{"id":143271,"date":"2022-10-11T10:59:00","date_gmt":"2022-10-11T14:59:00","guid":{"rendered":"https:\/\/www.cyberark.com\/blog\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/"},"modified":"2026-04-17T04:32:52","modified_gmt":"2026-04-17T08:32:52","slug":"ep-13-cyber-fundamentals-where-things-fall-apart","status":"publish","type":"podcast","link":"https:\/\/www.cyberark.com\/fr\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/","title":{"rendered":"EP 13 – Cyber Fundamentals: Where Things Fall Apart"},"content":{"rendered":"

Even when looking at layered enterprise solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. And that\u2019s what, on today’s episode, guest Bryan Murphy, CyberArk\u2019s Senior Director of Architecture Services and Incident Response stops by to talk with host David Puner about. Murphy also dives into the importance of cyber hygiene as an essential preventive measure for protecting identities, as part of a defense-in-depth strategy. It\u2019s a perfect fit for October, which happens to be Cybersecurity Awareness Month (CSAM). Raise your awareness and give it a listen!\u00a0 \u00a0<\/p>\n

[00:00:00.120] – David Puner
\nYou’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk,
\nthe global leader in identity security.
\n[00:00:18.210] – David Puner
\nBelieve it or not, humans are trusting by nature. Google it. If you don’t believe me, you can trust at
\nleast some of those results, which is at least in large part to blame for our reflex to, among other
\npractices, click on that link or scan that QR code. To be socially engineered, to be phished. And that’s
\nwhy even when looking at layered enterprise security solutions designed to thwart attacks and
\ncontain them, we must always go back to cybersecurity basics at the individual level. Cyber hygiene
\nas an inherent part of identity security as a part of a defense in-depth strategy.
\n[00:01:00.500] – David Puner
\nAt their core, the basics are about practicing distrust. Practice scrutiny. Think before you put yourself
\nor your organization on the brink of cyber apparel. Despite attacker innovation and evolving threats,
\ncyber attackers often play from an album of well-worn greatest hits. Sometimes they’re incorporated
\ninto a new medley, and sometimes they inspire a new material, but the refrain is the same. And if
\nwe’re individually familiar with the first notes of those hits, we can collectively stop them before they
\nplay through, because these are hits nobody from the trusting realm should have to endure.
\n[00:01:38.480] – David Puner
\nOn today’s episode, I talk with Bryan Murphy who’s the director of architecture services at CyberArk
\nand the leader of our remediation services team, and he’ll talk about what that means and what he
\ndoes. Bryan’s always fun to check in with and we do so regularly for the CyberArk blog, because he
\ncan talk about enterprise-level cybersecurity initiatives and solutions at a level that’s simple to
\nconsume.
\n[00:02:02.750] – David Puner
\nThe complex cyber topics are inherently tied to basics, and in our conversation, the first of our
\nOctober episodes, October happens to be Cybersecurity Awareness Month, he makes the connection.
\nIf Bryan was a musician performing live, he’d continuously find ways to keep his greatest hits fresh
\nthrough evolution. Stay on to hear why.
\n[00:02:39.070] – David Puner
\nYou’re the director of architecture services here at CyberArk and leader of our remediation services
\nteam. Remediation and response teams, like the one you lead at CyberArk, are one of the first few
\ncalls companies make after a breach. How does that work? What’s that call look like? What happens
\nin your world?
\n[00:03:00.310] – Bryan Murphy
\nFirst off, let me say thanks for having me. The call can go two ways. Number one is they could call us
\nbefore they’ve called a forensics firm. I want to be a little transparent here that we do not want to do
\nthe forensics on these as the IR lead. We want to be like you introed it with the first few calls. What
\nhappens is that we can help them start to contain, start to understand what credentials were used.
\nBut normally we like to work with the forensics teams because what you find is the forensics teams
\nare good at what they’re good at. They’re good at discovering where they were, what accounts are
\nused, closing the doors the attackers were using to get in, but they’re not fully versed in identity.
\n[00:03:48.050] – Bryan Murphy
\nThose recommendations and solutions they have, they want to lean on the experts in the industry.
\nWhat we do is we bring that experience, that blueprint, the framework we have, so that as they recover
\nfrom these breaches and incidents they have, the remediation team we offer to our customers fast
\ntracks anything the full IR team is doing. It allows them to shift their resources to other places
\nbecause they already have a plan on how they’re going to control their identities going forward.
