How Hackers Exploit Human Bias and Technical Weaknesses | Interview with Kevin Beaver
Welcome to Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple Podcast. Today, my guest is Kevin Beaver, and he's an independent information security consultant with more than thirty years of experience in network security, vulnerability, and penetration testing, and and so on, and so also other, let's say, various activities in security.
Dejan Kosutic:But he's also an author of the book called Hacking for Dummies, which was translated into nine languages and has recently been published in its eighth edition. So, can you please show the book, Kevin, just for everyone to see how it looks like? Yeah. That's the one.
Kevin Beaver:That's it.
Dejan Kosutic:So in today's podcast, you'll learn how hackers think and how they exploit the various weaknesses when they attack companies. So welcome to the show, Kevin.
Kevin Beaver:Dejan, thanks so much for having me. It's a pleasure to be here. I'm excited about this conversation.
Dejan Kosutic:Great to have you here. So tell me, what do usually people get wrong about hackers?
Kevin Beaver:What do they get wrong about hackers? How much time do we have again? I think there's a general underestimation of what these people can do, both technically and operationally, especially when they're state funded. The thing that we often forget is that the bad guys have nothing but time on their hands. They've got all day, all night, literally teams of people in many cases.
Kevin Beaver:They know that they can fly under the radar. Think it's just a general underestimation of perhaps their eagerness and resilience to get in and do stuff on your network to make you look bad and come across and I guess benefit from ill gotten gains.
Dejan Kosutic:Okay, but I assume that there are state sponsored hackers, like which are basically a part of, let's say, some governments, and they're very well funded and very well organized, but they're criminally, let's say, driven organizations. For those that are not state sponsored, those that are primarily there for, let's say, profits, how professional are they really?
Kevin Beaver:I think they're extremely professional. Think they run their efforts, their hacking efforts, like a business. They have the training, they have the skills, they stay sharp, they know what it takes do what they're trying to execute on, and it's a lot more formal, I think, than what a lot of people believe. I mean, it's kind of rare to be able to see truly behind the scenes of what goes on with these guys. But if it's an organized crime ring, with people with seriously ill intent and if there's a lot of money involved, it's a professional endeavor.
Kevin Beaver:It's a true business that they're running, trying to basically exploit yours and take yours down.
Dejan Kosutic:Yep. So this definitely needs to be taken very seriously, and there shouldn't be some, let's say, half measures when a company needs to protect.
Kevin Beaver:I agree.
Dejan Kosutic:So you mentioned also previously that there are some core psychology concepts that really translate into hacking. Can So you please explain what this really is?
Kevin Beaver:You know, it's interesting. I've been studying psychology for probably thirty, thirty five years. It's an interesting field for me. It's an interesting there are interesting concepts. I'm always trying to better myself, better my business, become, you know, a better friend, son, husband, whatever, just to get ahead.
Kevin Beaver:So that was the angle where I originally got started studying psychology and listening to people like Brian Tracy and Jim Rohn and a lot of the success greats. Jordan Peterson is one of my favorites. And I started seeing these patterns of these core psychology concepts that translate directly to what we do in IT and security. And then I started writing about it. Started writing blog posts.
Kevin Beaver:I started integrating it into some of my keynote presentations. And I came across several items. I've got five or six items that we can go through briefly. I would say the biggest one that I've come across is called the Dunning Kruger effect. And it's basically a social psychologist professor and his student, master's degree student, I'm correct, from Cornell University.
Kevin Beaver:They came up with this theory back in 1999 and it can be argued it goes back even further. They were just building on it and they sort of formalized it and codified it. The Dunning Kruger effect is essentially people think they know more than they really do, and they're not as smart as they are. So the quote unquote experts are not always experts. We see this in IT a lot.
Kevin Beaver:I don't want to throw my fellow IT professionals under the bus because there are a lot of smart people, many, many smart people, way smarter than I am. I see it mostly with executives, upper management in organizations. They think, well, we're spending all this money on IT. We've got a big team of people working on all these issues. They're telling us that things are Okay, but that's not always the situation.
