February 15, 2023
EP 21 – Back to the Cyber Future: Theresa Payton on Evolving Digital Threats (Part 1)
Since the earliest digital days, cyberattackers have targeted identities in their quests for riches, chaos and even revenge. So, what if we could hop into a flux capacitor-equipped DeLorean, hammer-down to 88 mph, and go back in time to better understand how yesterday’s threats influence today’s landscape – and what history can teach us about outpacing adversaries? Today, we do that – and a whole lot more – with a fantastic guest: Theresa Payton.
Payton is the first woman to have served as White House Chief Information Officer, a best-selling author and the founder and CEO of Fortalice Solutions. In part one of our talk, host David Puner and Payton cover a lot of ground: Payton highlights some of the major cybersecurity trends and threats during her time in the George W. Bush White House – from SQL injection attacks to emerging ransomware. She also reflects on technology’s role in expanding – and complicating – the attack surface, and offers innovative insights for defenders, drawing from her experience as a veteran cybercrime fighter.
As you’ll hear, it’s a great talk – so good that we’re releasing it in two installments. Be sure to check out part two of our conversation with Theresa Payton, which will release on March 1. You can make sure not to miss it by following Trust Issues – available on all major podcast platforms.
You’re listening to the Trust Issues Podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.
[00:00:23.520] – David Puner
Hello and welcome to another episode of Trust Issues. Today’s guest is someone we’re particularly excited to have on the podcast. She served as the Chief Information Officer in the George W. Bush White House. She’s a US patent holder. She founded two companies. She’s been a technology leader in banking and finance.
[00:00:42.600] – David Puner
Awards Magazine named her one of the top 50 women in tech in 2021. Business Insider named her to its top 50 cyber security leaders in 2020. Security Magazine’s named her one of its top 25 influential people in security, and that’s just naming a few accolades.
[00:01:00.920] – David Puner
She was a cyber security expert on the CBS show Hunted. Oh, yeah, she’s also a best-selling author. Her most recent book’s entitled “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth”. Her name, as you probably already know from whatever you clicked to get here is Theresa Payton. She’s CEO of Fortalice Solutions, a global cyber security and business intelligence consulting firm, which she also founded.
[00:01:28.500] – David Puner
You’ll also find her making TV guest appearances or hosting the CISO Minute Podcast. In full disclosure, she also sits on CyberArk’s board. We’re especially grateful she accepted our invitation to come onto the podcast.
[00:01:42.300] – David Puner
As you’ll hear, it’s a great talk, so good, in fact, that we’re releasing the conversation in two parts. Here’s the first installment of my talk with Theresa Payton.
[00:01:54.740] – David Puner
You served as a White House Chief Information Officer for the White House during the George W. Bush administration from 2006 to 2008. To dive right in, how does today’s threat landscape compare to the threat landscape when you were serving as CIO for the White House?
[00:02:12.740] – Theresa Payton
This is a great question. Just to put things in context, because I know people doing the math are thinking, “Gosh, that was so long ago. I’m not sure how that’s relevant to today’s conversation,” but it is. What’s interesting is what a time of technology transformation, both in the workplace but also in the consumerization of technology. It used to be, prior to 2004, that most people, the best internet access and the best device access they had was going into the office.
[00:02:44.650] – Theresa Payton
Then guess what happened in 2007? I was at the White House, 2006 to 2008. Apple released the first-ever iPhone. Think about this time frame where the first-ever iPhone is released, people are literally standing in line. BlackBerry, which really at the time was the superior product from an enterprise perspective, really didn’t see the threat. Use of social media was still in its early stages. Social engineering attacks at that time were fairly rudimentary unless they had some type of an insider or some type of a data dump or dumpster diving for paper information, things like that.
[00:03:29.140] – Theresa Payton
But in 2008, what’s interesting to me, it’s back to the future having this conversation, David, here were some of the major cybersecurity threats. Besides the nation-state things that I still really can’t talk about that we had to deal with and we had to face, some things are more obvious and known in the news media today, but in addition to that, 2008 was phishing scams and spam emails, botnets were sending distributed denial of service attacks and sending spam, malware was very quaint, it was typically built to steal somebody’s personal information and then try to log in their accounts, infect computers, and create botnets.