\n[00:04:20.200] – David Puner
\nSo are you about helping to come up with the plan for the plan, or are you about being like the Harvey
\nKeitel character in Pulp Fiction where you’re cleaning up the mess, or is it a little bit of both or a little
\nbit of neither?
\n[00:04:33.400] – Bryan Murphy
\nI would say it’s a little bit of both because it depends on the attack. Of course, not every attack is the
\nsame, but I like to say these attacks are very consistent, they have a lot of similarities to them. So as
\nwe start to draw from all of our experience, the framework becomes a little more consistent is what
\nwe can recommend. So now at a high level, if you’re facing an incident and you call CyberArk for help,
\nwe already have a high level template to say this is what we’re going to do, and then we can provide
\nthat to the forensics company, we can provide that to the customer to get a baseline, and then we
\ntweak the baseline based on the actual events that happen. So instead of going in and having to build
\nfrom scratch, we’re building from that template or framework and we’re just making tweaks to it so
\nthat we can control identities quickly and it doesn’t become a discussion point, it doesn’t become this
\nbig conversation before any identities can be managed within your organization.
\n[00:05:31.220] – David Puner
\nYou say \u00ab\u00a0we\u00a0\u00bb. How big is your team and how often are you actually the one receiving that call?
\n[00:05:37.580] – Bryan Murphy
\nOur team right now is very small. It’s under five, but we have others within my architectural team that
\nhave experience in this field and have been doing this for years as well, they’re just not fully dedicated.
\nFrom the rotation standpoint, the on call, 24 by 7 support, you can call CyberArk just to our standard
\n24 by 7 number for support. They have a procedure for engaging us, nothing special, that a customer
\nhas to do or a prospect on their side. We do run the globe, we do run 24 by 7. One point I wanted to
\nmake on the \u00ab\u00a0we\u00a0\u00bb. For us, the \u00ab\u00a0we\u00a0\u00bb is the forensics team, customer or client, and CyberArk. So when I
\nsay we make a decision, we’re not trying to come into these incidents and replace anyone’s opinion or
\nanyone’s decision making powers on how to do things. We really want to be there to provide the best
\nguidance possible.
\n[00:06:31.810] – David Puner
\nWhat would the first question you would ask be when you pick up that call?
\n[00:06:36.730] – Bryan Murphy
\nI would ask, where are we at now, and I would start specifically with asking, was this a domain based
\nattack? Did they take over active directory? Because right away there’s a few very prescriptive things
\nwe would do if it’s related to active directory. If it’s not related to active directory, we may start at a
\ndifferent phase than we would have for our standard blueprint.
\n[00:07:01.490] – David Puner
\nOctober when this episode releases is Cybersecurity Awareness Month. This year’s Cybersecurity
\nAwareness Month theme is about seeing yourself in cyber, which is all about the people part of
\ncybersecurity. Inspired by that theme, how did you get into the cybersecurity field and when did you
\nfirst see or envision yourself in cybersecurity? What led you here?
\n[00:07:24.220] – Bryan Murphy
\nWe’re going to go in the Wayback Machine, Dave.
\n[00:07:27.020] – David Puner
\nAll right, I like that. Let’s do it.
\n[00:07:29.100] – Bryan Murphy
\nAlmost 17, 18 years ago. It started out at my previous job before I came to work at CyberArk. I worked
\nin, let’s call it IT operations, maintaining a platform doing these type of things. I was brought into a
\ntabletop exercise for an incident and they were practicing how they would respond if they were
\ncompromised in any way. We went through this and I said, \u00ab\u00a0Wow, this is amazing. This is great.\u00a0\u00bb It led
\nme down the career path with them to move into security and start to lead some of these and be part
\nof the actual incidents that happened within that organization. Once I left there and came to work for
\nCyberArk, I did the normal deployment, standard things that we would do, but because I already had
\nsome experience and interest in these type of engagements, as customers would call us and say, \u00ab\u00a0We
\nhad an incident happen, how can you help?\u00a0\u00bb my team knew that I was the one with experience.