Kevin Beaver:Attack surfaces are growing. Look at what AI is doing, for instance, with shadow AI and just all the complexities around that. Detection is getting harder. Breaches are getting costlier. Yet everything is okay.
Kevin Beaver:And guess to give an example of the Dunning Kruger effect would be an IT director might dismiss a pen test recommendation because he's never been breached in his past fifteen years as an IT director. So he thinks that everything is good. He's got all the latest and greatest technologies. Everything is churning along. Maybe he bought this book and maybe he's gone through it and they've done penetration testing.
Kevin Beaver:They feel like they have a good vulnerability management program, patch management program. Their users are aware. But man, this is a very humbling field to be working in. Because like I said, there are a lot of smart people, especially the bad guys who have nothing but time on their hands. They're just super, super brilliant people.
Kevin Beaver:The reality is we just have overconfident management, leadership, and even in some cases, network admins, IT directors, security managers, even developers, where they sort of deprioritize stuff, whether it be patches on low risk systems, whether it's workflows within a web application, testing, not testing everything, or assuming, well, don't need to test that environment. There's nothing of value on it. But that's exactly where the bad guys, the attackers, they tend to probe first. They know where those vulnerabilities are. So, it's a big challenge.
Kevin Beaver:Big, big challenge.
Dejan Kosutic:Yeah, certainly. This overconfidence then actually brings the company into, let's say, imaginative state that it's protected, it's not, right? Absolutely. What are some other concepts that you found useful from psychology?
Kevin Beaver:Yeah, so building the Dunning Kruger effect, there's what I call the sunk cost fallacy. It's a pretty popular one in economics and finance and whatnot, where basically past decisions should not affect what's going on right now, but they do. Again, it goes back to good money being spent on SIM and NAC and DLP and MDR, EDR, XDR, all the AI technologies. But these things are just not delivering, and usually due to some sort of under implementation. They're sort of put in place for show.
Kevin Beaver:But everyone, again, assumes it's okay because that money has been spent. So that ties into the Dunning Kruger effect. I think one of the other big ones that's a big, big problem I started talking about this one, man, like twenty, twenty five years ago when I started doing presentations at RSA and other conferences. It's called bystander apathy. And it's basically everyone waiting for someone else to step up.
Kevin Beaver:They say, well, it's not my responsibility because so and so is in charge of that. Or it kind of goes back to the whole management thing. Well, security is saying they're doing stuff, and so I'm going to assume that all is well so they don't check-in. But then days and weeks and months pass by, and the risks just sort of compound while the cycle continues. And meanwhile, everyone's having their weekly security governance meetings or project management meetings, and they're all sitting around the table and assuming that everything is okay.
Kevin Beaver:Assuming that, okay, well, yeah, we're getting some alerts at 2AM on this certain system, but there are other team members that are seeing this because they're in charge of that area. And assuming that someone else will step in to investigate, nobody does, a breach happens, and then boom, there you are in the headlines. And it's a terrible situation, but it's reality. I think a lot of these build on another concept that I want to share. It's called expediency.
Kevin Beaver:It's literally just the desire for immediate gratification. And we all have this. We're all human. Dejan, I know you do it. I do it.
Kevin Beaver:Everybody wants what they want. They want it right now. They want it with minimal cost, minimal effort. But that becomes a problem when it comes to security. And the bad guys know this stuff.
Kevin Beaver:People are going to do what they've always done in the most expedient fashion to get from point A to point B regardless of any potential future consequences. That's sort of the definition of expediency. And it's always that path of least resistance. And where we see it the most is with users. Our end users are constantly like, oh yeah, that pop up message, no, I'm not going to install that patch right now because I know it's going make me reboot.
Kevin Beaver:Or no, I don't need to do a backup of my data. Somebody else is taking care of that, bystander apathy. Hard coding credentials into a production app you know, to hit some sort of release deadline without doing it the proper way. Default password, shadow IT, shadow AI, all these things, it's people taking shortcuts over and over and over again behind your back and right under your nose if you're in charge of security. If you're in charge of security compliance directly within your organization, if you're working with your own clients on these things, these are real problems, and they're sneaking by, and we don't realize it.
Kevin Beaver:It's a problem.
