came at a distance. Third, it wasn't the top priority.
Ron Gula: [00:12:47] Now a lot of these customers you're working with are large, large enterprise, right? 20 million, 100 million more in revenue, right. So there, is that kinda correct?
Dr. Eric Cole: [00:12:55] Yeah. So, so our sweet spot in the market is what I call a small to medium. So about 200 million to 2 billion-
Ron Gula: [00:13:03] Mm-hmm [affirmative].
Dr. Eric Cole: [00:13:04] ... that has IT. And they have somebody on the team that does security, but they typically don't have a CISO or a security department. And they need someone to help them understand or integrate security into the IT and business process.
Ron Gula: [00:13:17] Excellent. Um, so for a lot of those big organizations, how many of them are dominated by, you know, HIPAA by PCI? Or they kinda say, "Hey, we wanna be compliant with like DOD standards, like the risk, uh, management framework, the s- DISA STIGs." You know, that kinda, that kinda stuff?
Dr. Eric Cole: [00:13:35] Most of the ones we get involved with, you're exactly right, there's a compliance drive. That there's a regulation drive. Somebody in the organization, usually legal, goes to the executive team and says, "Hey, there's this new regulation or this regulation we've been ignoring and we need to go in and pay attention to it." And one of the things I always joke with my engineers is when we do assessment work, you want to give them what they asked for, but provide what they really need. So they're asking to be regulatory compliant, but in reality, you can be compliant with regulation and still vulnerable and still compromised and still broken into. So what we try to do is say, "Okay, we're gonna give you what you asked for, get you compliant, but then we're gonna also do it in a way that you actually secure, protected, and your critical data is managed. Understood what the proper process flows."
Ron Gula: [00:14:20] That's excellent. How often are you using tools like the NIST cybersecurity framework or Sounil Yu's Cyber Defense Matrix? Have you seen those?
Dr. Eric Cole: [00:14:28] Yes. Yeah. So, so, so I, I, I, I would say sort of a, yes. So what we do is, we have what we call the proprietary method. But essentially it's a combination of all of them. So when I was at SANS, I built the critical controls. We have the NIST, we have the risk framework. So what we do, is we take pieces from all of those and say, okay, what, what really is the core functionality across all of them? And then focus in on those core areas. And then we sort of build out domains to focus on like for example, all of them on one way or another are really about asset inventory configuration management. So that's one area. Another one that's sort of integrated in, but I think is probably the most important is critical data. Most of these breaches we've seen out there from large hotels to healthcare, what does it all come down to? There was critical data on service that they didn't know about.
So if you can get better control and visibility of your data and know where it is and manage it, then a lot of these problems start to go away or get minimized very quickly.
Ron Gula: [00:15:27] That's, uh, that's well said. We had Tony Sager on the show and he kinda talked about his work, uh, early, in the early days of the NSA when he was trying to get that, what's the core of most of these, uh, common security compliance frameworks. And also what they're doing at The Center for Internet Security right now. Do you get pushback? Do you get people saying, "Look, I really wanna protect my employees from IP theft from China, but I don't know why we're having to factor control or the- these things are encrypted twice." Like, you, what kinda pushback do you get from non-cyber people?
Dr. Eric Cole: [00:15:57] Yeah, that, that, that's always the thing that comes back is where they, they want security, but they want it easy, right? They don't want it to get in the way. So one of the big things that I really push is, to me, if you do it correctly, cybersecurity should be a business enabler. I- it should really be done in a way that increases the effectiveness of the business. So for example, at one of the hospitals we were working with, the doctors were like, ""We're not doing two factor. It, it, it's not gonna happen." I mean, they were fighting it. There was a couple attempts that failed. So what we did, is we understood how they did their work and now what we actually do is a biometric proximity. In hospitals, you must have a badge. If you don't have a badge, you're not getting in because the physical security, the swipe. So they are trained already on carrying their badges everywhere.
So what we did, is we just upgraded their badges to have a proximity device, so when you're within six feet of a machine, it unlocks. And when you're six feet away, it gets disabled. Now of course, people could steal badges, but in hospitals, if you lose your badge, you've got bigger problems because somebody can get into, uh, sensitive areas, ICU and others. So they already have that piece taken care of. So we just adapted our security. We didn't do two factor in the traditional way where you have an RSA token. We did two factor with the proximity badge, and now it's increased the security. A lot of their issues went away and the doctors love it because we enabled them to be more successful. So to me, it's about how can you be creative and not just follow the set rule book, but understand the business and say, how can we align it to make it easier and simple for people to be secure?
Ron Gula: [00:17:33] Excellent. So outside of large enterprise, when you start talking to smaller companies, people who don't have a CISO and a, a compliance staff and that sort of thing, I often find it hard to, to convey all the complexities of cyber because we have to simplify things. So what do you kind of advice do you give for small business? You know, the donut shops, the dentists, the movie theaters, that, that type of thing. How do you, how do you tell them to go about life?
Dr. Eric Cole: [00:17:58] Uh, I, I know some security people get very upset when I say this, so I'll give the answer and then I'll give my caveat with it. Outsource it. Give it over to third parties. There's, there's great companies out there that can manage secure. Uh, I'm a big proponent of the cloud, especially for smaller companies. Now here's the thing you've gotta be careful of. A lot of really good security people, we're trained to look for the problem. We're trained to look for the fault. So I go in to these smaller companies and say, outsource everything to the cloud. And immediately you have security people going, "But Eric, there's this vulnerability. There's this vulnerability. There's this vulnerability." Yes. But that's the wrong comparison. If you're taking a solution and you're ripping it apart for all the vulnerabilities, you're assuming that the current way you're doing things is 100% secure. And that's the fallacy.
What I always say is, okay, moving to the cloud and giving all of your data information, email, to a third party to secure running lockdown does have risks. But compared to what a small donut shop is doing today, where they're running their own data center while they're making donuts, that solution is a whole lot better than what you have. So to me, cybersecurity is not about perfection, there's always gonna be issues and challenges. It's about always improving security. And if you're small and you can't have your own staff, giving it to a third party, now you wanna make sure you use a good third part. But there's a lot of great cloud providers out there that will take care of most of the work so you don't have to worry about it.