\n[00:08:26.710] – Bryan Murphy
\nI got brought into each one of those or I’d be providing guidance to the larger team on what we can
\ndo. Now you fast forward 7-10 years, let’s say that process kept growing little by little. It wasn’t a
\nbusiness we wanted to have here at CyberArk. But what we realized is it’s not about what we want to
\ndo, it’s about what do our customers need? We figured out that we were getting more and more calls
\nfor customers saying, \u00ab\u00a0Help me recover from this. Help me figure out how to do this better.\u00a0\u00bb And
\nbecause of that, we decided to form a team. That’s why the team is small right now, we’re not pushing
\nto be that forensics company. We’re pushing to really service our customers in their time of need. If
\nthe need becomes larger, we’ll make the team larger.
\n[00:09:16.550] – Bryan Murphy
\nIn a real short way, that’s how I got involved in this, it was purely out of inquiry, interest on my side and
\nthen just the fact that I was fortunate enough to put myself in a position to work on these early on in
\nmy career, that I was able to turn that into a full-fledged team here at CyberArk.
\n[00:09:37.990] – David Puner
\nWhat kind of attacks are you seeing a lot of or more of these days? We know attacks are happening
\neverywhere and often, but what particular kinds are you seeing now that are potentially sophisticated
\nor different than what we’ve seen in months or years past?
\n[00:09:55.260] – Bryan Murphy
\nI would say one of the biggest differences we’re seeing now is the MFA bypass. I’ve been saying this
\nfor four years. Other vendors have as well. MFA everything and you’ll be secure. That was the mantra
\nwe were living on there for a while. Now since the majority of organizations are MFAing, we’ll say
\neverything, the majority of their solutions, we’re now seeing the threat actors being able to bypass
\nMFA. They’re finding ways to do this, so now, we were looking at it from a strategy before we were
\ndoing Zero Trust, Least Privilege, and those were the big buzzwords, we were saying MFA. Now the
\nattackers are finding ways around this. That becomes interesting because that’s that first line of
\ndefense into the organization.
\n[00:10:47.240] – Bryan Murphy
\nI think the other trend I’m seeing is, back in the day, you would hear this person, John, obviously
\nkeeping the names anonymous here, John attacked this company or this group of people did this
\nattack. Any more with the dark web and with crypto, you’re starting to see organizations form and
\nshare more information. Maybe in the past they had the skill set to bypass MFA, they couldn’t do
\nanything else. They’ll sell that access they have to a different group, and now that different group that
\ndoesn’t know how to bypass MFA is already in and then they can do the next step. Our adversaries are
\naligning to attack and work against us, and this is making it difficult because they don’t have to be
\nexperienced in everything. They’re specializing in getting into our organizations. We as security
\npractitioners and experts need to make sure we’re doing what we can to have that defense.
\n[00:11:46.970] – David Puner
\nWhat does MFA bypass look like and is that similar to MFA bombing, MFA fatigue? All these things
\nthat we’re hearing a lot about these days?
\n[00:11:59.090] – Bryan Murphy
\nIt’s similar but an MFA bypass could be, let’s say, a vulnerability or a weakness in a configuration that
\nthey found where they can truly just bypass MFA. Maybe they find a way to take the cash credential
\nand move it through without ever being prompted for MFA, but you also have those attacks as well.
\nWe’ve seen recently where they’re saying MFA bypass has happened in some of the organizations, but
\nreally, you do the MFA bombing, these type of things. It’s more about getting the user to be socially
\nengineered, to trick them into approving it. Humans are trusting by nature. This is shifting a little away
\nfrom security for a moment but we’re human by nature and we’re very trusting by nature. It’s very
\ndifficult to get people to flip that mindset to say, \u00ab\u00a0I shouldn’t click on it. I shouldn’t do this.\u00a0\u00bb
\n[00:12:49.480] – Bryan Murphy
\nWe genuinely want to help in whatever we do. This is where the fatigue comes in, this is where the
\nbypass comes in that they can just click on something and accidentally let somebody else in because
\nthey want to help make the message go away. This is where security training and everything we’re
\ndoing is teaching them that, no, it’s okay if you get a hundred of these messages. That means that
\nyou really need to rotate your credentials so you stop getting the messages, not clicking on it to make
\nit go away. This is the educational point that we have to train people on just because of the way the
\nhuman mind is built.
\n[00:13:24.060] – David Puner
\nMFA is still important, right?