Dejan Kosutic:Can you just explain how experience actually negatively affects cybersecurity?
Kevin Beaver:Yeah, I mean, it's taking shortcuts and getting to the shortest, quickest possible outcome, and we'll do it the right way later. And you can't do security the right way later because the bad guys are going to step in and exploit that. So that's the essence of it. It's kicking the can down the road, I like to call it.
Dejan Kosutic:These are very, very interesting concepts. Then, you know, when you say, when you explain those, I mean, they sound very, very convincing and actually very true, unfortunately, right?
Kevin Beaver:Unfortunately.
Dejan Kosutic:Let me ask you, so when you do, let's say, penetration testing for your clients, what actually what is the first thing that you're looking for? And, you know, where would you actually typically expect the company to be weak? Are these the areas that you now mentioned? The psychological, let's say, areas?
Dejan Kosutic:Basically, what are aiming at when you do pen testing?
Kevin Beaver:There's psychology behind all of the stuff that I see, and I think that's why I get so fired up about it, because I see it literally in every project that I You know, I go for that low hanging fruit. I've always been a guy who's argued for fixing the basics first, the trivial few that cause the greater many security problems. It's the whole Pareto principle, the eightytwenty rule. Basically, it's the 20% of vulnerabilities on your network that are creating 80% of your risks. And without a doubt, I can start out with some basic scans and at least find a handful of items.
Kevin Beaver:It's missing patches. Usually going back to it's that MS what is it? MS17-ten, the one for EternalBlue, that ransomware vulnerability? It goes back to 2017. I see that on most networks still today.
Kevin Beaver:And I'm not talking about small businesses. I'm not talking about midsize businesses. I'm seeing this on large enterprise networks as well. It's across the board. I still see the there was a plug and play vulnerability.
Kevin Beaver:I can't remember the actual name for it, but I use the CDE and then the Microsoft numbering. It's MS08-sixty seven. It's one of those vulnerabilities that, when exploited, you can get a remote command prompt with Metasploit. And it's still on, I would say, 20% or 30% of the networks that I look at. Dan, this is a vulnerability that goes back almost twenty years.
Kevin Beaver:And people are still not patching those systems. So that's where I look. That's where I start. Another big thing, I look at network shares. Every network has a ton of open network window shares, NFS shares, even FTP servers and whatnot, usually without credentials or weak credentials.
Kevin Beaver:And man, when you go to those shares, they're usually named like legal, HR, so and so, project. You just go and browse around, or you can use certain tools to sort of seek out PII and intellectual property. Man, there's a ton of stuff on those network shares that I, as a regular domain user, should not have access to. And it's people again, that goes back to the expediency factor, where people will they want to share out their drive, or they go to a server and let's maybe they have domain admin rights on a server or local admin rights on their workstation. They right click, they share it with everyone since several other several people within the organization need access.
Kevin Beaver:And man, you wouldn't believe that the finance stuff, the intellectual property, source code, passwords, all of this stuff is just out there on the network for not just employees or contractors or consultants to see. And again, know what? I'm not doing this for ill gotten gains. I'm just finding the vulnerabilities and pointing them out. But there could be some bored employees that go poking around.
Kevin Beaver:There could be you could have malware on your network that's creating a backdoor that's allowing remote access into your network environment and these shares and all this sensitive information. It's a big deal. It's a real big deal. So those are just two of the things that I look at.
Dejan Kosutic:Anything else that you typically aim first?
Kevin Beaver:Web apps. I do a lot of web application testing. Man, I see vulnerabilities in web apps all the time, especially behind the login prompt. And this is the interesting thing, Dejan. You've probably seen this or heard of this, where a lot of times, my clients, they just want to black box pen test.
Kevin Beaver:They don't want to do it with authentication. No, we're not going to do it with any user authentication. We're just going to see what an attacker on the outside could get to. So we don't log into the web app. We don't do anything.
Kevin Beaver:But what's being overlooked in that particular use case is there could be compromised credentials. They're out there everywhere. I do OSINT testing. I do OSINT scanning, looking for credentials that I can almost always use to log in to websites, web apps. And those credentials no doubt provide access and allow me to get in, just do whatever I want.
