As we head deeper into 2023, cybersecurity will continue to be top of mind for companies, especially since 82% of chief information officers (CIOs) believe their supply chains are vulnerable to cyberattacks and 6 out of 10 small businesses go out of business following a cyberattack.
PrismHR caught up with Gary Alterson, Rackspace’s vice president of security solutions, to get his thoughts on what companies can do to help shore up their cybersecurity. The following interview was edited for length and clarity.
Tell us a little bit about your background, and how you got into cybersecurity.
Gary Alterson: I’ve been in the field for 20-plus years. My degree has nothing to do with cybersecurity. I’ve got an education background. I was a teacher for a couple years, and decided that I didn’t want to be a teacher anymore. I got a job at a help desk for a small company. I grew that into a networking position, and then, ultimately, got into security right before 2000, and I ended up being one of the first actual security hires at an insurance company.
I ended up building up the architecture there, ended up in a global role, and eventually, as a CISO for the business unit. Went into consulting and ended up as a chief information security officer for a global bank for about a year, and then grew that into a consulting business.
In my current role, I lead the cybersecurity business at Rackspace. I’m responsible for our managed security services that we offer to our customers, where we help them detect and respond to security events in our private cloud as well as our public cloud. We also help them build application security and zero trust architectures and help manage them.
Do people ask you, ‘Is the cloud safe?’ And what do you say to those people?
Gary Alterson: I say, absolutely. The cloud, like any other technology, you have to be aware of your security risks and appropriately build the right architecture. [Companies should] make the right configurations, basically build correctly, and manage ongoing in a way that’s correct.
Then it’s completely safe. In many cases, it’s safer than on-prem. The tools and the technologies and the ability to build at scale via code allows a lot more flexibility, a lot more visibility than you might get in an internal on-prem environment.
DOWNLOAD OUR NEW E-BOOK!
A lot of the people who’ll be reading this work for smaller organizations. I recently read that smaller companies are actually targeted more than the larger companies, even though breaches at larger companies wind up in the news more often. So what can smaller companies do to help protect themselves?
Gary Alterson: When you think about an adversary, a hacker, whether it’s a ransomware group or a state-sponsored actor or whatnot, they’re after specific information, specific secrets, specific access, and they’ve got tons of resources.
For a small company, if a state actor is interested in their IP or their resources, there are some things they can do, but state actors have a lot of resources, probably more than those small companies do. But it’s going to be the same advice either way for that or for ransomware.
That said, ransomware organizations will go after smaller organizations, ones that probably are easier to breach than a large organization. But they’ll also do their research and make sure that the organization is going to be able to pay whatever that ransom is, and that taking down that organization is going to be enough of a catalyst for them to actually pay, right? They do their research.
So what can folks do? The advice hasn’t changed, really, in the past 20 years. Some of the technology has changed, but the advice hasn’t changed.
First of all, keep your systems up to date. Apply security patches. Apply security patches to your operating system, apply security patches to applications running on your PCs and servers and whatnot.
Apply security patches to your networking devices, and keep those up to date as well, which is an area that a lot of organizations forget about. That’s hygiene point number one.
The second hygiene point is: Harden those same systems. You don’t need fancy tools, you don’t need to spend a lot of money, but configure them so that it makes it a lot harder—and a lot more timely and costly—for an organization to try to breach them and take advantage of them.
There are best practices out there [e.g., these cybersecurity benchmarks from the Center for Internet Security (CIS)] that you can go and download and apply those templates across your organization. Those two things are going to put you leap years ahead of a lot of organizations that still don’t do that basic hygiene.
When you consider tactics like ransomware, phishing and things like that, are the cyberattackers getting more sophisticated?
Gary Alterson: Yes, advanced adversaries are getting more sophisticated. However, for the average adversary, think ransomware organization, while they have sophisticated tools at their disposal, a lot of times, they don’t need them. Because, again, organizations aren’t doing that basic hygiene.
- Recommendation No. 1 for protection is hygiene.
- Recommendation No. 2 is going to be, assume you don’t win, assume you don’t protect. The assumption that you are going to be able to always protect is incorrect.
Yes, you want to put protection out, right? You want to make it harder and slower and more noisy for an adversary to do something. It gives you more of a chance to respond. Hopefully, it makes that adversary go somewhere else since you’re not the low-hanging fruit.
But you also need to make the assumption, and ask yourself, ’OK, if we are breached and that attacker is deploying ransomware, how do I recover? Do I have backups? Do I have images that I can restore off my servers really quickly? How fast can I get back up online?’
There’s a growing set of technologies for recovery [from] ransomware that it makes a lot of sense to investigate those. Because at some point every organization will have to deal with some kind of attack, and ransomware, again, is one that’s easy to recover from.
If you’re protecting IP and things like that, recovery’s a whole lot more difficult, right? You need to have a plan to recover, but the odds are that you’ll take that financial loss.
For employees, when you have that ‘Oh, bleep’ moment when you click on something you’re not supposed to, what’s the first thing or the first couple things that you need to do?
Gary Alterson: Let me take it a step back: Before you have the, ‘Oh, bleep’ moment, what should you be doing? I’ll say that I think most organizations do a horrible job of educating employees.
The basic thing we need to do is message. You’ve got to figure out a way to do this in a very personalized way.
And the training should be simply, ‘Just be suspicious of everything.’
We need to get to the point we’re just as suspicious of a stranger playing with my child in the park as I am of email coming in, and I’m going to validate where that email comes from, if that person sent it, that they meant to send it. Was I expecting it? Those are the kinds of questions we need to teach people to ask. Treat your technology with the same suspicion as you would someone working with your kids.