\n[00:13:27.180] – Bryan Murphy
\nAbsolutely, without a doubt. It still needs to be one of the number one controls we deploy, but the
\nmindset needs to shift from some of the messaging that’s been out there. I think we’ve all seen it in
\nthe security industry where they’ll say, \u00ab\u00a0MFA blocks 99% of these type of attacks that happen.\u00a0\u00bb And
\nthat number, I think, is going down a little bit because MFA does block, but it also relies on the human
\nuser. If the human user accidentally clicks yes, we’re seeing this more and more, they push someone
\nthrough, we have to understand that we need to work on that next layer as well and have that
\ndefensive down.
\n[00:14:04.270] – David Puner
\nLet’s say I’m on the receiving end of an MFA bombing. What should I do in that case?
\n[00:14:11.310] – Bryan Murphy
\nI can give you a personal real world example here that may be fun for the audience. I was at Black Hat
\nof all places. Super scary. I say super scary from the standpoint that someone could be hacking your
\nphone, hacking your account, we’ve all heard the horror stories. They have the wall of shame over
\nthere of people who are giving their credentials up inside the Black Hat Networks. I’m out to dinner
\nwith my team and I receive an MFA push on my phone. I went, \u00ab\u00a0Huh, that’s odd. I didn’t log into that
\nsite. What’s going on?\u00a0\u00bb I didn’t know what it was, it only happened once. I didn’t get a bomb, I didn’t
\nget multiple attempts. But right away there, I went ahead and I rotated my password.
\n[00:14:52.840] – Bryan Murphy
\nThe reason I rotated the password was if somebody had my password and tried to MFA in, they would
\nhave to then know the new password to try to MFA in again. I don’t want to leave the story there and
\nsay this is just what I did. The root cause of this was, it was a site that I share with my wife and my
\nwife is trying to log in, but my device was the only MFA device. She didn’t tell me she was logging in
\nbut this is why the prompt came to my phone. Completely legitimate prompt that came through,
\nbecause we didn’t communicate that that happened, I went ahead and immediately changed the
\npassword just to be safe to make sure that the account wasn’t compromised.
\n[00:15:28.420] – David Puner
\nWhat other kinds of attack trends are you seeing these days?
\n[00:15:32.060] – Bryan Murphy
\nI think the biggest we’re seeing is a shift from trying to deploy malicious code and having\u2026They’re
\nexecutable, running on your systems to living off the land. This is not a new trend as in it just started,
\nbut this is a trend we’re seeing gain momentum. What the attackers are doing is they’re trying to
\nmasquerade as the identities you already have in the organization. They’re trying to masquerade as
\nstandard users. So when you look at traffic, you threat hunt, you do these things, it becomes
\nincreasingly difficult to figure out who’s the attacker and who’s the trusted user on your network.
\n[00:16:16.430] – Bryan Murphy
\nAs they do this, what you find is they could use their own specific tools to do work. But instead, once
\nthey’re living off the land, if you have a tool in place and they have access to it, they will go read the
\nguide and figure out how to use your tool, and they’ll start using your tools against you. This becomes
\nimperative for the defense in-depth that we don’t just look at, we’re deploying security tools to secure
\nour environment. We need to look at, we’re deploying security tools that we need to secure as well,
\nbecause if the bad guy gets it, they’re going to use that tool against us.
\n[00:16:54.340] – David Puner
\nYou mentioned defense in-depth earlier. How does Least Privilege and Zero Trust fit into this
\nequation?
\n[00:17:01.580] – Bryan Murphy
\nGlad you asked that question, Dave. Zero Trust fits in because in the conversation we were just
\nhaving, we said we can’t tell who is our attacker and who is our trusted user on the network, and
\nthey’re masquerading as each other. But if we have Zero Trust, what that means is that users are not
\ngoing to have access to anything additional once they’re in the environment. If we never trust them,
\nthey constantly have to reauthenticate or conditionally authenticate to gain access to different
\nassets. This is a balancing act and I tell all of my customers, the goal is obviously Zero Trust, but Zero
\nTrust may not be 100% attainable on all your applications that you have. What we should do is we
\nshould be doing Least Privilege as far as we can, and take Least Privilege as close as we can to Zero
\nTrust, with Zero Trust being the North Star, but understanding we may not get 100% there with all of
\nour applications in our environment.