Ron Gula: [00:19:29] I think that's, I think that's well said. Um, the Cyber Readiness Institute, they've got, uh, four things they recommend, right. No USB. Well, usually clean USBs, have strong passwords, authentication two factor, pass your stuff and then do education on phishing. And, um, I've always thought that that was really good. There's like 20 other things you can do.
Dr. Eric Cole: [00:19:47] Yeah.
Ron Gula: [00:19:47] But if you're not doing those four, it's, it's, it's tough. And I definitely agree with this, you know, use cloud services, but we gotta talk about SolarWinds and, and Dark Halo here, right? So we all said, "Hey, let's outsource to the cloud. We all put our email on, on Office 365. And a lot of people only used one password to administer that, and they're getting taken over left and right. What are, what are your comments on that?
Dr. Eric Cole: [00:20:09] So, so two comments on that. The first one is, you can outsource email, you can outsource technology, you can outsource security. You can't outsource liability. So you still have to sit back and say, "What is our liability?" But if we look at with the Microsoft issue, the problem with that is they have a lot of good security that's not turned on by default. Because we're still in that stage where when I talked to a lot of Microsoft folks, they go, "Eric, some consumers want it, so we build it in. But not enough require it, that i- if we turn it on, we'll lose a competitive advantage." So if you went in to Office 365 and you turned on all the proper security and you turned on the two factor and the notifications, those attacks would have been detected, reduced and minimized. So the problem is the security is there, but we still have to take the responsibility to turn that on and monitor and track. And then with the SolarWinds, to me companies and the government broke a fundamental rule.
One of our fundamental rules is, when you have any third party connections into your network or third party servers, those must be segmented and isolated on a separate VLAN. I remember when I was teaching security 18 years ago, that was one of the fundamental rules. But we tend to break that rule and not follow it. The other fundamental rule that I teach is inbound prevention, outbound detection. You've gotta be monitoring all outbound activity and see where it's going. And that's how it was ultimately caught. But most companies are not looking at the outbound traffic. They're not monitoring it. So to me, this was sort of a wake-up call that even though it looks like it came from advanced adversaries, to me, this attack wasn't advanced. And so people get mad at me, but this was preventable if we followed some of the fundamental rules.
Ron Gula: [00:21:58] Yeah. So a couple of things to un- unpack there. Um, so the, the first one is that we talk about patching systems and, you know, keeping things updated. But a lot of times, if you're running 100% Microsoft shop or 100% Apple shop, which you can, you can do, you can buy 100% Apple products, 100% Microsoft products, you know, soon as you bring in Zoom, as soon as you bring in Adobe, as soon as you bring in ... You kinda turn off some basic defenses. So I often thought that the cyber folks who just try and say yes to everything we often don't say, "Hey, look, you know, it, it, it might be okay just to use Teams. It might be okay to do that."
So what are your thoughts on kinda running with a monoculture because it's easier to defend, it's easier to look and, uh, and manage?
Dr. Eric Cole: [00:22:41] So, so I'm very big on security of helping the business and helping them be successful. But there's a difference between helping and enabling the business and just saying yes to random stuff. So what I always do when we, we do CISO or vCISO type work, is when somebody comes and says, "Hey, we wanna use Zoom." I come back and say, "What is the problem you're trying to solve?" "Well, we gotta have zoom." "N- no, what is the problem?" "Well, I need to be able to do video conferencing with our different clients." "Great. We currently have, uh, X, Y, Z solution for doing that. Why isn't that working for you?" "Well, well, I prefer Zoom."
"Well, yes, everyone prefers different things, but can you try our solution for 45 days? And this has been checked, verified and validated and see if that works for you. And then if not, let us know specifically what's not working and we'll come up with a solution for you." Now, of course, you're always gonna get some folks that just, you know, I mean, they're gonna cross their arms and have a temper tantrum, which is okay. But, but to me, I find that diffuses a lot of it. Where when you say, what is the problem you're trying to solve? Don't come to me with a solution, come to me with the problem and then we'll start to figure it out. And there has to be rules in organizations. If you allow everything to happen, of course, every platform it's gonna get out of control. So if you go in and you've agreed that you're gonna use solution X, then guess what? That has to be the solution.
And if people don't like it, you take it to the board. But this whole idea of exception management or shadow IT, to me is probably one of the most dangerous things in organizations if you don't get a handle on it very quick.
Ron Gula: [00:24:20] Now, the second thing you mentioned was, was VLANs. But before we go into VLANs, let's just kinda kick an overview. And we're gonna say some marketecture terms here called like Zero Trust and segmentation and whatnot. I think a lot of people are familiar with the concept of two phones. Like the, your, your personal phone and your work phone. And, you know, your work phone might be on your same home wifi, but maybe it's got VPN connectivity to office. It doesn't have Facebook on it. It's got authorized apps. We kinda lose that when we go into the world of laptops and, and, and home networks and whatnot. So, so give us some thoughts on the VLANing, Zero Trust, segmentation, all that type of stuff.
Dr. Eric Cole: [00:24:58] S- so to me, what it really comes down to is, especially everything that happened with the epidemic, is we have to have an architecture that's location agnostic. Where, where people can work any place, anywhere, any time. So and one of my favorite questions is, I was talking with the CISO of a large financial institution in New York in January, and I said, "How many new offices did you open in 2020?" It's like, "Eric, we closed down seven offices. We didn't open up any new offices. We, we restricted access. So we, we actually shut down a lot of our functioning." I said, "Whoa, whoa, whoa. How many people do you have working from home in 2020 that weren't previously working from home?" He looks it up and he says 33,000. So I said, you opened up 33,000 new ...