Kevin Beaver:And it just looks like the regular user is in there using the web application. And they don't have alarms, they don't have triggers, alerts, no incident response. And that's a problem. You've got to look behind the login prompt of your web applications. I think that's a big oversight.
Kevin Beaver:It's a big assumption. Well, everything's good because it requires credentials, but not any longer.
Dejan Kosutic:Okay. How do these psychological aspects that we spoke of before, how do they actually help you find these kinds of vulnerabilities?
Kevin Beaver:One of the other things that I haven't mentioned, I'll mention it briefly, I just call it myopia. It's literal shortsightedness, not seeing the bigger picture of what's going on. And a lot of that starts in the scoping process. When we literally scope to do these penetration tests. What are we going to be testing?
Kevin Beaver:How are we going to be testing it? With authentication, without authentication, what tools are involved? What's that going to look like? A lot of times people just, they just want vulnerability scans, maybe a quick pen test so they can check a box. And that's myopia.
Kevin Beaver:That's shortsightedness. That's not looking at the bigger picture of, hey, how are we really at risk here? It's not looking at AI. It's not looking at unstructured information, how it's scattered across the network, users, how they're choosing their passwords, little things like that. So that allows me, literally from start to finish, when I'm doing the scoping, when I'm doing the testing, and even when I'm doing the reporting, I'll often, in my reports, I'll say, hey, look, this was the scope.
Kevin Beaver:It was a limited scope. Next time, we should consider doing X, Y, and Z in addition to what we've already looked at because we don't know the full picture. And unless and until you look in literally every nook and cranny of your network, everything's fair game. There's always more that you can be doing. This is something that I learned in psychology and studying success is there's always more that you can be doing that you can be throwing at these problems.
Dejan Kosutic:And in your opinion, are hackers actually using a similar approach like you described now? I mean, what to look for first or do they really approach them in very different way?
Kevin Beaver:I think so. I think they're definitely looking for the low hanging fruit. They're doing their OSINT scans. They're looking for credentials out on the deep and dark webs. They're looking for open wireless networks.
Kevin Beaver:They're gullible users that they can send phishing emails to. And now with AI, that's really changing everything in terms of phishing, the reality of phishing, how realistic it all is, even phone calls targeting and all that can be AI based. So yeah, I think they're starting I would say the majority of them are likely looking for the low hanging fruit. That's why you've to fix that low hanging fruit and not get distracted doing necessarily everything up front. You need to do everything eventually, but not everything right now and every single time necessarily.
Kevin Beaver:I know I'm slightly contradicting myself, but you do need to get to everything eventually. But yeah, they're looking for low hanging fruit. There are exceptions. If it's a financial institution, if it's a medical device company, manufacturing company, pharmaceutical biotech company that's looking for formulas, looking for schematics, looking for very unique data, then it could be in those situations. That's what they're going for.
Kevin Beaver:But almost always, they're going to find low hanging fruit that they can exploit. Global users, weak passwords, all that stuff, to get to what they're looking for.
Dejan Kosutic:Do you think that hackers also study psychology?
Kevin Beaver:It wouldn't surprise me if some of them do. Wouldn't surprise me at all. I mean, they're super smart people in many cases. There are some that are clearly dumb that just go out and they don't think about their actions, then they get caught, and then boom, it's all over. But yeah, I suspect a decent amount of them understand.
Kevin Beaver:Maybe they don't have psychology degrees necessarily. They're probably not listening to success experts to learn about psychology, but they get it. They understand where people are gullible. They understand that leadership is often looking the other way, or they're disconnected, or they just don't want to be involved. They've got their blinders on because this is all IT stuff.
Kevin Beaver:The technical folks are doing this. They don't want be bothered with it. So they know that. They know that. So you got to give them credit.
Dejan Kosutic:Okay. Let's speak a little bit about AI and actually how it helps the attackers. So, you mentioned, I don't know, phishing phone calls, think. So, can you give a couple of examples on really how hackers are using AI nowadays?