\n[00:18:07.030] – Bryan Murphy
\nBut if we practice this and we think of it as tightening a screw and we keep turning down the
\nprivileges, we remove them slowly but surely, we’ll eventually get to a point where, when an account is
\ncompromised, they bypass their MFA, they do an MFA bombing attempt, they have some way to get
\non our network, they’ll have very little access. It puts another control in that defense in-depth where
\nthey can’t get further within the organization to get to the actual data that they’re looking for. This is
\nwhere everything ties together, this is why you’re seeing Just-In-Time access. I know you didn’t ask
\nabout that one, but Just-In-Time, Zero Trust and Least Privilege and why it’s so important for everyone
\nto really start looking at this holistically within their environment and where they can deploy these
\ncontrols.
\n[00:18:52.600] – David Puner
\nYes, I think that’s an important point you brought up about the balancing act, and I know we’ve talked
\na little bit about this in other places. Do you want to elaborate a little bit on that metaphor? Because I
\nknow you like to go deep on it and I think it’s a really interesting area.
\n[00:19:08.940] – Bryan Murphy
\nAbsolutely, and I’ll end it with a story of an actual incident I worked years ago on trying to do exactly
\nthis. But yes, the problem I see is that we get excited. We like these new controls and we say, \u00ab\u00a0Yes,
\nthis is going to make our environment safer. It’s going to keep our business safe. We should do this.\u00a0\u00bb
\nBut what we don’t understand initially is either the technical debt that we have to work through,
\ntechnical debt being legacy configurations, certain user accounts, the way the business functions,
\nand not disrupting that, because security needs to make sure they enable the business still to get their
\njob done.
\n[00:19:51.190] – Bryan Murphy
\nThis is where the balancing comes in. An example of this I can give you is I had a customer years ago
\nthat wanted to do shared accounts. A shared account would be an administrative account instead of
\nbeing personally tied to Bryan, or personally tied to you, David, it would be a generic account, say,
\nserver admin, server admin 1, server admin 2. They wanted to go this route and they were in the
\nmiddle of just recovering from an incident. They said, \u00ab\u00a0Now’s the time. We need to do this.\u00a0\u00bb Told them,
\n\u00ab\u00a0Don’t do it, don’t do it\u00a0\u00bb I said keep everything the same and slowly start turning on these permissions
\nand gradually move people over to these accounts.
\n[00:20:30.490] – Bryan Murphy
\nThey just wanted to capitalize on it because of internal corporate reasons. They hadn’t had funding,
\nthey weren’t able to move on. Just to help you with the justification as to why they chose to do this
\nright away. As they did that, what they found a year later was they ran into a singular roadblock, they
\ncouldn’t figure out how to get a file share access or if I remember correctly, something along these
\nlines to the shared accounts, and it ended up stopping the whole process. What my message here is
\nto everyone who’s listening is that if you just make that absolute change and you move over, the
\ntechnical debt may come back to stall the North Star you’re heading towards because you don’t know
\nhow to solve one problem or you don’t have time to invest in this part that you weren’t planning for,
\nand then it never takes off.
\n[00:21:20.650] – Bryan Murphy
\nWhereas if we would have done it originally where we said, \u00ab\u00a0Okay, we’re still using personal accounts,
\npersonal admin accounts, let’s remove who doesn’t need it, let’s start removing permissions from
\nthose.\u00a0\u00bb We could have slowly ratcheted this back and then migrated to those shared accounts. Little
\ntechnical example, but this is where it can be a trap, where we try to make this big shift and then we
\nend up not benefiting from any of the security features we wanted to deploy.
\n[00:21:46.860] – David Puner
\nI wanted to get back to tax again, briefly. Leveraging hard coded credentials. What’s been going on
\nwith hard coded credentials and how are they being used to unlock high risk access?
\n[00:21:59.890] – Bryan Murphy
\nI’m going to start, David, by saying it’s nothing new. This is where many people who know me will
\nsay\u2026In the world of attacks that come, unless it’s a nation-state targeted attack, these type of things,
\nmany organizations are hitting it where the attackers are just playing the hits. They’re playing the
\ngreatest hits of the records they have. They’re using the same types of attacks, so when you look at
\nthis, they know to scan the environment. They know to look for certain places where credentials will
\nbe embedded. For example, you may have software that needs a configuration file, and that
\nconfiguration file may hold the credential to something. They’re going to know this. They’re going to
\nlook for it or they’re going to say you’re using this piece of software, look at that software and see if it
\ncontains this in the online documentation.