And he like ... It, it was like, the eye where he never thought about it that way, but we have all these offices out there. So to me, the old concept of architecture VLAN and all of that is sort of going away where now the new architecture I'm pushing is a three tier model where you have all of your data in the cloud. Now it can be public, private, hybrid, but your data's controlled and managed in one spot. You then have a robust authentication tier where now all connections to that data, you have two factor, geolocation validation, and you have anomaly detection. Because most of these attacks, you have somebody who's logging in every day from 8:00 in the morning until 5:00 in the United States. And when their account gets compromised, it's somebody from a foreign country. So if you're just doing the basic correlation behavioral analytics, you can catch a lot of the attacks. So you have that middle tier there. And then, this is the big change, on the endpoint thin clients.
I, I know we've talked about it for a while, but we can have four terabyte hard drives uncontrolled with outdated operating systems. So to me, when you're moving to that model, we're really getting away from having a robust internal architecture with VLAN segmentation. And now what we're saying is, every single person is isolated and separate. You get new operating systems and there's always authentication to get to the servers. And the thing that I laugh about at it is, I've been recommending, and I know you have too for a long time, but now all of a sudden, "Wait, wait, wait, we gotta use the cool term Zero Trust, right?" To, to me, that's always been a con, but, but, but we are now given cool names-
Ron Gula: [00:27:20] Yeah.
Dr. Eric Cole: [00:27:20] ... it's just sort of [laughing] same.
Ron Gula: [00:27:21] So, um, I'll, I'll, I'll just kinda talk about this. We, one of our advisors for our foundations, Tom Quinn, he's the CISO of, uh, T. Rowe Price. And I was asking him about like, you know, "Do we need a Zero Trust product? You know, do we need things to make this ..." And he goes, "Look, we just kinda design our network to do this, right. It's, it's, it's always been like this." You have least privilege, you have segmentation, you have the authentication and it, and it's good. But one thing I wanna dig into is this concept of a thin client. Because on one hand, you've got a complex operating system laptop, Windows, uh, you know, Apple OS X, that sort of thing. That's not really a thin client.
But on the other hand, you have closed systems like Chromebooks and, and, and Apple, uh, you know, iPads and stuff. But then you also can have little, you know, I say little, virtual machines that can run on your endpoint and give you like, like remote access into, into Windows. And so when you say thin client, just expand that for a little bit more. What do you, what do you really want at that endpoint?
Dr. Eric Cole: [00:28:16] Excellent. So, so what I want when I talk about thin client is no big hard drive for data storage. So in the ideal situation with a thin client, you turn it on in the morning and it goes out to a trusted site that verifies and validates. And it pulls down the entire operating system and runs it in memory. So now what you're doing is, instead of having a laptop that has a four terabyte hard drive, you now have 64 gigs of memory because you're running the entire operating system there. Now, if you have some locations that are slower speed, and it's gonna take two or three hours to do that, you could have a small hard drive that caches the operating system. And you only pull it down on the weekend when it's slower. But the three problems you're trying to solve with thin clients is first, no local data storage. Because if you're storing data locally, you're opening up to ransomware attacks. You lose control of your data. Things can leak out very quickly.
Second thing we're trying to do is really make sure it's up to date and patched. So now if you're getting a new operating system every day or every week, now it's being patched, it's being updated, it's being locked down. To me, probably the biggest thing on the thin client model is now when you get compromised, the length of time is greatly reduced. When you have a traditional hard drive with a four terabyte hard drive and the OS installed, you get compromised six months into it, and you're compromised two years.
Ron Gula: [00:29:41] Because nobody reboots those computers and all that kinda ... Now, how about remote desktop? So-
Dr. Eric Cole: [00:29:46] Yeah.
Ron Gula: [00:29:46] ... it's one thing to have a thin client. Um, what do you think about remote desktop? Where I can maintain my pristine computers on my cloud, on my private secure VLAN and give people the illusion of here's your Windows desktop, here is you are OS X desktop. How do you feel about that?
Dr. Eric Cole: [00:30:03] If you can get the training issue under control, where you can train people how to use it, then it's great. The, the, the reason why I do the thin client model, when you're talking about doctors, lawyers, marketing, salespeople, thin client looks just like their operating system and it's no different. When you're talking about remote desktop, there's a couple of extra steps that you have to go through. So as long as you can get that training piece under control and people can understand how to do it, the same type of stuff.
Ron Gula: [00:30:29] That's excellent. And then just the last kinda thought on that. A lot of people, when you bring up, you know, thin clients, you know, or, or a hardened remote desktop, they also say, "But what about my Chromebook? What about my, my, my Microsoft Surface? What about my Apple iPad? Isn't that more secure because I don't have like a lot of local storage and everything's in the cloud?" How do you feel about that?
Dr. Eric Cole: [00:30:50] So today what you're looking at most of the attacks are opportunity attacks. So they're sending out a phishing message about COVID or a FedEx package to hundreds of thousands of people hoping that 10 or 15% click on it. So today, 90% of what we've seen attacks are focused on Windows operating system. So if you use a non-Windows operating system like a Linux or an Apple, it's not more secure because they have vulnerability still, but they're less targeted and therefore a little safer. So what I actually, what I do and my, all my clients do, is we have our Windows system for doing work for clients. 'Cause everybody uses Word and PowerPoint. You gotta be consistent. However, the two most dangerous operations, checking emails and surfing the web, we always do on iPads. So I always carry an iPad with me. And when I need to check email or do research, that's always on the iPad. This way, if it's malicious, we can catch it or track it beforehand. I clean out all the bad stuff.
And then once I know it's good, I then use my Windows computer. So it's really having these two devices to separate and minimize the risk.
Ron Gula: [00:31:57] Awesome. All right. So I think we've eviscerated the Zero Trust-
Dr. Eric Cole: [00:32:00] [laughs]
Ron Gula: [00:32:00] ... marketecture. Um, let's throw out a couple of other ones. So just, I'm just gonna say a couple ones. You mentioned anomaly detection earlier. Let's talk about anomaly detection, but then segue into artificial intelligence.