Kevin Beaver:Well, yeah, I suspect a lot of this is going to get into the wrong hands. A lot of these tools, OpenAI, Anthropic, and I'm sure countless others are putting out there like Mythos, that are basically go and find anything, anywhere, vulnerabilities that have been missed for the past thirty years. That's going to be big, and it's going to create a lot of challenges for IT and security teams in terms of vulnerability management, patch management, even SOX, security operation centers, managed security providers that are monitoring for these things. It's just going to be just create this, I think, an exponential level of complexity on the network in terms of being proactive and being reactive to try to clean this stuff up. The reality is these vulnerabilities, these exploits, they're going to get out there.
Kevin Beaver:They're going to get in the hands of the bad guys. In many cases, I'm sure they already are in terms of AI. And I don't you know that they're leveraging all this stuff? And granted, I've done some of this stuff to try to come up with exploit code and whatnot on the projects that I'm working on in a professional, ethical way. And these tools, they'll redirect you quite often, but you can sit there and those guardrails run out, or there's gaps in the guardrails eventually if you poke around hard enough and ask the right questions.
Kevin Beaver:So I suspect that's what the bad guys are doing, and they're going to leverage a lot of that to their advantage. And it could be, it's going to be an arms race. It's going to be like a game of whack a mole with these AI companies, the bad guys, the defenders, and we're all just kind of, you know, like, oh god, what do we do now? One deep thought I've been having over the past, I don't know, few months is that I think we're going to see AI agents, AI applications, LLMs running internally, all that stuff. We're going to see them attacking one another potentially.
Kevin Beaver:And so you literally have a fight that is broken out on your network. And you're like, Hey guys, not on my network, you know? But it is on your network, and they're literally attacking each other. And who knows? Maybe they're going to collude and make your problems even more difficult.
Kevin Beaver:I don't know where this is going, but man, based on what I've seen with AI, I think anything is possible.
Dejan Kosutic:So you're saying basically that biggest threats in the future might not be hackers themselves, but actually AI, which you are using internally in the company, right?
Kevin Beaver:It wouldn't surprise me. It wouldn't surprise me at all. And that kind of leads to one of the other things that I wanted to mention about psychology. I think most people have heard this term cognitive dissonance. It's basically the gap between what we know and then what we choose to do about it.
Kevin Beaver:So we know that something's going on with AI. Are we going to choose to truly fix it? Are we going to choose to get our AI programs under control? It's one of the new service offerings I have in my own business. I'm doing like an AI governance assessment.
Kevin Beaver:Hey, what AI is running on your network? What are you doing about it? What is your policy? Who's in charge? How is management involved?
Kevin Beaver:And I've got a lot of clients that are like, Wow, yeah, we haven't even thought about that. We don't even know where to start. And that's where something like cognitive dissonance would come into play. So what do you do? Do you review new information and accept you were wrong, or do you just ignore it, and then you just keep supporting the bad choices you've been making?
Kevin Beaver:And I think we're seeing that already with AI. So it's another tie in with that. And this is a real problem with security that I think and I think the bad guys know this is that leadership executives are often exempt from the very policies that their business is trying to put in place. Because leadership, they don't want be involved with that stuff. They're traveling, they're talking to important people, they're having big conversations, they're networking, they're making sales and running the company.
Kevin Beaver:They don't have time for all these policies, all these security controls to get into play, get into their way. So they're exempt. And everybody's like, Okay, I'm not going to enforce this policy because that's the CEO or the COO or the CFO because people are afraid to lose their jobs, I can't blame them for that. But it's a bit ironic that leadership is like, Oh yeah, we have a strong cyber program. We've got cyber insurance.
Kevin Beaver:We have a board. We're doing all these great things, but yet they don't want to be bothered with those policies. I don't know. That kind of stuff, it's like, I call balls and strikes when I see it with security, and I like to call that kind of BS out, you if know what I'm saying Dan. We see this in all aspects of life where there's a certain group of people that are exempt.
Kevin Beaver:It's kind of like in politics. There's that group out there that's exempt.
Dejan Kosutic:Okay, but how do you then achieve in a company that you actually set, I would say, clear security rules which are then valid for everyone and without any exemption? So what exactly do you need to do?
