
Control The Explosion of Decentralized Secrets 

Bravura Safe Webinar Featuring #2 Global Cybersecurity Influencer Chuck Brooks

One of the leading causes of breaches and cyberattacks like ransomware is lost or stolen credentials and secrets. The shift to the hybrid office resulted in an explosion of unmanaged applications. Combined with typical poor password hygiene, there is a significant risk of shadow IT passwords becoming a loose thread to your cybersecurity posture. 

We have surveyed IT professionals to learn how they manage decentralized passwords in a state of heightened cybersecurity risks. In this webinar you will learn: 

  • What are some of the biggest pitfalls from the explosion of unmanaged passwords and secrets across organizations  
  • Why IT security leaders are concerned about poor password management habits 
  • How organizations are protecting against the fundamental issue of poor password hygiene  
  • How ephemeral keys and tokens can increase cybersecurity

Speakers


Jim Skidmore

Vice President, Solutions Group, IntiGrow

Jim, a consultative Solutions Executive, helps clients implement on-prem and cloud-based SaaS solutions to achieve desired outcomes across cybersecurity, compliance and risk management, IoT, and AI. Jim has consulting experience in a variety of technical disciplines, including eradicating compliance issues. IntiGrow is a global enterprise information security company delivering comprehensive security solutions that empower enterprises to achieve a business-enabled, defense-in-depth security posture.


Chuck Brooks

Adjunct Professor, Georgetown University 

Chuck is a globally recognized thought leader and evangelist for cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES. He has also been a featured author in technology and cybersecurity blogs by IBM, AT&T, Cylance, and many others.


Bryan Christ 

Senior Sales Engineer, Bravura Security

Bryan specializes in security and access governance. For more than twenty years he has focused on open-source and software development with an emphasis on team leadership and executive oversight. Bryan is also an experienced Virtual Chief Information Officer in the Greater Houston area.


Identities are the heart of all access in your organization. They are also the bullseye for attacks, particularly the often low-hanging passwords and high-value privileges. Are you ready? Learn how you can move from a state of fragmented access management to the precision of calling the shots with the power of one platform and framework, and achieve increased identity protection along the way.

Review the Full Session Transcript

No time to watch the session? No problem. Take a read through the session transcript.

Speakers:

  • Jim Skidmore, Vice President, Solutions Group, IntiGrow
  • Chuck Brooks, Adjunct Professor, Georgetown University
  • Bryan Christ, Senior Sales Engineer, Bravura Security

Carolyn Evans (00:01):

Good morning. Thank you for joining us today, Hitachi ID, and also we have two guest speakers with us. I would like to introduce you to Chuck Brooks, who is an adjunct professor at Georgetown University and also a cybersecurity influencer ranked as number two globally, top five tech people to follow on LinkedIn, top 50 global influencer in risk and compliance, and a thought leader and evangelist for cybersecurity in the industry. And we also have our vice president of solutions at IntiGrow, one of our partners, Jim Skidmore, and also Bryan Christ, who is our senior sales engineer at Hitachi ID. So today the team will be talking about how you can control something that many companies have not been focused on because they've been focused more on privilege or SSO or other cybersecurity concerns. So we will be talking about how to control the explosion of decentralized secrets. Now I'm just going to share my screen.

Bryan Christ (01:42):

So Chuck, if I remember right, she gets muted thanks to the Zoom thing we encountered earlier. So I think you get to lead off on this.

Chuck Brooks (01:52):

Sure. I'm most happy to start the discussion. The title of course is the Control of Explosion of Decentralized Secrets. And I think everyone watching this can relate to the fact just a couple years ago, we were all working in a regular day job or doing something and covid came along and all of a sudden our one office became thousands of offices. Everyone brought their work home, whether it was on their phones or whether it was on their device or even personal devices because a lot of companies just weren't prepared for it. So what happened is you saw a quick decentralization of cyber. The longer the IT shop could be in control, watching what you do and monitoring where you go and looking at the logs to see everything is okay, all of a sudden you're on your own. And what is your first defense? Obviously your identity, your password to sign into your company or your individual even critical.