Dr. Eric Cole: [00:32:12] Okay. So human beings are creatures of habit. We do things a certain way in a certain pattern. Uh, I'm sure if we went in and looked at your morning routine and you told me what you did today, I could probably predict what you've done for the last three, four or five weeks, right. But mo- most of us have very strict habits. So when you're looking at how we use a computer, there was very clear patterns of how somebody operates. When they log in, where they log in, what they do, what they access. So what I found is, people give it all crazy words, but if you're just building a profile of normalcy and then anything that deviates from that, you go in and alert on, you can catch a lot of these attacks. O- one of the big breaches we just worked on a couple of weeks ago where a healthcare organization had 100,000 records stolen. Everyone that logs in to that company is in the United States. The attacker came from overseas. So if they just did some basic geolocation, they would have been able to catch that type of attack. So that's sort of-
Ron Gula: [00:33:14] Or, or even prevent it.
Dr. Eric Cole: [00:33:15] Or even prevent it.
Ron Gula: [00:33:15] Yeah.
Dr. Eric Cole: [00:33:16] Exactly. So that's really what I'm looking at, is just le- let's understand what's happening. Let's get a little more visibility. And any of those outliers, let's start doing a better job of catching, locking down and preventing.
Ron Gula: [00:33:26] Yeah. So i- if I may, and we'll get into AI in a second like I asked, um, so this anomaly detection, this is really what people refer to as hunting. It's one thing to load up for, for, for bad signatures and malware and bad, bad indications of compromise. But once you get past that ... Like SolarWinds, there were no indications of compromise, right? But there was anomalies about outbound connections, about how SolarWinds was behaving and stuff like that. So when I start thinking about large enterprise and even small business, when you're outsourcing IT, a lot of people, they asked, "Do you have security?" And they point to their antivirus or a firewall. I wanna educate people that they need to ask people to hunt. They need to look for anomalies. They need to look for these things, because a doctor's not gonna do this. You know, and a hospital staff might not have those kinds of things. I, I like to talk about this in terms of something that I call the Cyber Poverty Line.
Dr. Eric Cole: [00:34:16] [laughing] Yeah.
Ron Gula: [00:34:17] That hunting is a key part of that. So-
Dr. Eric Cole: [00:34:19] Yeah. You're spot on it. And to me, it's the switch. So everyone talks about incident response. Incident response is reactive. It's indicative on there's something visible. So when we go back 20 years ago and you had, I love you, Melissa, visible things on the network, incident response was great. Today, it doesn't work because there's nothing visible. Today's attackers are covert. So I always say, and it's once again, buzzwords, I call it proactive incident response, which is what you call threat hunting. Where you actively hunt and look for those anomalies. And one of my favorite things where I've gone into companies that have been compromised for two or three years, and I catch the attack within 20 minutes by doing this simple exercise. Take the outbound traffic, geolocate it on a map of the world and use heat maps. So the more data, the thicker the connection. And then go to your executive team and say, "Okay, where are your clients and where do you do business?"
So I go in and I do this heat map where you have all these lines going, uh, to the East and to the West, to, to certain countries. I'm always careful about ... I don't wanna act like I'm naming, but we know who we're talking about. Certain countries out there. And I present that to the execs and they go, "Eric, we don't do any work in this country. We don't do any work in that." Yet 30, 40% of their traffic's going there. And we catch the attack and able to stop it very quickly. And they give us a lot of credit, and we're known in the field for doing this, but I'm laughing, going, "Why are you paying me all this money when you could have done this? I mean, your team could have produced the heat map, the software's cheap or free. Why are you paying us?"
Now, uh, uh, my, my team gets mad when I say this, 'cause I'm not trying to put us out of business, but these are things that you should be doing internally. You don't have to hire contractors or security experts to do some of the basics.
Ron Gula: [00:36:01] And you, you can even do that geolocation in the states. You can do it by zip code.
Dr. Eric Cole: [00:36:06] Yes.
Ron Gula: [00:36:06] That's so accurate these-
Dr. Eric Cole: [00:36:07] Yep.
Ron Gula: [00:36:07] ... days. You can even break it down, this is a cell phone IP address, this is a, uh, an Amazon data center. You can cross-reference it with stuff like Shodan.
Dr. Eric Cole: [00:36:15] Yep.
Ron Gula: [00:36:15] There's a lot of work to be done out there. So if you're not doing it, you know, you might have something going on right now and you, you never really, never really know. Um, so, so anomaly detection, you know, it's, you're measuring something. You're measuring log-ins, activity, email, um, uh, you know, browsing the web and you're looking for outliers.
Dr. Eric Cole: [00:36:35] Yes.
Ron Gula: [00:36:36] And, and, and that's also a way to understand what's on your network. It's ... Well, I consider it's a form of like asset discovery, what's normal, right? If you don't know what's normal, you can't really figure out, you know, what's, what's abnormal. But how do we then get into artificial intelligence? Where are we right now with ... Is that, is that, is that something that we can use? Is it something in the products? What's your, been ex- your experience with AI over the last 30 years?
Dr. Eric Cole: [00:37:00] So, uh, interesting you say that because when I was starting at the agency, uh, I didn't cover this 'cause it wasn't cybersecurity, my first job was actually a programmer where we actually built AI systems to do predictive analysis. So when they were tracking certain individuals and, and wanted to predict what their behavior would be, I got all of the data and built out neural networks and expert systems to do that. So to me, AI is great if you have good, accurate data sets in which it doesn't change or get modified. O- one of the concerns, especially with neural networks in cybersecurity is, we don't have those clean datasets because it's always changing, always modifying, always updating. Now I do believe that expert systems rule-based systems where you can take, okay, what are the steps an expert takes to perform things and implement that?
But, but I feel like in cybersecurity that AI has sorta got over-hyped a little bit where, AI solves world hunger, just call it AI, just say you're different and people buy it. But once again, I come back to, what are you really doing that's different? And let's put the proof in the pudding. So what I always tell everyone is, if you have a new technology where they're claiming to do AI or some other great methodologies, go ahead and sign the PO, but ask them for a 30 day trial. Because if their product really works and does what it's supposed to, then they're willing to back it up. And if they're not willing to back up their product to give you a 30 day trial, you might wanna think about, okay, is the product really gonna deliver on what they're saying?