\n[00:22:48.420] – Bryan Murphy
\nThis is part of that living off the land and finding what they have access to. It’s really important that
\nwe make sure we remove those credentials from our scripts, from our applications, config files and
\nplaces where they live. It’s not just enough to encrypt them. Encrypting helps so they can’t see the
\npassword in clear text, but it’s just an extra step. The idea here is not to minimize the extra step, the
\nidea here is to have so many steps in the process that our threat actor or attackers here, let’s say, give
\nup or can’t get any further in the environment. Not give up that they don’t get what they want, they give
\nup because we detect. They give up because we found they were on our network.
\n[00:23:37.250] – Bryan Murphy
\nThis is really the goal. The goal is not to say don’t encrypt. The goal is not to say don’t have
\ncredentials in your scripts. If you have it hard coded in there, that’s making the path easier for them to
\nretrieve the credential, this is why CyberArk recommends using our solution and our capabilities to
\nremove those embedded credentials because it adds a step in the process, making you more secure.
\n[00:24:03.270] – David Puner
\nThey rotate the embedded credential, but do you see customers doing that?
\n[00:24:10.390] – Bryan Murphy
\nWe don’t, and I’m glad you brought this up, David. You reminded me of a great point, which is
\ncustomers should take their service accounts and, forget about all the automation we can put in place
\nfor a moment and do this. They should at least rotate their credentials once. Please don’t go in your
\norganization and rotate them all at the same time. We should methodically do this one by one.
\n[00:24:34.970] – David Puner
\nWhat happens if you do try to do it all at the same time?
\n[00:24:38.930] – Bryan Murphy
\nYou may inadvertently take down applications you weren’t aware of. We’ve seen this firsthand from
\ncustomers where they’ll use CyberArk, they’ll bring in service accounts and they just say password
\nchange. Next thing you know, there’s five, 10 P1 tickets that applications are down. A lot of times it’s
\nbecause the developer had access to a credential. They went ahead and built application A, but now
\nthey took over application B, they needed the same access. They leveraged the same credential, but
\nnobody else knew that they did this, the application just worked.
\n[00:25:15.510] – Bryan Murphy
\nWhat I hear from all of our customers at CyberArk is, \u00ab\u00a0How do I discover where my service accounts
\nare used at?\u00a0\u00bb We have detection tools, there’s tools out there to detect a lot of places it’s used, but we
\ncan only detect the places we know. It becomes very tricky when they embed it into an executable,
\nthey put it into a script somewhere that you’re not scanning for and looking for the password field, or
\nthey call it in a very unfamiliar way, for how the credential is embedded. If you just do that manual
\nrotation once, what happens is, let’s say you think it works for one application, you go to rotate the
\ncredential for that one application, you schedule the change and you take down 10. All of a sudden
\nwe’ve created this major P1 incident.
\n[00:26:02.090] – Bryan Murphy
\nWhat you can do is go back in and reset the credential back to what it was before. This goes on the
\nnotion, you know what the credential is ahead of time. Sometimes there’s cases where you don’t, but
\nthis helps minimize the damage because we can restore back quickly so we don’t have to touch and
\nfind every application. Now we know that when we change this one credential, it doesn’t impact one
\napplication, it impacts, in this example, 10. We can start to break those apart slowly through the
\nprocess, and that identification and inventory of what you have is very helpful, but it also helps from
\nthe security side by at least rotating those service confidentials once, to start to expire all the hashes
\nand everything that’s out there in the environment that the attackers would use to move laterally with
\nthose accounts.
\n[00:26:50.340] – David Puner
\nMoving on back to Cybersecurity Awareness Month. Your appearance on the podcast happens to
\ncoincide with Cybersecurity Awareness Month, as we mentioned at the top of the podcast, and that
\nseems apropos considering you live and breathe cyber awareness 365, 24\/7, or at least it seems like
\nyou do to us. What’s something simple you’re seeing that both cybersecurity professionals and
\nregular civilians might benefit from, as far as a little cyber hygiene brush up?