(02:56):

And also the fact that you need to upgrade your systems to have the right firewalls at the time, VPNs, et cetera. So it really basically went to a hybrid world with decentralization and it really changed the paradigm of cyber in a big way. First of all, you saw an upsurge in over I think 400% more attacks aimed at small and medium businesses because of it, all kinds of phishing attacks, fake websites, et cetera. The hackers basically organized crime, took advantage, they saw an open, more connected, but less fortified playing field for people in business and they went after it. So I think this is really what to start the discussion, the importance now of redefining what we need to protect ourselves. And that may come down to identity access, management privilege, access management, a whole lot of things now that we really sort of took for granted when we were under the umbrella of an office. Now that we're basically in a hybrid workforce or even if you're still in an office, these things are very important. So I would like to describe the discussion to get the impressions of my colleagues here on this too, of what does this mean? What does this mean now that we're in a new era where it's not only just the decentralization, it's also moving more and more to the edge too. So there's a lot of implications. And so with that, I'll leave it open for comments.

Jim Skidmore (04:31):

Sure. Jim here. I'd be happy to chime in on that, Chuck. Having seen probably close to a thousand IAM customers over the last few decades, a couple of things we know today: people are getting better at kind of managing their own passwords. They use tools that are password management related. You may have a wallet or a password vault agent on your device currently, but the bottom line is sharing that information is where policy completely breaks down. I think as Chuck was mentioning, and even in the NIST framework, the MITRE framework, anywhere you go, there's not really any mention about secret sharing and how to deal with it, whether it's token, password or what have you. So it's highly insecure, probably, if all of us are admitting it to ourselves. We probably had sticky notes under our keyboards at some point, wink wink. But moreover, in the case of a phishing attack, these credentials become keys to the kingdom. So also in different vertical markets, we see a real challenge in this because they're so decentralized. I mean, if you're looking at manufacturing organizations that have work centers that still need to be updated and upgraded at times, they have office computers, they have devices, they have people in the field.

(06:05):

These challenges continue to get larger and larger. Also, higher education, healthcare. I don't think I need to explain to everybody how diverse healthcare is. They have systems of every operating system, not all on the network. Some are on the network, some aren't, laboratory information management stuff. And smaller organizations also have a little less policy with regard to that. So in many cases, there's no, what we would call, IAM workflow, and it's supremely challenging to manage this cross flow of secret information that we see out there. So Bryan, did you have anything that you wanted to add to that?

Bryan Christ (06:48):

Yeah, I just kind of wanted to elaborate on some of the things you raised. When we started thinking about this gap really in security, we kind of struggled at first to come up with a term to identify it. We thought, well, decentralized passwords, but then very quickly we realized it's not just passwords, it's secrets. It could be, let me maybe take a step back and just really drive home what we're talking about here when we say decentralized secrets, and this is a space that is not really well suited to privilege access management. These are credentials, use that term loosely, secrets that are technically company assets. And I give the illustration a lot that I go to trade shows and you typically have to register to attend the trade show to book your reservation, whatever. And so there's a real temptation to use the same password on a trade show website that you would use inside the company.

(08:15):

It's a company endeavor. It's a company asset that you're registering on the site, but it's not ubiquitous enough, not pervasive enough in the organization that you're going to vault that into some privileged access management solution. Right before we started this conversation live here, Chuck, Jim, we were all talking about what else could it be? I thought about security questions. Those have become a little bit, they've lost favoritism in the world, and rightly so because of social engineering. The neat thing about what we'll talk about today is that there is a way to breathe new life into security questions if the answers don't have to match reality. So that's an example of a decentralized secret. Also, I see this all the time. I kind of have one foot in the developer world, and when developers need to integrate with something, they often have to go up to a developer portal and they need to register or create some account that gives them access to documentation or to fetch an API key or something.

(09:32):

And so again, maybe it's a small team that needs that, but it's not ubiquitous enough that you're going to want to vault that. And so there's this sort of wild west mentality to just, well, I'm going to go register, whatever the temptation is to use something. And then of course the risk is if that third party site gets breached and reveals whatever that secret is, whether it's the security questions or whether it's the password, then you put your actual organization at risk because now a would-be attacker has sort of a foothold into the organization. So I just want to make sure that folks really understood what we were talking about when we talk about these decentralized secrets.

Chuck Brooks (10:25):

Really good point.