Ron Gula: [00:38:33] And there's, you would like to think that there's at least 30,000 organizations that have been exploited with Exchange or SolarWinds, depending on how you count it. And had all sorts of endpoint and perimeter. And I think IronNet claim that they kinda caught some of that. Some of the other folks kinda rushed to, "Hey, we found this." You know, maybe they didn't know what it was 'cause they find, they find a part of it. But I always, I always like to ask people who pitch me AI solutions, "What have you found to date? Like, were you, were you involved in that?" All right. So we, we did Zero Trust. We did, we did artificial intelligence. Now let's talk a little bit about insider threat. What, what is that? You know, how much does cyber people, uh, cybersecurity people, are we worried about insider threat? What's, what's been your experience with that term and people's feelings on it?
Dr. Eric Cole: [00:39:17] T- to me, insider threat is just inherent to how attacks work. So one of the things I always say is, if you look at almost all attacks, the source of almost all attacks are external. The cause of damage with almost all attacks are internal. So when I look at insider threat, even though at the agency, uh, we had Ro-, uh, Aldrich Ames, Robert Hanssen, right, the, w- the, everyone thinks insider threat, deliberate, malicious, insider is somebody who's gonna actively try to bypass. A- and once again, if you have a malicious actor inside your organization, and they're really good, it's really hard to catch them unless they screw up. But what I always said, 'cause I worked on the Aldrich Ames case, the way you catch bad actors is they're gonna either get greedy or brag.
I mean, Aldrich Ames he was making $30,000 a year and he's showing up like a pimp with a fur coat, diamond rings a new jag. It's like, dude, pay the ta- ... I mean, if he would have kept this profile low, may- maybe they would've never caught it. So people are always thinking about that deliberate, malicious insider. To me, insider threat is broader. It's accidental, inadvertent, insider. Somebody who clicks on a link, somebody who opens an attachment, somebody who does something that causes damage. Well, if you think about it, that's pretty much all client-based attacks. So, so to me, even though I wrote a book many years ago Insider Threat today, insider threat is just one of the two target vectors. You have servers are one target and that's where the configuration management and patching and control of data comes in.
And you have the endpoint, which is really all about insider threats, insiders doing things. So to me, if you're not doing insider threat, which is the cause of almost all damage, you're creating huge vectors that the adversary can exploit.
Ron Gula: [00:41:11] So I definitely agree that if I compromise an employee's laptop or, you know, resources, I'm now the, them, and I'm the insider.
Dr. Eric Cole: [00:41:20] Yeah.
Ron Gula: [00:41:20] But, but the hunting for the next Edward Snowden, you know, is, is an interesting thing. There's a lot of people putting a lot of resources into that. And they're getting HR involved, you know, they're getting physical security involved and this goes back to your CISO, um, you know, you gotta be good talking to people. It's not just about the ones and zeros on the computers, it's the business risk. And I think it's interesting that a lot of people are bringing HR into these things to look at, uh, look at folks. Um, all right, good. All right. So I'm gonna go with one more, um, buzz, buzzword, and then we'll get onto some other things. So on the endpoint, right, we started out with patching. We still have patching.
We have antivirus and then we have EDR, right, endpoint data ... What is it? Data, um, reco- ... I, I'm, I'm gonna ... yeah. Flame me on Twitter. It, it's it's good. Too many acronyms. And then we have XDR, right?
Dr. Eric Cole: [00:42:10] Yeah.
Ron Gula: [00:42:10] We're, we're doing, we're doing more at ... When are we done? Like at what point do we have enough monitoring on the endpoint to be like, "Yup, we're, we're, we're, we're good."
Dr. Eric Cole: [00:42:19] Uh, I, I think it comes down to, if we can take some of the data off the endpoint and store it centrally and minimize that risk component, ultimately at the end of the day with the endpoint, as long as there's functionality, it's gonna rest on the user. W- w- what I always sort of use as the analogy, is we can take the safest car on the planet, but if we put a reckless driver and they drive that car 100 miles and hour into a tree, they're gonna still get hurt or injure themselves. It's the same thing. We're trying to engineer a solution. And, and hopefully this is okay to say, because no matter what you do or put in place, you can't secure stupid.
Ron Gula: [00:42:57] Yeah.
Dr. Eric Cole: [00:42:57] I mean, i- if you, if you're gonna have individuals, and most of these attacks that you look at are really stupid things. Somebody gets an email from an executive that says transfer $300,000 to an offshore account, and you do it without picking up the phone or checking. Now, I know some people might get mad at me. That violates some of the common sense. So to me, what it really comes down to is we have to create better processes and systems. And instead of relying on technology, because we keep wanting to, "Well, if we get one more thing on the endpoint we'll be secured." Really, it's not. You're got to ultimately, uh, educate the users, minimize the risk and minimize their exposure points.
Ron Gula: [00:43:39] So you, so you've been in the business for about, about 30 years. Uh, how many books have you written?
Dr. Eric Cole: [00:43:44] Uh, I have my eighth book, uh, Cyber Crisis coming out in two months.
Ron Gula: [00:43:48] Very good. Is that ... Can I see that, a preview of that an Amazon? How, what, how do you, how do you get that?
Dr. Eric Cole: [00:43:52] Uh, yeah, it's, it's on Amazon and actually I'm so mad at myself because I woke up this morning and I remembered to bring you a copy because I have early release. So I'm proud of myself for that and I left it on the counter. So I'm gonna have to ship it to you and get you a copy. But, uh, yeah, it's available right now for pre-ordering and I'll make sure you get a copy so you can, uh, look through that and, uh, we can hold it up at the next, the-
Ron Gula: [00:44:13] There you go.