\n[00:27:19.990] – Bryan Murphy
\nI would say go look at your passwords. I think every one of us has a specific password that they like
\nto use or a combination of it in most of the things we do, and we have to set that first password or
\npasswords to generic sites that we go to. What I try to recommend people do is use a password
\nmanager solution. CyberArk has workforce password management as an example. Anything that’s
\nout there that can help you randomize those. Because what you have to assume is that when you put
\nthat password into a website, that website, that back end, you’re trusting will not be impacted,
\ncompromised in any way. Once you put the password into that tool, it’s out of your control, where it
\nlives at, it’s on the company or the website you’re working on’s control. So as you see recent breaches
\nwhere they compromise websites and different web applications that are out there, credentials are
\nbeing exposed.
\n[00:28:19.600] – Bryan Murphy
\nWhat I try to do is, I don’t want to say it’s impossible, it’s something I do, but a unique password for
\nevery single site you go to, it’s not for everyone. What I’ll say is I try to keep what I do for enjoyment,
\nsuch as looking at fantasy football, reading blog posts, those type of things, separate from what may
\nfinancially impact me. This is the line I draw between the two. I don’t use anything the same between
\nthe two of those because they’re held to different security standards on the back end, but for me, it’s
\nmore impactful if I lose money versus somebody is able to hack into my CNN account.
\n[00:29:04.770] – David Puner
\nWhat’s your advice for someone considering a role in cybersecurity?
\n[00:29:09.010] – Bryan Murphy
\nMy advice to those looking for the role is start following cybersecurity groups online. Start following
\nthe blog posts, start following the industry as to what’s happening first. That’s going to help tee up-
\n[00:29:25.100] – David Puner
\nLike the CyberArk blog, right?
\n[00:29:27.740] – Bryan Murphy
\nYes, this blog, exactly. That’d be perfect. Start here and start to understand the trends, start to
\nunderstand the mindset. I think that the hardest thing to do is to flip the mindset that we have as
\nsecurity practitioners. Once you start to do that, now you dip your toe into the certifications and
\nunderstand the concepts. I think one of the biggest challenges we have in cybersecurity is, you can’t
\nsecure something if you don’t know how it works. You can’t say this is how you have to secure it
\nwithout understanding how Windows or Linux or the web browser is working that you’re working
\nwithin. It requires a little bit of knowledge about the underlying system that you want to secure or the
\npassword or credential you want to secure.
\n[00:30:13.670] – Bryan Murphy
\nThen you can start to see ways to control that. You can read through the settings of the tool to see
\nwhat controls they offer. A lot of times some of them will say, this is good, this is better, this is best.
\nThis will help you to get that mindset and to figure out how to secure things further. Then beyond that,
\nyou want to start dipping into an IT role or position.
\n[00:30:38.130] – Bryan Murphy
\nAs you start in the IT side, you want to align with the security team. Now you’ll start seeing how
\ninternally the security team operates and functions and what controls they have, and that’s how you
\ncan start to make that move into security. It’s not to say you can’t find a security role out the gate, you
\nabsolutely can, but I really feel the balance is making sure you understand the tech before you go into
\nimplementing security controls on top of the tech.
\n[00:31:04.120] – David Puner
\nBryan, thanks so much for coming on the podcast. Appreciate it.
\n[00:31:07.880] – Bryan Murphy
\nDavid, thank you for having me.