Kevin Beaver:Yeah, so literally policies that are in place that are supposed to be for everyone, but it's always exemptions, always. I see this across the board. Small business all the way to large enterprises is privileged accounts. It's not putting MDM on mobile devices because they can't be bothered with it, getting rid of web content filtering, opening up for personal AI usage so that these certain groups of people can upload all the company data and PII into these LLMs that are learning from that data.
Dejan Kosutic:What to do about it? I mean, there surely must be a way to resolve this.
Kevin Beaver:There is. I think it takes a strong set of cojones at the CISO level. I think CISOs need to step up and say, look, I see what's going on. With all due respect, I understand what you're trying to accomplish and that some of these controls are getting in your way. Here are the risks that are surfacing because of these choices that are being made.
Kevin Beaver:So it needs to come from as high of a level as possible, maybe even the board level, but definitely the CISO, and I know a lot of CISOs don't get the respect they deserve. A lot of times they're figureheads, they end up trying to do what's right, but they can't because nobody believes in security. So the CIO kind of is protective over that in many ways. Just, again, I'm calling things that I see. I think it's going to take the right attitude and perhaps some stronger personalities and pushback and relationship building on the part of security professionals that are lower within the organization saying, again, with all due respect, we understand what you're going through and we're going to try to make that better.
Kevin Beaver:Here's the risks that's here are the problems that it's causing. This is what we've already found. This is what continues to happen. So something needs to stop. Or something needs to change.
Kevin Beaver:Or you put it on them and you say, Look, here's what's happening. I need your blessing. You know, If we're going to continue down this path, we know the risks. I need you to give me literally a verbal or ideally a written yes or no. This is our approach to security.
Kevin Beaver:Just to protect yourself. For security professionals, if you're a compliance manager, IT director, security admin, just to protect yourself. Just get it in writing. Okay,
Dejan Kosutic:so one way is obviously to kind of build this consensus, if possible, around security, that security is needed and so on. But is it also the case that the security rules themselves or security processes need to be, let's say, redesigned or some kind of, let's say, adapted to the business and the company?
Kevin Beaver:Absolutely. It's funny you bring that up because that ties into the last big thing I want to talk about when it comes to psychology it's confirmation bias. Basically it's that mindset that well we've always done it this way so it stays that way and so security ends up getting in the way of doing business and I used to blame leadership executives and all those folks on on most security problems but I've seen a lot of my own peers, I've seen people at lower levels within the organization literally shooting themselves in the foot, creating their own problems, making things difficult without stepping back, looking at the bigger picture like, can we do this in a better way? There's almost a thousand ways to do anything in IT and in business. Maybe not as much in business, but in IT we can always come up with solutions, especially with AI now, right?
Kevin Beaver:Because AI can help us, they can help facilitate it, AI agents, whatever. Yeah, so this is a team effort. This is definitely a team effort. We cannot be stuck in our old mindset of this is how we've always done it, so this is how we're going to keep doing it. It's got to be mutual.
Kevin Beaver:It's got to be we've got to get away from those hard line tactics that the bad guys know that we have. We're set in our ways. We've got certain detection thresholds. We've got certain features within our tools, and that's how we're going to leave them. And the bad guys know that they can just go around all those settings and whatnot.
Kevin Beaver:And it just creates problems within the culture of the organization. I think this is how security and IT professionals end up getting a bad name. They end up making people mad at them. And it becomes sort of an us versus them situation. And we have to be so careful with that.
Dejan Kosutic:Yeah. Yeah, from my experience, it's always good to think about security as a business enabler, right? So, okay, you need to have certain level of security, which is, of course, risk based, and then but try to figure out, you know, how not to stop the business doing its part, right? If you can So download these two things, it's always the best.
Kevin Beaver:Absolutely. I actually have a section in my book. Called the Part of Tens, I talk about a lot of this stuff: 10 Tips for Getting Security Buy In, 10 reasons hacking is the only effective way to test, and then 10 deadly mistakes. And in the deadly mistakes section, I talk about these things where we cannot get in the way of doing business. As soon as we get in the way of doing business, we're done.