But if you do have that ‘uh-oh’ moment, what should you do?
The first thing I’m going to suggest is disconnect. If you’re on Wi-Fi, turn off your Wi-Fi. If you’re on a wired network connection, unclick. Take that wire out, disconnect from the network.
The reason is, the first action is, you’re probably going out to either a website that you would have had to do something on or there’s a piece of code that you just clicked on that is going out across the internet to some server to download some additional code.
So if you can disrupt that chain, and we call it the ‘attack chain,’ disrupt that chain of downloading the toolset that the attacker would then use to spread the virus or take over your machine or investigate what IP you might have or whether you have some sensitive data. That all gets downloaded after you click. So the faster you can disrupt that, the better.
How long do you have before something bad happens?
Gary Alterson: It depends on the attacker and the downloader that they’re using, and what they’re intended to do. So there’s no set answer, but the sooner the better.
The second thing, because it can take a few seconds for something that’s lightweight … or it might [take longer if it’s] beaconing back and waiting for a command. You don’t know, so the best thing to do is take it offline.
If you notice your disk starting to spin, just shut down your computer because that could be an encryption mechanism happening. Then go straight to your IT folks, who hopefully are trained and know what to do, or know who to reach out to, for next steps.
I interviewed a cybersecurity expert a few years ago, and the way he explained it to me is, ‘These hackers and cybercriminals, this is basically their full-time job.’ So they’re spending lots and lots of time trying to find new ways to basically trick people. What are some of the new ways you’re seeing that people should be aware of?
Gary Alterson: Oh gosh. A lot of the newer ways aren’t superinnovative. There’s a couple of different things. There are superinnovative really advanced attacks that ransomware organizations will use against a complex adversary that they want to go after, a bigger company.
Or, the nation state actors have really advanced, call it technology, that they’ve built. But for the average person, most of those advanced techniques are basically better ways to socially engineer you.
I think by now, most of us have gotten better at, ’Oh, there’s a picture of Britney Spears that was sent to me. I should probably delete that email, and not open it.’
I think most of us have gotten that far, but what you might get, if you’re in HR, is a, ’Hey, this email’s coming from a recruiting firm, and it’s got a list of candidates, in an Excel file.’
There’s a macro in that Excel file, which is basically some code embedded in the Excel file, that does something malicious, and probably goes and downloads some new code that’s also malicious. So that’s one example.
The other example is befriending folks on LinkedIn. If they want to target, and it’s someone, specifically, or understanding social profiles, they know something about you, and whether through Facebook or TikTok, or whatever, and then sending specifically crafted messages to you. So that it seems more believable, you’re more interested, you’re more likely to take their action.
Like, “Oh, I am interested in baseball card collecting. Oh, a Hank Aaron card. That’s pretty rare. Yes, let me go look at that website and take a look at it.’ It’s new, and constantly getting more advanced.
We’re putting more and more information out there for folks to learn about us through social media.
Then the other innovation is around those specific pieces of code that do that initial attack. Going back to that Microsoft Excel file with a list of candidates, Microsoft has gotten better at blocking malicious macros. So, being more crafty in how you get around the Microsoft blocks is an example of some innovation as well.
It’s this constant race of, if you block something, ‘I’ve got to go invent something new or a new way to do the same thing, that’s happening.’
I read this article that sounded like a little bit of a futuristic horror story to me about how artificial intelligence could cause chaos when it comes to cybersecurity. How concerned are you about artificial intelligence from cyber criminals?
Gary Alterson: I think that’s a little alarmist at this point. Will there be advanced adversities? Will nation states, who are going to go attack our defense and critical infrastructure, be able to take advantage of AI? Probably, but should the average person be really concerned about that? No. The average person still has to do the basic block and tackling.
What AI will be used for is probably more just finding new vulnerabilities, and then exploiting them, and building the code to exploit them. But the defender reaction of that is still the same thing, patch and harden, patch and harden, put some detection in, being able to respond.
I think there’s a growing concern over quantum computing, which is valid, as well. The encryption upon which so much relies on in the banking systems, even in your browser, when you go and you type in your password.
That password is encrypted before it’s sent over to wherever you typed your password into Amazon or whatever website you used. That’s encrypted. Quantum? The math behind that encryption, basically, is such that it’s really, really hard to break that encryption until you start getting into quantum computing.
As quantum computing starts to become more mainstream, the traditional encryption algorithms will become easier and easier to break, and faster and faster to break. That’s why you’ve just seen the National Institute of Standards and Technology here in the U.S. go and certify a new encryption algorithm that is more protective against quantum.
Is there any aspect of cybersecurity that I didn’t talk about that you wanted to discuss?
Gary Alterson: That’s a good question. There’s a whole lot of aspects to cybersecurity, and I think, really, what it comes down to for any individual or any organization, especially a small organization, again, is there’s a whole lot of vendors selling a whole lot of stuff. But the basics are still the same, hygiene, patch, harden.
Then there’s one thing I’ll add to it, which is authenticate, use stronger authentication techniques. Passwords are getting easier to break, but more importantly, we know people don’t manage their passwords with best practices. And we know most folks probably use their same password in more than one place. So if I’m able to get your password, and I start using it in other systems that I’m guessing you’re using, I’ll eventually find one. And I’ll probably be able to get in.
In fact, there’s a whole website out there that will just tell you if you’ve had a password breached in the past. It’s called, haveibeenpwned.
When I say that the third thing is strong authentication, what I mean is, don’t rely on just passwords. Use two-factor authentication. Basically use a password and something else.
James Tehrani is PrismHR’s digital content marketing manager. He is an award-winning writer and editor based in the Chicago area.