Bryan Christ (10:26):

Yeah. Yeah. Carolyn, if you go to the next slide, I kind of wanted to just keep my train of thought and I realized the next slide does that. So we're kind of looking here, well, what is the state of these things in the market? And it's really interesting, we can't share the details just yet, but it'll be coming out soon. But we conducted a survey and one question that we asked, it revealed that, I mean, just about every organization conducts training with their employees on good password hygiene. Same survey. We asked the question, well, what do employees do? How do they manage these kinds of secrets? And the number one answer was shared spreadsheets, sticky notes. I mean, all the things that we kind of joke about actually end up being true. So that's what we find out there. And in some of the conversations I've had with prospects and clients, so what are you doing about this? And what we find is that there's actually a shadow IT initiative. Some of the folks that have realized this is a problem have turned to some consumer grade solutions or open source solutions. Good for them for at least recognizing the problem and doing something about it. But there's certainly no uniform practice in most organizations. And so we really do find it to be a little bit of the wild, wild west. Jim, is that kind of your observation as well?

Jim Skidmore (12:10):

Absolutely. Yeah. It's funny, we've spent so much time putting controls in place, making sure people are federating correctly, making sure that authentication with 2FA or SSO is encrypted and that we're meeting all the parts of Zero Trust and all the parts of security policy within organizations. And this is one of those things that just keeps going undealt with, even in a hyper secure organization. I know when I first came into our organization years back, I was talking to somebody about login credentials and I said, they're like, well, we can email this to you. And I'm like, then of course now today we have policy and use Safe for this kind of use case. And then they said, oh, okay, I'll just Slack it to you. I'm like, no, don't do that either. But I think part of it, it's just so cultural, it's just so inherent in everybody. As you say, it's not even something privileged users, even under privileged access management or privileged identity management, can control for the user population out there. So it's kind of slipped through its own crack and it continues to be a challenge for thousands of organizations around the world. So yeah, we do see this as an issue kind of almost every time out in the market.

Chuck Brooks (13:49):

And with humans, they're always going to be the weakest element. And for hackers, they're always the target and social engineering and oversharing and social media makes it easier. But also you mentioned that the trade show analogy, this is also the same problem in supply chains a lot of companies have, they'll share the same password over and over with different vendors, easy to discover, weak point. The government's recognized that, and I think if you even look at some of the zero trust mechanisms on having a stronger password than the more secure passwords and identity access management being a first line of defense and zero trust, it applies very much the same way to the commercial world, even more so because the commercial world is, in terms of having those secrets available are usually more accessible because you're not dealing usually in more sensitive security information that's already protected in different ways.

(14:40):

But commercial people, they tend to share everything and they don't tend to think despite what you said with a lot of training. So I think really the automating the security is really the only way to do it on a platform to really keep up with the threats and particularly the more sophisticated threats that we were mentioning, Jim, as you mentioned, particularly with attacks against universities and healthcare where there's so many different disparate networks that it's almost impossible to coordinate it in terms of the human resources area. You really need the platform to do it for you.

Bryan Christ (15:15):

Yeah, Chuck, I'm really glad you mentioned that. The comment you did about the human element being sort of the weakest link, it actually reminds me, I read a survey here, it wasn't our own, but it was with an affiliate of ours, and they asked folks, what's the number one way that you recall your password when you craft your password? It was one that was easy to remember. And so part of the struggle in all of this is we're fighting against human nature. If you start really thinking back, just wear your own shoes for a minute and think about why you make the decisions you make when you do things like create a password. I think one of the prevailing mentalities is this idea that I'm afraid I'm not going to have this password when I need it the most, right? So the easy thing to do is create a password that unfortunately is simplistic. It's probably based on some personal information or something that it wouldn't be terribly difficult to deduce.

(16:27):

And so one of the things that we've done with a product like Safe, which we'll talk a little bit more as we get into the conversation, which is we've eliminated that concern by saying, we're going to make your decentralized secrets available anywhere. So we have apps for the mobile platforms, we have browser plugins for all the major browsers. We have a desktop app for Windows, Mac, even Linux, and they all work offline. So this idea that I can't have a password when I need it most in the kind of craziest of conditions, it's pretty much been eliminated. So that's one of the things that we're really hoping is that we can combat this human element that you mentioned in the process. And I think, Carolyn, you can move on to the next slide, but I think that line of discussion probably segues pretty nicely into I think what Jim had next to share with us.