Kevin Beaver:People are going to find ways around it. They're going to go back to that expediency factor. They're going to find shortcuts. They're going to start up. They're going to spin up their own servers, their own cloud services, shadow AI, all of this stuff.
Kevin Beaver:And we're literally doing ourselves a disservice at this level with security, as security implementers, as security professionals. We have to be so careful with that.
Dejan Kosutic:You mentioned also this security culture. So when you do, let's say, some kind of penetration testing, do you find that companies that do have a stronger security culture, that they actually have a lower number of vulnerabilities or security culture doesn't really influence the findings that you have?
Kevin Beaver:No, it definitely influences it. I haven't shared this with many people other than my client, but I did a penetration test of a web application just recently, and I literally found nothing. That is the first time in over two decades that I've had a clean report. There's almost always something. There's always a server misconfiguration, something silly with the application that's being done.
Kevin Beaver:With this one in particular, I didn't find anything. I'm like, hey, guys, here's my methodology, here's my tools, here's the screenshots, here's all the data. You can look through it. I did a thorough test. I didn't find anything.
Kevin Beaver:But I do think that, yeah, security culture definitely enables better outcomes when it comes to penetration testing. It enables cleaner reports. And this organization has a great security culture. It's a smaller company, so that helps. It's much easier to have a good security culture in a 10 or 20 or 50 person company than it is with a few thousand or tens of thousands of people, for sure.
Kevin Beaver:But yeah, that's a great analysis.
Dejan Kosutic:How do you then suggest to your clients how to raise the level of security culture?
Kevin Beaver:Do think it starts from you could argue it starts from the top, but I think it starts from the bottom, and it's about relationship building. It's about reporting on what you have, you know, the professional, security professionals in charge, whether they're doing it internally or they're hiring someone like myself. It's reporting on, hey, here are our findings, and this is how it's impacting the business. The executives, leaders, the board, they don't care about technical details. They don't care about bits and bytes and encryption and attack pass and threat vectors, all that stuff.
Kevin Beaver:They want to know, how is this affecting us? And we, as security professionals, can do that. I've worked on that a lot in terms of my reporting, to shape the findings around, like, Okay, this is how your business, this is a likely outcome, and this is how it's going to look to your business, not just, Here's a missing patch. This is you need to fix it kind of thing. And it takes some confidence, it takes some relationship building, it takes some sales skills, getting buy in and maintaining that buy in.
Kevin Beaver:Probably the number one question I get this from my own clients. I serve as an INS faculty member and consult with some very large organizations. And it's always, how do we present to the board? How do we present to leadership our current state of security? And one of the things that's often overlooked a lot of people are, oh, we're metrics.
Kevin Beaver:Which metrics is it going to be? What do we we talk about these incidents, these findings. I actually recommend go to these people. Go to the board, go to executives, say, hey, here's generally speaking, this is what we're doing. What would you like to hear from us?
Kevin Beaver:What would you like to see reported? And if they don't know for sure, and they may not in every case, then you say, well, here are some options. We could talk about some metrics around this, how things are looking with our user base, how our vendor management program is going. What would you like to hear? How would this enable you to make better decisions for the business?
Kevin Beaver:And I think it's a great way to approach establishing the relationship and maintaining the relationship with executive leadership, board members, and whatnot. Because otherwise, you're just assuming that they want to hear what you're willing to present or whatever data you might have. So going and asking them, it not only gives them what they want to hear and see, but it helps to establish that relationship. It helps them realize like, Oh, wow, this person just came to me and is actually concerned about my role as a leader of this organization and is trying to facilitate. And man, that can create a really strong bond longer term to help build out the security program.
Dejan Kosutic:Yeah. And what kind of information do they usually ask for?
Kevin Beaver:Talking about executives and boards?
Dejan Kosutic:Executives and boards, yeah.
Kevin Beaver:I think a lot of times they're looking at trends around patch patching, trends around failure rates for user, phishing, user education. Are users are they taking the courses? Are they passing? How many times are they clicking? What problems are they leading to?