\n[00:31:09.920] – David Puner
\nAppreciate it. Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If
\nyou have a question, comment, constructive comment preferably, but you know, it’s up to you, or an
\nepisode suggestion, please drop us an email at trustissues@cyberark.com. And make sure you’re
\nfollowing us wherever you listen to podcasts.<\/div>\n","protected":false},"featured_media":214341,"template":"","class_list":["post-143271","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\nEP 13 - Cyber Fundamentals: Where Things Fall Apart | CyberArk<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"EP 13 - Cyber Fundamentals: Where Things Fall Apart\" \/>\n<meta property=\"og:description\" content=\"Even when looking at layered enterprise solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. And that\u2019s what, on today’s episode, guest Bryan Murphy,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/\" \/>\n<meta property=\"og:site_name\" content=\"CyberArk\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/CyberArk\/\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-17T08:32:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1400\" \/>\n\t<meta property=\"og:image:height\" content=\"1400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@CyberArk\" \/>\n<meta name=\"twitter:label1\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data1\" content=\"28 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/\",\"url\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/\",\"name\":\"EP 13 - Cyber Fundamentals: Where Things Fall Apart | CyberArk\",\"isPartOf\":{\"@id\":\"https:\/\/www.cyberark.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg\",\"datePublished\":\"2022-10-11T14:59:00+00:00\",\"dateModified\":\"2026-04-17T08:32:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage\",\"url\":\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg\",\"contentUrl\":\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg\",\"width\":1400,\"height\":1400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.cyberark.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"EP 13 – Cyber Fundamentals: Where Things Fall Apart\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cyberark.com\/#website\",\"url\":\"https:\/\/www.cyberark.com\/\",\"name\":\"CyberArk\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.cyberark.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.cyberark.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.cyberark.com\/#organization\",\"name\":\"CyberArk Software\",\"url\":\"https:\/\/www.cyberark.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/www.cyberark.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/02\/cyberark-logo-dark.svg\",\"contentUrl\":\"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/02\/cyberark-logo-dark.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"CyberArk Software\"},\"image\":{\"@id\":\"https:\/\/www.cyberark.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/CyberArk\/\",\"https:\/\/x.com\/CyberArk\",\"https:\/\/www.linkedin.com\/company\/cyber-ark-software\/\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"EP 13 - Cyber Fundamentals: Where Things Fall Apart | CyberArk","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/","og_locale":"fr_FR","og_type":"article","og_title":"EP 13 - Cyber Fundamentals: Where Things Fall Apart","og_description":"Even when looking at layered enterprise solutions designed to thwart attacks and contain them, we must always go back to cybersecurity basics at the individual level. And that\u2019s what, on today’s episode, guest Bryan Murphy,...","og_url":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/","og_site_name":"CyberArk","article_publisher":"https:\/\/www.facebook.com\/CyberArk\/","article_modified_time":"2026-04-17T08:32:52+00:00","og_image":[{"width":1400,"height":1400,"url":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@CyberArk","twitter_misc":{"Dur\u00e9e de lecture estim\u00e9e":"28 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/","url":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/","name":"EP 13 - Cyber Fundamentals: Where Things Fall Apart | CyberArk","isPartOf":{"@id":"https:\/\/www.cyberark.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage"},"image":{"@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage"},"thumbnailUrl":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg","datePublished":"2022-10-11T14:59:00+00:00","dateModified":"2026-04-17T08:32:52+00:00","breadcrumb":{"@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#primaryimage","url":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg","contentUrl":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2022\/10\/cnR3b3JrLmpwZw-3.jpg","width":1400,"height":1400},{"@type":"BreadcrumbList","@id":"https:\/\/www.cyberark.com\/podcasts\/ep-13-cyber-fundamentals-where-things-fall-apart\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.cyberark.com\/"},{"@type":"ListItem","position":2,"name":"EP 13 – Cyber Fundamentals: Where Things Fall Apart"}]},{"@type":"WebSite","@id":"https:\/\/www.cyberark.com\/#website","url":"https:\/\/www.cyberark.com\/","name":"CyberArk","description":"","publisher":{"@id":"https:\/\/www.cyberark.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.cyberark.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/www.cyberark.com\/#organization","name":"CyberArk Software","url":"https:\/\/www.cyberark.com\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/www.cyberark.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/02\/cyberark-logo-dark.svg","contentUrl":"https:\/\/www.cyberark.com\/wp-content\/uploads\/2021\/02\/cyberark-logo-dark.svg","width":"1024","height":"1024","caption":"CyberArk Software"},"image":{"@id":"https:\/\/www.cyberark.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/CyberArk\/","https:\/\/x.com\/CyberArk","https:\/\/www.linkedin.com\/company\/cyber-ark-software\/"]}]}},"_links":{"self":[{"href":"https:\/\/www.cyberark.com\/fr\/wp-json\/wp\/v2\/podcast\/143271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cyberark.com\/fr\/wp-json\/wp\/v2\/podcast"}],"about":[{"href":"https:\/\/www.cyberark.com\/fr\/wp-json\/wp\/v2\/types\/podcast"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cyberark.com\/fr\/wp-json\/wp\/v2\/media\/214341"}],"wp:attachment":[{"href":"https:\/\/www.cyberark.com\/fr\/wp-json\/wp\/v2\/media?parent=143271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}