[00:04:15.380] – Theresa Payton
SQL injection attacks were very popular in that time frame, and they were actually typically made to attack websites, again, to get unauthorized access to sensitive information, either identity data, payment data, or maybe they would get lucky and they would get into the back office and there would actually be something there.
[00:04:36.800] – Theresa Payton
I guess we didn’t know at the time how good we had it, even though it was pretty bad what cybercriminals were doing. The syndicates themselves, the nation-states were operating at a different level, mainly focused on the defense industrial base and government organizations and companies with ties to government organizations. They weren’t going as much after small, medium, and large enterprises as they certainly do today.
[00:05:05.840] – Theresa Payton
Even things like ransomware, which were in their infancy at that point, you didn’t really have cryptocurrency, easy access, and things like that, so even ransomware, a lot of times, it was focused on computers and a network. It wasn’t really the big scale that it is today.
[00:05:24.850] – Theresa Payton
But what’s interesting to me in the back-to-the-future mode is phishing scams are still alive and well. Spam email, we can’t seem to get rid of it. Botnets are still used. Malware is still built to steal information and conduct other nefarious types of activities. The fact that SQL injection attacks still work, that is incredible to me.
[00:05:50.230] – David Puner
Back to the Future is an interesting comparison because I think when you watch that movie and you think of 1955 or whatever it is, it seems so quaint and simple, but then when you actually go back in time, you realize, guess what, things were just as complicated in a different way back then. At the time, did it seem overwhelming or did it seem manageable, at least compared to today? Or was it seemingly equally complicated?
[00:06:18.500] – Theresa Payton
We were going through these major technology transformation efforts. For example, we had major modernization going on, many of the projects we can’t talk about, but we were leveraging big data analytics and other tools, we were changing out processes.
[00:06:35.360] – Theresa Payton
One of the things I’m particularly proud of is we stood up the first ever 24 by 7 security operations center specifically for White House operations. Up until that point, we were borrowing from the National Security Council as part of that task force. That’s not really appropriate. We really needed our 100% focus on White House operations proper.
[00:06:59.360] – Theresa Payton
What’s interesting is because we were doing these major technology transformation efforts, doing a lot of very innovative and creative things, I really felt the pressure not to mess up. When you’re doing something that’s on that cutting edge, thinking differently, you have to ask, “What did you do wrong and how do I learn from your mistakes?”
[00:07:22.100] – Theresa Payton
You’re trying to figure out, “How do I do the best job I possibly can? Every moment and every day, I need to be a better version of myself than what I was the day before because I have to constantly be thinking about what are cybercriminals going to do next, and I certainly don’t want to be the first place they try a certain type of an attack.” So I definitely felt the pressure.
[00:07:46.540] – Theresa Payton
But what I will say is there was somewhat a layer of simplicity because I had 100% support from all of the executives at the White House. When I would go talk to them about, “I heard we want to implement this type of technology.” or “Some of the staff want to use their iPhones instead of their BlackBerrys right away.” or “They want their personal phone to have their White House work stuff on it.”, it was all so new.
[00:08:20.020] – Theresa Payton
I was able to say, “I’ve explored it, I’ve looked at it. These items I’m comfortable with, these items I am not comfortable with. This is what’s missing. It’s not going to be developed until this time period. Until then, I think we need to just test it in the lab.” I had 100% support on that. That always made me feel very confident that when I did my due diligence, if I said, “I’m comfortable, here’s the risk.” or “I’m uncomfortable because this is the risk.”, I felt the true weight of the support of the executive staff. That was incredibly helpful.
[00:08:58.060] – Theresa Payton
But the technology at the time, a lot of it did not consider what nation-states would do once they had access to the Internet. There was this constant battle of the arms race between us and cybercriminals, nation-states, hacktivists. There were groups of activists who weren’t delighted with all of the policies that came out of the administration. So you have to deal with that as well.