Dr. Eric Cole: [00:44:14] ... the next interview. [laughs]
Ron Gula: [00:44:14] What, uh ... So your eight books, your eighth book, uh, have you kept the same publisher all these years? Have you changed publishers? What, what are the topics you've written about?
Dr. Eric Cole: [00:44:22] Uh, so I, I've switched publishers over the years and I've really made a paradigm shift because my first books, my first book came out in 2000, Hackers Beware. And then I had Advanced Persistent Threat, Network Security Bible, Hiding in Plain Sight. All very technical, because I felt back in 2000 to 2015, there was a problem with education of technical people not knowing about cybersecurity. It was a brand new field. Not everyone could take all the great training that was out there. So I was really trying to get the technical knowledge to a critical mass. I think that knowledge is there. And what I realized about three or four years ago is the problem is that the average person doesn't understand cybersecurity. So my seventh book that came out two years ago was Online Danger. That was really written for parents, teachers, doctors, that just understand the threats, the dangers, the issues that are out there.
And that was good. But what I've realized is the real problem is that it's executives don't understand cyber because we never speak their language. So this book is a business book written in business language. I had a lot of key business executives review it, analyze it for business professionals, managers, directors, CEOs. They could sit down, read it in a few hours and understand the questions they need to ask to protect their organization.
Ron Gula: [00:45:45] So what are, what are some of those questions and what are some of the misconceptions that, that people outside of cybersecurity have about cybersecurity?
Dr. Eric Cole: [00:45:53] So, so, so probably, uh, the biggest misconception, uh, that executives or non-technical people have is to have an organization secure, you just have to have a department. So i- if you have a cybersecurity department with a cybersecurity engineer, you check the box and you have security. And what they don't understand is, cybersecurity to be done correctly, has to be integrated into your business. It has to be integrated throughout the entire business. The analogy I always use is most companies treat cybersecurity like the icing on the cake. They bake the cake, they bake it. And then the last final thing is, should it be strawberry or chocolate? Should it be IDS or firewalls? And it's too late to me. You want cybersecurity to be the flower. It's the first thing you put in the bowl. And most importantly, when the cake is done, you can't identify the flower. So to me, cybersecurity needs to be integrated into every process and every business unit.
Ron Gula: [00:46:49] That's excellent. So I think that's a good segue into something that my wife, Cindy, and I are pretty passionate about, is expanding the cybersecurity industry to something we're calling data care. To not only make it, uh, cybersecurity, more, uh, uh, people aware that they have a personal responsibility to do this, but also for people who wanna join this, this industry. Well, most people in our industry looks like you and me, you know, really attractive White dudes, right, right, right.
Dr. Eric Cole: [00:47:14] [laughs]
Ron Gula: [00:47:14] Um, you know, but a lot of people are, you know, of color, there's a lot of women, there's, there's, there's just a lot of diversity that's not present because they weren't, weren't doing that. So we're kinda hoping to include this with, with, uh, with this concept of data care. But, but going back to the, to, to the ... Well, well, well, I guess, first of all, how do you react to that? Do you agree with that? Is that, is that cool?
Dr. Eric Cole: [00:47:32] Yeah. Uh, uh, uh, I think that's spot on. And a lot of people laugh, but I do a lot of keynotes and a lot of free keynotes and I probably do four or five keynotes a year at women and security groups.
Ron Gula: [00:47:45] Mm-hmm [affirmative].
Dr. Eric Cole: [00:47:46] And clearly I, I, uh, I'm not dapper. What they don't realize is I have two daughters and my youngest daughter, who's 15, wants to get into cybersecurity. I never pushed it on them, but what broke my heart was when she was 14, a year ago, she came to me and she's like, "Dad, I really wanna get at the cybersecurity. It seems cool. I really like what you're doing." She goes, "But is that a field I can get into 'cause I'm not a man?" And I was just like, "Are you kidding?" So, so that, that's when I'm like, "Okay. We need to help fix this problem." So I'm really out there educating. I spoke to her class and others that, "Listen, anybody can get into this field. And in a lot of cases, when you look at the mindset that's different between men and women, we need that diversity."
So I think that is spot on and I, I love that. I would fully support that.
Ron Gula: [00:48:34] So you're also a doctor. You have a PhD in computer science. You did your, your dissertation in computer security, but you are Dr. Eric Cole And do people ever go, but, "Well, are you ..." You know, you know what I mean?
Dr. Eric Cole: [00:48:48] Yeah.
Ron Gula: [00:48:48] Are, are you a real doctor?
Dr. Eric Cole: [00:48:50] Yeah.
Ron Gula: [00:48:50] Right, right. But, but this goes to professionalizing the cybersecurity field. We have a very young field. You can be a PhD in architecture, PhD in a lot of different things. Basically a lawyer, you're basically a PhD. We don't have enough PhDs in what I consider in cybersecurity. So what, how do you feel about our field? Are we, are we getting better? Um, you know, are we, are we doing a better job building things that can't break and recruiting more people to our profession?
Dr. Eric Cole: [00:49:16] Uh, I think we're doing a better job of really starting to solve and understand the problem. But I don't think we do as good a job as recruiting. C- c- 'cause let's face it, I think we're the exception. But a lot of world-class security engineers are introverts. They, they, they, they're not gonna go out there and talk or, or, or be active. And in some cases, they view it as competitive. So I think we need to do a much better job of making it more exciting, showing people all the different opportunities in cyber and really putting together roadmaps to get there. And I, I agree with you completely. And that's one of the reasons why when I created the CISO certification, a lot of people criticized me going, "Another cert." But I'm like, no, what I'm trying to do is baseline what is the knowledge? Saying these are the steps and then validating that you have that knowledge. Now, you might agree that my baseline is right or wrong, but I'm trying to do that where we need to do a better job for entry level security, mid-level and advanced.
Of, okay, what are the baseline skills and how can we verify and validate that you have those core skills?