Jim Skidmore (17:35):

Okay, great. Alright, there we go. Thank you. Yeah, so there are a couple of other, I guess, effects of this, right? As we're talking about compliance issues, as we're talking about other standard requirements, we're looking at two-factor authentication or password sharing or PIN or token sharing as becoming critical. There is a lot of discussion. I have been on the board of FFIEC for commerce standards and other areas. And part of the challenge that we see there is so many factors have been utilized as standards, like SMS; your bank even will give you an SMS text. Well, SMS has been compromised as much as any attack surface out there. So the real challenge becomes, and in FFIEC guidelines for 2FA and stuff like that, there has been a lot of scuttlebutt, and not just around that compliance issue, but around virtually two thirds, three quarters of them out there.

(18:46):

What are the other ways that we'll be able to share these token results? Not that they're not coming from an encrypted source for the second factor, but what's the venue? How are we providing it to the user in a safe and timely manner? And this is going to continue to change over time. We have the advent of quantum coming and all the cyber threats that are presented there. We have a whole bunch of other attack surface possibilities and compliance requirements that will continue to change and get stronger. So I think we're just at the tip of the iceberg, Bryan, to mention that to you, that I don't see how that's not going to change at this point. And I also, even when we're doing standard internal compliance things, access recertification, attestation, stuff like that, we rely on a standard medium to bring that back. We don't have a safe way to do that. Yes, users will use third party mobile device apps like WhatsApp or Signal or whatever they might use, but that's a non-integrated solution and there is no methodology to kind of make that happen. And ultimately we won't be able to stay compliant in the realm. So just kind of food for thought for folks out there.

Bryan Christ (20:15):

Yeah. Chuck, what about you? What are you kind of seeing around this same thing?

Chuck Brooks (20:21):

A lot of the same thing, and I'm also seeing it in government. You're talking about CMMC, new requirements for vendors that do work. Really there's a movement there to do this, to be able to sort of control the flow of information to make sure that you have the right standards for security already prepared before you even move to the next step of being a vendor in government. So that is definitely in the works. It's being negotiated a lot with the private sector, but it's not just government. It really is now all over. I see this, there's just too much risk. And as we mentioned earlier, I mean the actions of the threat actors are just much more sophisticated and the stakes are higher. And you're seeing a lot of smaller businesses that don't even follow any of these basic cyber hygiene practices and just rely on just being opened.

(21:18):

And you're seeing 'em close. 40% of them that get attacked, particularly with ransomware, go out of business. So it's an alarming scenario right now. And this decentralized secret is one of the easiest access points for hackers. It really is the basis of social engineering. So to neglect it is a very dangerous thing. And I think just by talking about this today, hopefully we call attention to the vulnerabilities that are out there, and there are solutions. So it's not that you have to sit there and be totally susceptible to any kind of phisher or negligent insider. You can do stuff to fortify your own security. The problem is that you need to know and have a risk management strategy in place that prioritizes this in accordance to, as I said earlier, zero trust and to a lot of other frameworks that basically say protect your identity first.

Bryan Christ (22:17):

Yeah, I'm glad you brought that up. I had intended to talk about this earlier, but I think it's still appropriate to bring it up. You mentioned that these being sort of an easy attack vector just for folks on the line who've never really considered this or given any thought to it, most ransomware attacks, and Chuck, you and I were talking about what happened with the, I think it was in Illinois, it was the higher education institution up there that shuttered its doors because

Jim Skidmore (22:51):

Lincoln College. Yeah,

Bryan Christ (22:53):

Lincoln College. So if you think about the anatomy of an attack, how a ransomware attack plays out, I'm not saying that there aren't novel approaches, but they do tend to be somewhat cookie cutter. If you pay attention to the Verizon reports, the last two say basically the same thing, lost or stolen credentials are the number one source of a data breach. And then they'll specifically call attention to cloud-based email. And that of course makes sense because if you think, well, if I get into cloud-based email, imagine somebody got into your email account, what kinds of things would they be able to glean from what you've traded back and forth in email? And so basically they just need that foot in the door. In the case of what we're talking about today, that's those decentralized secrets falling into the wrong hand, having been used in multiple systems that obviously can lead to a bad place.