Kevin Beaver:If they're more technical and they understand what's involved in security incidents, they'll ask about, what is our mean time to detection for security incidents or exploits? What about malware? Do we have indicators of ransomware or malware? And they'll get down into the weeds with looking at that, even from a forensics perspective, if they need to. Okay, we have had some security events, which is like, that's what we probably should call them until we verify that it's actually an incident.
Kevin Beaver:I know that's what lawyers do. We have this number of events. How do we know that things are cleaned up? How long did it take to respond? Yeah, it's kind of across the board.
Kevin Beaver:It depends on their level of technical proficiency and how long they've been around security and whatnot. Yeah, it's all over the map.
Dejan Kosutic:Okay, so let's wrap up the call. And so what would you say are kind of top things that companies should do to be, let's say, better prepared for an attack or to prevent an attack?
Kevin Beaver:Yeah, I always say the same things. Every time I'm giving a presentation, if it's an interview like this, whatever, I always say the same stuff. It's three things. Number one is know what you've got. Most organizations don't know what's on their network still to this day because of the complexity.
Kevin Beaver:And now with AI, it's making it infinitely worse. So know what you've got, understand how it's at risk. A larger number of organizations, arguably most organizations, don't understand how everything they've got is at risk. So that's the first two. And then number three is to do something about it.
Kevin Beaver:I tell you, I can't tell you how often, Dejan, I see, Okay, we know what we've got. We've done an inventory. We have our system. We're understanding how it's at risk. We've done our vulnerability scanning, our penetration testing.
Kevin Beaver:We're doing data mapping. We're understanding business classification, data classification, business impact analysis, all that stuff. We're doing all that stuff, and it's creating a lot of busy work and noise, and it looks good on paper. But that third item, doing something about it, that's where we often fall short. Because of budgets, it's tough because of politics and culture and all that, but that's a problem.
Kevin Beaver:It's just like going to the doctor, they do the blood work or the imaging. Okay, you have insulin resistance, or you have a tumor or whatever. You need to take the next step. You need to change your diet, you need to go get an additional work, see an oncologist, whatever. They may go do that, and then, Okay, I have insulin resistance, or I have a cancerous tumor in my body, and then a lot of times they don't do anything about it, especially when it comes to metabolic diseases and whatnot.
Kevin Beaver:Live in such an unhealthy world, but it's that doing something about it part where we tend to fall short. And people, they often lack the willingness and the discipline just to make it happen. It's like they just can't put one foot in front of the other and make work.
Dejan Kosutic:That's actually a very good point. I had a couple of interviews ago. I spoke to one auditor for ISO 27,001, and I asked him, okay, what is the most common non conformative he finds? And he said that companies are not having this risk treatment plan, right? Exactly what you're saying.
Dejan Kosutic:So they did the risk assessment, but they didn't really plan on what to do So about it's, yeah,
Kevin Beaver:And so, it's you know what it does? They take the report and they literally just put it on the shelf Or it sits out on the network and they know it's a to do item that follows them every week, every month, every year. And before they know it, it's time to do another audit, another pen test. I've done a lot of pen tests over the years where literally zero issues have been resolved the following year. And I'm thinking, man, that's not defensible.
Kevin Beaver:And that's the approach that we need to take. We need to take a defensible approach to security So if something bad happens, it ends up in a legal situation, in court or whatever, you need to be able to show that you were taking the right steps to do the right things.
Dejan Kosutic:Great. Thanks for these insights, Kevin. It was a pleasure talking to you.
Kevin Beaver:Absolutely, Dejan. Thanks for having me on. Really appreciate it.
Dejan Kosutic:Thanks again and thank you everyone for listening or watching this podcast and see you again in two weeks time in our new episode of Secure and Simple Podcast.
Dejan Kosutic:Thanks for making it this far in today's episode of Secure and Simple Podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On Advisera website, you can check out various tools that can help your business.
Dejan Kosutic:For example, Conformio software enables you to streamline and scale ISO 27,001 implementation and maintenance for your clients. White label documentation toolkits for NIS2, DORA, ISO 27,001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead auditor and Lead implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27,001 and other frameworks enable you to organize training and awareness programs for your clients workforce. Check out the links in the description below for more information.
Dejan Kosutic:If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today, stay safe!
Creators and Guests