[00:09:28.100] – David Puner
It sounds like, we already talked about this a little bit with Back to the Future, but if you could have caught a glimpse of today’s cyber landscape back then, what would have surprised you most?
[00:09:38.400] – Theresa Payton
I love this question. I do predictions every year, so I’m always looking ahead at where technology is headed, what the futurists are saying, what the big companies say they’re investing in. I love to study human behavior and technology implementations. I typically have a pretty good handle on where things are headed because I’ve been so steeped in financial services industry before the White House, sadly, I know cybercrime profiles, so I typically have a pretty good handle on predicting them.
[00:10:10.560] – Theresa Payton
I got to tell you, the thing I would have never predicted is that insurance companies would encourage victims to pay ransom. I never ever would have predicted that. I didn’t see that coming. When it started, I remember the first time somebody told me, “The insurance company told us to pay the ransom, that it was going to be cheaper than recovery.” I said, “That sends a really bad message. It’s like paying the schoolyard bully your lunch money. They’re just going to come back tomorrow.”
[00:10:43.940] – Theresa Payton
I was a little taken aback. I had to be candid. When I looked in a crystal ball, I definitely saw a lot of the trends and patterns coming. That one, never saw it coming.
[00:10:54.900] – David Puner
How can organizations fight back against ransomware?
[00:10:58.480] – Theresa Payton
This is a tough one. I don’t care for victim shaming and blaming. I don’t think that’s appropriate. It’s odd to me that one of the crimes where when it happens, like a ransomware incident or even just data breaches in general, sometimes everybody’s first conclusion is, “What did the organization do wrong? Did they not take this seriously enough?” Or sometimes you’d hear people say, “Who should be fired?” I don’t like that.
[00:11:27.580] – Theresa Payton
Stepping away from the victim naming and blaming and saying that companies don’t take it serious enough, and that’s why ransomware is so bad, I think we have to look at it more in a bigger holistic sense.
[00:11:40.140] – Theresa Payton
A couple of things I would advise organizations to do is just assume one day you’re going to be facing a ransomware event of some kind. It may not look like how they execute them today, but this is around to stay. Ransomware is around to stay.
[00:11:58.520] – Theresa Payton
The first thing you can do, if you don’t have a lot of resources or a lot of support is take the example of some other organization who had it play out in the news media and just erase their name and insert your organization’s name. Just ask key people around the table, “What would we do? How do we get to the answer of not having to pay?”
[00:12:23.900] – Theresa Payton
A lot of times people focus on encrypted, air-gapped backups, and that is excellent, a protocol for being able to access those backups so it’s not the bad guys accessing them and locking them up. Just assume at that point if it’s already too late when you figured it out and they took your data, what have you done to render the data absolutely useless to them?
[00:12:51.810] – Theresa Payton
They could be like, “We took terabytes and exabytes or gigabytes or whatever of your data.”, and you could say to the public, “The way our data architecture works is we tokenize access, we anonymize our customer data, and we encrypt our data. So chances are it’s rendered useless. Even if they can de-encrypt some of the data, it’ll be fragments of data and virtually unusable.” I don’t think enough companies think through that strategy.
[00:13:27.560] – Theresa Payton
I would say the other thing to think through is a lot of the solutions that you provide at CyberArk because if you do continuous authentication, authorization, continuous monitoring instead of just like, “Hey, you signed in. Good. You passed the bouncer at the door and have a good time once you’re in. Make good choices.”
[00:13:53.250] – Theresa Payton
How do you know? How do you know you didn’t have a session hijacked? How do you know beyond that if there’s anomalous behavior unless you’ve got this continuous requirement for authorizing and access controls? It shouldn’t be one login all day long, forever and ever and ever, lets you access anything you want.