(23:49):

And then once they're in, do a little reconnaissance, move laterally. If you can elevate, rinse, repeat, and ultimately you get to the keys to the kingdom where you can exfiltrate the data and then you can dangle that ransom in front of your victims. So that's really kind of what we're looking at on this, is really stopping this at the very beginning, making sure users minimize the attack vector, the opportunity for an attacker to gain that initial foothold. I don't know where we intended to do this, but I think, Jim, you were going to share with us a story or two about something about that, don't you?

Jim Skidmore (24:35):

Yeah, yeah. We've seen a lot of that happen. And it's funny because even in the mid-market, there are so many people now, the MSPs that are out there are becoming what we call bulletproof hosting sites. So it's been so easy for people to work back and forth across internal user groups, even within their MSP and other tenants, that they basically gain control over an MSP. We've seen that. We've obviously seen people jump in and get control in the LDAP, understand the attributes of every user, start generally sending out phishing emails from each compromised user. If you're in the average organization, you may have seen this yourself. This is not an unusual thing. And this is one of the ways, as Bryan was mentioning previously, that the algorithms now that people are using are able to identify passwords and other information. And we've seen it also in HIPAA, even printers; when people are printing patient information, we've seen printer compromises. So the attack surfaces, as Bryan mentioned, are spreading wider and deeper and it's not ever going to change. So sadly, we don't want to learn to be vigilant from someone else's trials and tribulations. But this has definitely been the case in many, many cases. Unfortunately,

Chuck Brooks (26:17):

I noticed just a couple days ago, the Department of Homeland Security CISA put out an announcement alerting that MSPs are under attack and to be protective and also was reinforced by law enforcement. So it is just something that's being obviously looked at in a big way because it's elevating in its lethality, I guess.

Jim Skidmore (26:38):

Yeah, fortunately CISA is doing some nice things about it. They're offering free scans to different state members and stuff like that. So if anybody has the opportunity to take them up on that, it's free. So it's a good thing. But yeah, it's growing across public and private sector. It's something that we really need to think about and manage and control.

Bryan Christ (27:04):

Well, thanks, Jim, appreciate that. I kind of want to shift gears here for a minute as we've moved on to the next slide and talk about another problem space that is associated with these decentralized secrets. I think we all will recognize the problem once I characterize it, we've all encountered it, but I don't know that there's a lot of emphasis that's been placed on this. So that survey that I mentioned earlier, there was another question that we asked, and it was basically, how sure are you or how confident are you in your offboarding processes that when somebody leaves the organization, they're not leaving with some password or account access to something else? And guess what? Most of 'em weren't confident. And the illustration I like to give when I'm talking to folks about this is not necessarily on the risk side. That's a huge issue. I think we've spoken to that quite a bit, but there's also this business continuity element to it.

(28:10):

Again, go back to that illustration I gave about the developer: you've got a project going, you're going to build out some new tool. They go off and they register an API key in the developer portal and all that, and they basically had it tucked away on their own computer, and all of a sudden they leave, right? Now, guess what? That project grinds to a halt until somebody can figure out how to go get access to that account that they stood up. And so how do you deal with that? So one of the things that we intended as we dealt with these decentralized secrets is also to bring an element of business continuity back to the table for the organization, so that they can ensure that these assets, which are theirs, continue to stay within the organization and don't affect business continuity. Jim, what are your thoughts on this?

Chuck Brooks (29:11):

Yeah, well, I think you hit it on the nose right here. And traditionally this has been viewed as an HR problem, and HR has no expertise in cybersecurity for the most part. And maybe it's changing a little bit, and you're leaving all kinds of open avenues for attack and unfinished business and all kinds of loopholes when an employee leaves. And often it's just based on negligence, and it could be nefarious if the employee has a grudge. So that's a big issue, and I think you're seeing it now more where the C-suite has looked at this issue as being vital for, as you mentioned, business continuity, for reputation, and primarily for security. So there's more of a role now, I think, for the IT shop with HR in monitoring this and looking at what logs have been used, et cetera. But it's still a big vulnerability. And again, when you talk about most companies, you're looking at the big companies that have the full IT shops and the CISOs and the CIOs that have the availability and the people to do this. But when you look at small and medium businesses, they don't have a clue. And this is another thing that really needs to be provided for them if at all possible, because it is just too big a void.