Ron Gula: [00:50:22] It's interesting. I had a lot of questions, how do I get into cyber? What programming language should I learn? And I'm like, "Well, you can go into cybersecurity and be a Python programmer." So you can also go into cybersecurity as an artist, as a, as somebody who can write well, technical drafts person. It's really interesting. But the comment you made about, we need to make cybersecurity exciting is really difficult.
Dr. Eric Cole: [00:50:43] Yeah.
Ron Gula: [00:50:43] Uh, we had Sid Meier on the show. He created Civilization, a lot of great games. And I asked him like, "Why don't we have any cybersecurity games?" And he's like, "It's kinda boring." And then if you actually step back and you look at what you're trying to prevent, like all of Chinese Intel from breaking in, it's a little disheartening to kinda, to kinda go that. So how are some ways we can make cybersecurity more appealing to, to people?
Dr. Eric Cole: [00:51:06] Uh, I, I think it's really like going in and sort of showing the fun side of it. So, so one thing I try to do when I talk to high school or college kids, or, or we even a lot of these is show some of the fun cases I worked on. Where I got to travel the Saudi Arabia and I got met on the tarmac by the Prince who picked me up in a limo. Now, once again, does that have anything to do with [inaudible 00:51:29]? But, but, but what it's showing them is that you can get very respected in the field, and a lot of people like that prestige. And then I tell them how we were able to catch attackers, r- r- go back and forth. To me, we need a lot more Cliff Stoll-
Ron Gula: [00:51:43] Yeah.
Dr. Eric Cole: [00:51:43] ... type individuals. I mean, you could say what you want about him, but that dude made cyber exciting. I mean, I, I saw him speak once where he's running across the tabletops and, uh, The Cuckoo's Egg. I still love that book and recommend it to everyone. W- we need to go in and e- e- even though it's a little fictionalizing, is just show the fun side, the exciting side and all those different interesting things you can do so people wanna go into the field. But the other thing I'm finding with a lot of the young folks is, right or wrong a- a- and I don't necessarily agree that it's all about the money, but I think showing them, you can make a lot of money, you know, I mean, in cyber. And that I think is where it starts getting exciting to them because most have been trained up, if you wanna be successful and make a lot of money lawyers, doctor.
Ron Gula: [00:52:27] Doctor. Exactly. So, yeah, so a lot of times my wife and I we go out and we speak to these like co- community colleges or high schools, I always ask them, "Who do you think makes more money, a doctor, a lawyer, or a cybersecurity professional?" It doesn't matter what the answer is. I want them to kinda think that there's a professional career here where you can go and actually make a, a, a, a big difference. Have some lateral movement into other jobs, which is actually a good thing, right? Not necessarily in, in the malware side, but it's, it's, it's it's fun stuff. How do you think Hollywood has hurt our industry as far as representing us as, you know, men and hoodies and dark, dark rooms, doing bad things?
Dr. Eric Cole: [00:53:05] Yeah. Uh, uh, uh, uh, I think a couple of things here. One is that they make us out to be weirdos. Like i- if you go into cybersecurity-
Ron Gula: [00:53:13] I, I'm, I'm not a weirdo.
Dr. Eric Cole: [00:53:14] Uh, exactly. [crosstalk 00:53:16]-
Ron Gula: [00:53:15] I'm wearing, wearing, wearing Godzilla, I'm 50 years old. I can show you my Godzilla toys-
Dr. Eric Cole: [00:53:19] Yeah.
Ron Gula: [00:53:19] ... anyway.
Dr. Eric Cole: [00:53:20] But, but, but, but they also need to see your beautiful family and beautiful house. To me, Hollywood makes it out that like, if you're a cybersecurity, you're gonna be living in a basement alone. Like, uh, it just frustrates me, uh, these movies where the cybersecurity guy is living in his mom's basement eating Twinkies. And I'm like, "Come on. That's not who we are." And then I think the other thing that, that they do that's really bad for us is, they make it seem so simple and easy. Like you just [inaudible 00:53:47], you know. And I'm like, "No, no, it's a lot harder and more difficult." So I think what happens is you have a lot of people going, "Well, I don't wanna be the weirdo. I, I, I do wanna have a social life."
And as soon as they get into cyber, because it's hard, they go, "Well, Hollywood made it easy. Therefore, I'm not gonna do it." And, and they give up too easily. So I, I think it's that misconception factor. And then the other one to me is also the media where they won't cover what's really happening. I report so many cases to the big news stories and you know what they tell me, "Eric, if it's not over 100 million records, we don't care." So I think they make it sound like if you're only watching the news that a cyber attack happens once every two years, it's a little bit of an issue, and then it goes away. I don't think people realize so much work is out there and there's such a huge need.
Ron Gula: [00:54:37] So when the Navy came out with Top Gun, because that really was an awesome recruiting video, even though it's a great, great movie ... And I can't wait for Top Gun 2, by the way. Um, you know, what would a movie be that could draw more people into cybersecurity? What are some examples of movies that you thought the hacking was good or the cyber defenses were good? Are, are, are there any? Could there be any?
Dr. Eric Cole: [00:55:00] Yeah. Yeah. So I, I think there's a, uh, a couple of ways of doing it. One is, I think if you just follow, uh, the, the life of a hacker, sort of do like a Tom Cruise version where you have a kid in school that was maybe getting disruptive because he was thin, he was too quick and too smart. So he was getting bored in class and getting kicked out. May, maybe he then drops out of high school and doesn't go to college to sort of deemphasize that. And then just take them through some of their different career paths and some of that fun stuff, to me, just make it a little more real. Uh, uh, I think they've come close. Like if you look at Live Free or Die Hard-
Ron Gula: [00:55:39] Mm-hmm [affirmative].
Dr. Eric Cole: [00:55:39] Uh, Hackers, I hate to say it 'cause it's like one of the first ones. I mean, it was awful. I mean, once again, weird, strange individuals. I think we need to make a cool theme and a cool way to do that, but make it a little more real and a little more practical for folks. And like I'm surprised no one's done that. They've attempted, but they always just go over to this crazy land. But I, I think there's a huge opportunity for a TV show or a movie that really just real life ... Like there's all these reality shows. If the Kardashians can make all that, why can't we start a reality show on cyber? [laughing] Come on.