[00:14:15.780] – Theresa Payton
That segmentation, continuous authorization, continuous monitoring, looking for anomalous behaviors, those are easier said than done, which is why I often tell people, “If you’re not sure where to start and you have limited time, limited resources, limited budget, limited support, start with the playbook, then go to what are we doing with our data, assume compromise. It could be ransomware, extortionware, could be something else. How do we render the data absolutely useless? Then how do we make sure we don’t have unauthorized access?” Those are all very complicated things to do.
[00:14:47.520] – Theresa Payton
A lot of times I’ll hear lawyers or the courts or the Hill or the media, and everybody means well. But they’ll ask these questions about, “Why does this keep happening? Don’t businesses take this seriously enough? Why isn’t the technology team doing more?”
[00:15:04.410] – Theresa Payton
It’s like, “Have you ever visited the technology team? Do you know what’s on their plate? Do you know how hard this is? Do you know how serious this is to them?” They can be the best, the absolute best at thinking about risk and compliance and security and privacy and still be a victim of a crime. So we got to stop having that narrative. Instead, let’s just assume we’re all going to get hit.
[00:15:28.620] – Theresa Payton
What are we going to do to make sure that when they get it, it’s like decoy data or it’s bad data, or maybe they got good data, but they’re not actually able to use it?
[00:15:40.960] – David Puner
Theresa, what does it take to render data useless?
[00:15:44.120] – Theresa Payton
It’s really a data governance and data classification strategy. First of all, “What are your digital assets? Who creates them? How are they created? How are they stored? Who has legitimate access to them?” That’s not always people, sometimes it’s systems. It’s not always you, sometimes it’s your third-party vendors. It’s really understanding your data architecture and your data governance structure.
[00:16:08.740] – Theresa Payton
Then, once you sit down and actually do your human user stories, “How do customers interact with us? How do our employees interact with data? How do our third-party vendors play a role?” And actually, write up those human user stories. That’s where you understand the access points to data and whether or not those access points are through APIs.
[00:16:32.860] – Theresa Payton
Are you feeding something to a third-party marketing campaign when your customer is visiting your site because you want to do customer listening? When they’re storing data and accessing data, who’s accessing it? Then that’s where you can find those moments in that data architecture around classification and handling because you can’t treat every element of data. Everything is a super secret, highly sensitive piece of data. You’ll never get the work done and it won’t be seamless and elegant and it’ll be way too clunky for your customers. They’ll leave you.
[00:17:07.320] – Theresa Payton
Understand your data classification. For example, data classification at the highest level could be, this is very sensitive confidential business information, it could be intellectual property, due diligence on a merger and acquisition, or some type of a divestiture.
[00:17:23.000] – Theresa Payton
Another highly regarded classification could be things that all of your regulators tell you is basically a regulatory fine if you don’t handle the data the right way. Whatever that is, could be credit card data, could be email addresses. Only you know which regulatory bodies have jurisdiction over you and your data.
[00:17:45.860] – Theresa Payton
Once you understand that, that’s when you start rendering those particular classifications of assets useless. Figuring out, “Do we always have to give all of the information when it’s requested? Or can we actually tokenize the authorization and the access control so I will give you a piece of data and then I will stop until there’s authorization and access controls passed again? When I send you the data, do I only send you what you need? Is it encrypted at the highest level encryption in motion at rest when it’s duplicated, when it’s created in a backup for resiliency purposes?” You could just focus on those top-most critical classifications of assets.
[00:18:36.960] – Theresa Payton
In the event there is a data breach or an insider threat compromise or an extortionware, ransomware event, you can then say, “What did they take?” Here’s how we know we treat that data. Therefore, assuming everything’s configured properly and working correctly, we should be okay. You can test that. Once you’ve set that up, you can simulate a compromise and then see whether or not your ethical hacking team, your red teamers, can do anything with the data.
[00:19:08.220] – David Puner
Really interesting. To keep with ransomware for another minute or two and attack methods, COVID-19 obviously changed everything about the way people work. Many government workers went home and some of them became long-time remote workers. With distributed endpoints everywhere beyond traditional government IT networks, what trends or new ransom or attack methods are you seeing now?