Jim Skidmore (30:26):

Yeah, I would add that there are point solutions that people use. As I mentioned earlier, password management. Apple users love their keychains and they love their key app, but that's no way to do enterprise identity governance. I mean, it doesn't work. And we've seen plenty of people, we automate provisioning for a lot of folks and deprovisioning, but they'll have other security concerns or, let me call them, risk concerns about keeping the LDAP accurate, keeping that entry in there for 30 days for legal reasons and others. And there are times when they're still not managed or controlled, so that even disgruntled folks can kind of get back in and do things. So that's not the bigger part of the attack surface, but it nevertheless is a critical part of the workflow. And I would tell you that we do policy for large and mid-size organizations, and this is part of policy requirements now, and I think people are kind of looking at it like, well, we don't really look at that as a serious thing in the whole grand scheme of things after doing all the identity planning, all the risk planning, all the compliance automation stuff.

(31:47):

But at the end of the day, it is, and it's a very simple thing and it's kind of a simple solve. I think when we all came together to think about it, why not take care of this too? It's crazy not to. We're doing phishing awareness campaigns, we're doing all these other things, but this is one way to foolproof a genuine issue that exists.

Bryan Christ (32:12):

Yeah, I'm glad you brought that up, Jim. I mean, this isn't really a discussion on identity and access management, but these two pieces go so much hand in hand, because we talk to organizations all the time. So if you have a really good, strong identity access management solution and your de-provisioning is rock solid, great, but I don't think that's what we saw in our survey results. I don't think, if you can't say that you're confident in it, that tells me you've got some business processes, maybe they're fringe accounts or whatever, that you're not governing, and that's where these decentralized secrets, if the actor leaves the organization and they're malicious, or again, maybe not, maybe just they fall into the wrong hands. You've got that open account that somebody can log into, and again, it's a predictable pattern. They'll camp out there until they figure out something else and move on. So it would definitely be remiss not to mention identity and access management in all of this, because it's a great way to stop that. But the other part of it is with something like managing the decentralized secrets,

Chuck Brooks (33:27):

Actually, I saw evidence of this happen by a state threat actor when I was at a company, which I won't mention. They got through this human resource opportunity vulnerability, and they were able to steal a lot of, not just decentralized secrets, but basically the personnel files. Everyone in the company went overseas very quickly, and this was not an isolated case. I think there's a systematic intention by state threat actors to use these vulnerabilities to get as much information on the people and the processes that are being used and also the IP that sometimes is left open too.

Bryan Christ (34:10):

Absolutely. Carolyn, if you want to go ahead, we've got about 10 minutes left before we want to open the Q&A, so let's give Jim an opportunity. I think Jim's got something I think the audience will find really interesting. Let's let him share.

Jim Skidmore (34:26):

Yeah, yeah, sure. Absolutely. I mentioned a little bit about CISA earlier, and a lot of us work in, I know Chuck does, I know I do, we work in advisory roles with federal organizations and others with the goal of pulling everybody together. We see the Shields kind of messaging that's out there now, and even as a nation, if you're in the US today and are looking at this in terms of standard best practices, if there are issues that you believe you have, we do have kind of an offering out there for folks that basically doesn't cost money. It's kind of like the CSO one. Our goal is to help people shore up their edges and to make sure that they're in a good posture, I guess you can say, in this very realm here. And it's critical that we think about all aspects of the compliance and security journey here, not just what's put in front of us month to month, project by project, but really looking at it holistically.

(35:45):

We also do zero trust pre-assessments for folks too, and the goal for that is really just to overall mitigate risk and create and foster a culture of least privilege. So we're available to do that with folks if they're interested in doing it, and if we go under NDA, we can even share confidential other experiences that we've had or ways that we've solved specific issues. So yeah, that's definitely something that we're happy to do. We also can help people through planning of things like implementing a Safe solution, which is really quite easy. You provision the users originally that are going to participate in your organization to make sure that they can't share passwords or secrets. And basically what the workflow comes down to is you get an email, basically like your bank, that says Bryan has sent me an encrypted message. I log in, it's the password thing I needed to get, close that browser, completely encrypted, and then whether it was a token, a password, whatever the secret was, we're able to safely pass that along. So if people are interested in taking that further journey discussion to another level, we're happy to do so.