Ron Gula: [00:56:13] So you mentioned the, the Live Free or Die Hard movie.
Dr. Eric Cole: [00:56:16] Yeah.
Ron Gula: [00:56:16] And, and of course that was the plot where a former head of DHS cybersecurity kinda turns on people 'cause it wasn't-
Dr. Eric Cole: [00:56:22] Yeah.
Ron Gula: [00:56:22] I, I can't help, but think of Chris Krebs, right? I mean, it's, it's-
Dr. Eric Cole: [00:56:25] [laughs]
Ron Gula: [00:56:25] ... it's, it's interesting. Having said that though, there's so many reboots of movies. I would love for them to reboot WarGames.
Dr. Eric Cole: [00:56:32] Yes.
Ron Gula: [00:56:33] If they could reboot WarGames where, you know, it's the same plot, but they can, uh, feather in all the different types of cyber command, space command, and, uh, the different types of hacking and just put, make it real, make it more Tom Clancy ish and less, you know, teenager movie, that might be a really good way to kinda tie our generations together. Because it, that, that is one of the better hacking movies that, that's ever been made.
Dr. Eric Cole: [00:56:56] Yeah. It's funny you say that because the two that would come up, I'd definitely put WarGames first and Sneakers-
Ron Gula: [00:57:02] Mm-hmm [affirmative].
Dr. Eric Cole: [00:57:02] ... second. And to me, that one actually was pretty close. So they actually had Robert Redford. It was pretty real. So yeah, if, if they could come out with a new version of WarGames and Sneakers, yeah, I think that could sort of do the trick to just get-
Ron Gula: [00:57:13] Yeah.
Dr. Eric Cole: [00:57:13] ... the excitement.
Ron Gula: [00:57:13] The only, the only fiction in that Sneakers thing was when he gets his paycheck and it wasn't a whole lot. Remember the accountant or the teller wasn't too impressed when she handed him the check-
Dr. Eric Cole: [00:57:21] Exactly. [laughs]
Ron Gula: [00:57:21] ... right? Like, like, yeah, no, it's usually, uh, usually a big check-
Dr. Eric Cole: [00:57:24] Yeah.
Ron Gula: [00:57:24] ... and, and and that's fun stuff. Very good. All right. Well, where can people go to engage you and learn more about you? You said you've got eight books. I, I can, we can just Google your name and find these books, but, but where can people go to learn, learn more?
Dr. Eric Cole: [00:57:37] Uh, so the best is secure-anchor.com. That's my company website. We have a lot of free resources. Also, we do a lot on social media. I have a show Life of a podcast that I do every week. Sorry, life of pod ... Life of a CISO. [crosstalk 00:57:52]-
Ron Gula: [00:57:50] There you go.
Dr. Eric Cole: [00:57:52] ... sets.
Ron Gula: [00:57:52] Yeah, yeah.
Dr. Eric Cole: [00:57:52] Life of a CISO. That's a podcast on YouTube. So if you just search for Dr. E-R-I-C, Dr. Eric Cole-
Ron Gula: [00:57:58] Mm-hmm [affirmative].
Dr. Eric Cole: [00:57:59] ... on that. And that's really the trick. If you go to Google, if you just search on Eric Cole, three, people are gonna come up, a hockey player, a drug dealer-
Ron Gula: [00:58:07] [laughs]
Dr. Eric Cole: [00:58:07] ... and a security professional. Now, if you can't figure out which one is me, just put in Dr. Eric Cole or Eric Cole cybersecurity, and you'll get all of my content.
Ron Gula: [00:58:14] I, I think that's hilarious. Um, I always thought the Gula name was very unique. And we had the cast of MacGyver on, and the young lady who's on that show was on the Gullah Gullah Island, which was a, uh, like a music thing. And then when we were getting our Twitter feeds and stuff hand out, there's like Gula Tech, which is somebody in Iraq. And, and Gula is like the Sumerian God of, of, of healing.
Dr. Eric Cole: [00:58:36] Wow.
Ron Gula: [00:58:36] And I was like, only ... He's probably like, "Who's this guy over in America?"
Dr. Eric Cole: [00:58:39] Yeah.
Ron Gula: [00:58:39] You know, doing that. That's, that's, that's awesome. All right. Any, um, any predictions for either the nation or cybersecurity? We have a new administration. There's a lot of focus on cyber, we're coming out of COVID, all sorts of great things going on. Anything you wanna leave us with, thoughts on the future?
Dr. Eric Cole: [00:58:54] So, so the prediction, which I hope is wrong, but it seems like the prediction now is, uh, with the SolarWinds and the attacks that are happening, it's all about blaming others, sanctions and pointing fingers. And, and I really hope that we get over that quickly and we get to the point where we start having some accountability for companies to implement proper security. We're the only major nation that doesn't have a national law on data privacy. We have a lot of state laws, but not national. Europe has GDPR, there's others out there. So I, I'm hoping that Congress and the White House can say, "Okay, the blame game isn't the way to do this. Let's get some regulation in place." I'm not usually a fan of regulation, but I think cyber needs a little help here. A little regulation, a little structure, and a little accountability. And I think then that will also drive the jobs and all the other things that we've talked about.
Ron Gula: [00:59:49] I definitely agree with that. And I think we need to get away from just reliance on compliance and, and hunting. Even though we're gonna be doing this for a long time and get back to real security engineering. Like, what is the business? How do we secure it? And that's the only way you're really gonna protect that data. So I'd be, I'd be a big fan of that. Um, awesome. Well, Dr. Eric Cole, thank you very much for coming on. Um, uh, we'll be putting people in the show notes and then, uh, your way, uh, pointing to the podcast. Thanks for making the, the trip up here. Uh, once again, this is Ron Gula, closing out with the, uh, Gula Tech Cyber Fiction show. Thanks everybody for watching.