[00:19:33.040] – Theresa Payton
Isn’t that the great thing about cybercriminals, their behavior, whether it’s a nation-state, a lone wolf, a cybercriminal syndicate? When we improve the kill chain and our resiliency and our recoverability, they don’t say, “Wow, this is really hard. I should give this up and be a good person and be a Park Ranger or bake pies for my neighbor.” They just up their A-game, too. They don’t go away. They don’t suddenly become good people not committing crimes.
[00:20:02.840] – Theresa Payton
In one sense, it’s almost as if we need to pat ourselves on the back because a lot of organizations have those encrypted backups stored out of band, can restore without paying, dealing with the fallout from data being dumped on the internet, if and when it’s dumped. So they are devising new tactics. We are seeing where the ransomware event does have a destructionware event coupled with it. That’s happening more often than it has in the past.
[00:20:42.720] – Theresa Payton
Basically, I gave you a sample of your data, I have your operating system, I’m deleting things. In some cases, organizations are finding it time consuming to restore from their backups. Now they’re stuck with, “Oh, my gosh, they’re actually deleting our data if we don’t move quickly, if we don’t pay. What are we going to do?”
[00:21:08.500] – Theresa Payton
We’re also seeing where they’re very, very particular about what they steal. It’s basically to publicly shame the organization into paying them, not to unlock their systems because the organization may be prepared to unlock their systems, but basically not to dump the full data block that they stole after they send them the sample. That could be internal comps, it could be documents, it could be a variety of different things that would be embarrassing.
[00:21:48.620] – Theresa Payton
After working on so many cases of trying to help them recover without paying or helping them deal with the fallout, I have to tell you, you are negotiating with a criminal and they’re not going to keep their word. Even if the one you negotiated with might personally keep their word as an individual, which is debatable, it’s so distributed and outsourced these days that somebody else in the organization may not honor their word.
[00:22:21.560] – Theresa Payton
It’s not like you’re dealing with a Nasdaq or New York Stock Exchange company that’s got a governance board and some level of a moral compass and ethics. It’s like, they give you their word, their word is worthless. Just remember, it’s a criminal. They broke into your systems. They didn’t deserve to be there. They took data that doesn’t belong to them. They broke the law by stealing that data. Why would you trust them that if you pay them off, they’re not going to dump your data? I think those are all things that people need to be aware of that we’re seeing happen.
[00:22:54.580] – Theresa Payton
I actually have a prediction that in 2024, the better that we get at shutting down ransomware certificates on systems and data, that they will actually go to a different place in the kill chain. Ransomware will pivot to the Internet of Things devices, the access control cards, thermostats, TVs, you name it, and basically hold them for ransom.
[00:23:21.230] – David Puner
You’re talking about things that are smaller than critical infrastructure itself, things that are critical to individuals’ everyday lives.
[00:23:29.140] – Theresa Payton
Yeah. I mean, the plethora of not just Internet of Things because people say, “Wow.” We need to make sure that anything that is control access cards or retina scans or building access. If you’re watching the statistics of technology transformation, the amount of service robots that are doing cleaning now, for example, delivering mail, delivering your food… I see in some cities service robots that are delivering mail between county buildings.
[00:24:00.580] – Theresa Payton
These are all helpful. Of course, we don’t want to get rid of them, but each one of these is a point of presence for a cybercriminal to hijack and then create mayhem.
[00:24:14.500] – Theresa Payton
Maybe the one that’s delivering the mail isn’t the biggest thing everybody’s worried about, but there is this opportunity for ransomware to pivot and truly go after physical spaces, whereas right now, it’s been fairly confined around critical infrastructure systems, data, maybe even things like SCADA. But it’s going to pivot and it’s going to pivot to the physical spaces, which are now basically physical buildings controlled by computers.
[00:24:57.290] – David Puner
There you have it. Part One of my conversation with Theresa Payton. Stay tuned for Part Two with Theresa, which will release two weeks from today on March 1st, or as they call it in the biz, the first day of the last month of Q1. Thanks for listening.