Bryan Christ (37:20):

Yeah. Thanks, Jim. Sure. I guess at this point, let's open the floor for Q&A. We did discover that, thanks to something with Zoom, our gracious host Carolyn is unable to both share and speak at the same time. So I think what we'll do is we'll tear down the slide. She can stop sharing and then she can unmute her microphone and see if we've got any questions that have come in while we were on the line. Carolyn, are you back?

Carolyn Evans (37:58):

I believe I'm back. Can you hear me now?

Bryan Christ (37:59):

All right, we can hear you. Yes.

Carolyn Evans (38:01):

Awesome. Okay. So yeah, if you have questions, please put them in the chat. We had one come in so far about what the risk elements are.

Bryan Christ (38:15):

Chuck, do you want to talk about that? I mean, I feel like given our conversation that we had just before this, that maybe you want to share again with the folks on the line, some of the risk elements that you've seen.

Chuck Brooks (38:29):

Yeah, I mean, I think we're in a sort of morphing world with digital, where the capabilities of the adversaries are growing exponentially, particularly with the use of artificial intelligence, machine learning, and other factors, and also the fact that they're sharing their tools on the dark web and coordinating; it is a moneymaking enterprise. So from a business perspective, obviously, looking at what we just spoke about, you need to be able to protect your decentralized secrets, but you also need to fortify your cyber hygiene, things you can do inexpensively. And that is, of course, having a strong password, having what Jim mentioned, the multifactor authentication, particularly if you can use biometrics, which adds another level of difficulty, but also having an awareness. Are your routers secure? Is your Wi-Fi secure? Is your data encrypted? Do you have your sensitive data isolated, segmented? All these procedures could be self-evident for most people practicing cybersecurity, but most businesses just don't follow 'em.

(39:35):

And if they could just do these basics and keep this basic cyber hygiene, they'll be able to repel some of the risks out there. The bottom line is, attackers go for the low-hanging fruit, and if you make yourself less of a victim, it's less likely you're going to be attacked. And the other thing I would say for every business is to also have an incident response plan, because you can't guarantee that you won't get attacked. It's just too easy. And phishing attacks are still the predominant method. Everyone is vulnerable. Even the former director of the CIA clicked on a personal email phishing attack. So it just happens. So have a response plan, have a business continuity plan. All these things can be built in with tools and built into your platform too, if you know where to go and how to do it. And just generally be aware; it's going to be a wild ride. As I think we said, it's a wild west out there, and with IoT coming on board and other things, connected devices, it's just going to get wilder and wilder.

Carolyn Evans (40:35):

Sorry, go ahead.

Bryan Christ (40:36):

Carolyn, can you hear me? I just wanted to reiterate one thing when it comes to risk. So in terms of what we're attempting to address here with Bravura Safe, it's really three things. It's the risk of reuse of secrets or weak secrets, the risk of sharing them in an insecure manner, and then obviously business continuity. So I just want to package that up in a quick soundbite so that folks that have been attending today, if they walk away with nothing else, they remember that. Sorry about that, Carolyn, go ahead.

Carolyn Evans (41:14):

No, that's good. Thanks, Jim.

Jim Skidmore (41:16):

Yeah, if I can mention one other thing as a closing statement. First of all, I'd like to say, oh, Philippe, hello from Strasbourg. Yeah, hopefully you're at the EU headquarters. We've had the chance to go and speak there in the past at the EU headquarters, if that's where you are. And by the way, a lot of great collaboration happens there. One of the, I think what Chuck said is really critical. If you have a feel that there are major gaps that you have just from standard posture and policy, do go re-review those, get a second opinion if you need to, look at what your posture and your policy truly need to be. So many organizations don't develop standards that people work from, what we call posture, or do a gap analysis to see how they would get to what their security policy statements should really be.

(42:21):

A lot of people have that in a PowerPoint slide or something like that. But at the end of the day, that governance is critical now, and to Chuck's point, you'll reduce your risk exponentially. There's still risk regardless, but the odds catch up with people that don't take care of those things. And if you're not sure about certain aspects of your infrastructure, about your identity process, about whether servers should be hardened in certain places, what your recovery scenarios are, if you have HA environments, which is step three of the resilience kind of response plan, these are all things you really should button up, because otherwise you're just making the odds larger. So just a little thought.

Carolyn Evans (43:14):

If you had one piece of advice, something that companies could implement quickly or today, what would it be?

Jim Skidmore (43:26):

Is that for all of us or?

Carolyn Evans (43:30):

Yeah,

Jim Skidmore (43:33):

I would say, like Chuck said, a response plan is critical in the event that anything occurs; obviously that's good. Make sure that you're in touch also with your government resources in the event that something were to occur. I've been involved in a couple of situations where I was brought in after the fact, and in one case we even needed to go rip open a crypto wallet and take $9 million back. So there are some very large ramifications to some of these things, but also, again, an ounce of prevention is worth a pound of cure. If you haven't looked really holistically at your policy, now is the time to go do that, because things are getting unusually active. There are more state and syndicated actors by a factor of 20 than there were two years ago. It's a very different world.

Chuck Brooks (44:36):

Someone else's soapbox. I'd echo that. I'd say it really is a risk management strategy, and that includes people, processes and technology tools. And so you have to look at all those, and you have to look at the full gamut from the very beginning: how to stop it, be preventive, and what you need to do to be reactive. So all that and more, and what Jim just said.

Carolyn Evans (45:04):

Bryan, any thoughts?

Bryan Christ (45:07):

No, I was just noticing that we had another question that surfaced in the channel.

Carolyn Evans (45:13):

Yes. Did you want to,

Bryan Christ (45:15):

Yeah, I'll just read that aloud for everyone. So the question came to us: what advice would you give to US Congress politicians around decentralized secrets? I would give them the same advice that I would give anyone, except for the idea that they should make it policy that federal entities absolutely have to. Sometimes when I'm talking to people, I call 'em ungoverned secrets, because that's really what they are. There's no central control on 'em. There's no policy oversight. With a tool like Bravura Safe, you can do that, you can bring that to bear, and Congress could mandate that federal entities pursue it, just like what we've seen with multifactor authentication and zero trust, where we have some mandates that came out of the White House that federal entities have to pursue. I would say that politicians should be looking at decentralized secrets and mandating policy around them, for anybody federal, for any entity funded by the federal government.

Jim Skidmore (46:25):

And policy has to stand far above politics, right? This is something we're all in together. There is no partisan protection of our core assets, right? This is mission critical. That's critical for all of us.

Bryan Christ (46:43):

Absolutely.

Jim Skidmore (46:45):

Yeah. I would just share one last experience. I don't want to go through, and this is well documented, it is public domain information, but I do not want to go through another OPM situation like we did in '17, where I was part of a SWAT team involved in that. And it was a very similar use case that caused a challenge, in regard to the person asking about the US Congress posture or policy there. So we can prevent all this. We really can.

Carolyn Evans (47:18):

Okay. Any closing thoughts?

Bryan Christ (47:25):

I would just simply be remiss in not saying that we appreciate everybody attending today. If you want to take Jim up on his offer, or you're even thinking about it, reach out to him please. They would be happy to pull that together for you. And if you'd like to see Bravura Safe in action, which will do all of the things that we've talked about, we would be happy to throw together a comprehensive demo, walk you through the product, give you a tour. So please just reach out to us on that as well.

Carolyn Evans (48:04):

We will send a follow-up email after this session with the recording so that you can watch and share, and also those links so you can request a demo or an assessment with Jim and IntiGrow.

Bryan Christ (48:16):

Carolyn, real quick, I know we talked about a survey that is forthcoming. When should folks be checking our website to see when that comes out, for folks who are interested in the details, when

Carolyn Evans (48:29):

That will be released next Wednesday. So we will actually email that out next week as well, as a follow-up.

Bryan Christ (48:34):

Alright. Very good. Awesome.

Carolyn Evans (48:39):

Okay, well thank you Bryan and Chuck and Jim, it was a pleasure to have this conversation. And yes, we had a comment here thanks to excellent speakers, especially Chuck from

Jim Skidmore (49:00):

Give our best to beautiful Strasbourg also.

Carolyn Evans (49:05):

Okay. Thanks everyone for your time today.

Bryan Christ (49:07):

Thank you all.

Jim Skidmore (49:07):

Thank you.

Chuck Brooks (49:08):

Bye-bye.
