From the CUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.
Everyone, welcome to this special CUBE Conversation. We're here in the Palo Alto Studios, or I am here, during this critical time during the coronavirus and this work-at-home current situation across the United States and around the world. We've got a great interview here today around cybersecurity and the threats that are out there, the threats that are changing as a result of the current situation. We've got two great guests, Derek Manky, Chief Security Insights and Global Threat Alliances at FortiGuard Labs, and Renee Tarun, Deputy Chief Information Security Officer with Fortinet. Guys, thanks for remotely coming in. Obviously, we're working remotely. Thanks for joining me today on this really important conversation.
Thank you. Thanks for having us.
So Renee and Derek, Renee, I want to start with you as a deputy CISO, there's always been threats. Every day is a crazy day. But now more than ever, over the past 30 to 45 days, we've seen a surge in activity with remote workers, everyone's working at home. It's disrupting families' lives, how people do business, and also they're connected to the internet. So it's an endpoint, it's a hackable environment. We've had different conversations with you guys about this, but now more than ever, it's an at-scale problem. What is the impact of the current situation for that problem statement of we're working at home, at scale, are there new threats? What's happening?
Yeah, I think you're seeing, some organizations have always traditionally had that work-at-home ability. But now what you're seeing is now entire workforces that are working home, and now some companies are scrambling to ensure that they have a secure work-at-home for teleworkers at scale. In addition, some organizations that never had a work-from-home practice are now being forced into that.
And so a lot of organizations are faced with the challenge that employees are now bringing their own device into connecting to their networks because employees can't be bringing their workstations home with them. And if they don't have a company laptop, they're forced using their own personal devices. And some of these personal devices are used by their kids, they're going out to gaming sites, they could be impacted with malware. So it creates a lot of different challenges from a security perspective that a lot of organizations aren't necessarily the base for us, not only from a security, but also from a scalability perspective.
You know, when I'm at home working and had to come in, I came into the studio to do this interview because I really wanted to talk to you guys, but when I'm at home this past couple of weeks, my kids are home, my daughter's watching Netflix, my son's gaming, multiplayer gaming, the surface area from a personnel standpoint or people standpoint is increased. My wife's working at home, my daughter's there, two daughters. So this is also now a social issue because there are more people on the Wi-Fi, there's more bandwidth being used, there's more fear. This has been an opportunity for the hackers, this crime of fear using the current situation. So is it changing how you guys are recommending people protect themselves at home or is it just accelerating a core problem that you've seen before?
Yeah, so I think it's not changing. It's changing in terms of priority. I mean, all the things that we've talked about before just becoming much more critical, I think at this point in time. If you look at any histories that we've, lessons we've learned from the past or haven't learned, that's something that is just front and center right now. I mean, we've seen attack campaigns on any high-level news, anything that's been front and center and we've seen successful attack campaigns in the past.
Going to any sort of high-profile events, we had Olympic Destroyer last year, or sorry, last Olympic period when we had them in Korea as an example in South Korea, we've seen going, I could go back 10 years plus and give like a history timeline every single year, there's been something dominating the news and there's been attack campaigns that have leveraged on that. Obviously this is a much higher focus now given the global news domination that's happening with COVID, the heightened fear and anxiety. Just the other day, FortiGuard Labs, we pulled up over 600 different phishing emails and scam attempts for COVID-19. We're actively poring through those. I expect that number to increase. Everybody is trying to hop on this bandwagon. I was just talking to our teams in the labs today, groups that we haven't seen active since about 2011, 2012, malware campaign authors, they're riding this bandwagon right now as well. So it's really a suction, if you will, for these cyber criminals. So all the things that we recommend in the past, obviously being vigilant, looking at those links coming in. Obviously there's a lot of impersonators, there's a lot of spoofing out there, people pretending to be the World Health Organization that we wrote a blog on this a couple of weeks back. It's really, people have to have this zero trust mentality coming in. It was everyone trying to ride on this, especially on social networks, on emails, even phishing and voice phishing, so the voice phishing. You really have to put more, people have to put more of a safeguard up, not only for their personal health, like everyone's doing the social distancing, but also virtual social distancing when it comes to really trusting who's trying to send you these links.
Well, I'm glad you guys have the FortiGuard Labs there. And I think folks watching should check it out and keep sending us that data. I think watching the data is critical, everyone's watching the data, they want the real data.
You brought up a good point, Renee. I want to get your thoughts on this because the at-scale thing really gets my attention because there's more people at home, as I mentioned, from a social construct standpoint. Work at home is opening up new challenges for companies that haven't been prepared. Even the ones that are prepared have now an at-scale. So you have a spectrum of challenges. The social engineering is the big thing on phishing. You're seeing all kinds of heightened awareness. It is a crime of opportunity for hackers, like Derek just pointed out. What's your advice? What's your vision of what's happening? How do you see it evolving? And what can people do to protect themselves? What's the key threats? And what steps are people taking?
Yeah, I think, like Derek said, kind of similar how in the physical world, we're washing our hands, we're keeping six feet away from people, we kind of keep a distance from our adversaries as well. Again, when you're looking at your emails and ensuring that you're only opening attachments from people that you know, hovering over the links to ensure that they are from legitimate sources and being mindful that when you're seeing these type of attacks coming in, whether they are coming through your emails, through your phones, take a moment and pause and think about, would someone be contacting me through my cell phone, through sending me a text message or emails asking me for personal information, asking me for user IDs and passwords, credential information? So you kind of need to take that second and really think before you start taking actions and similar to opening attachments. We've seen in a lot of cases where someone attaches a PDF file to an email, but when you open up the PDF, it's actually malware. So you need to be careful and think to yourself, was I expecting this attachment? Do I know the person and take steps to actually follow up and call that person directly and say, hey, did you really send this to me?
Is this legitimate?
Yeah, gotta be careful what you're opening up, which links you click on. But while I got you here, I want to get your opinion on this because there's digital attacks and then there's phone-based attacks. We all have mobile phones. I know this might be a little bit too elementary, but I want to get it out there. Can you define the difference between phishing and spear phishing for the folks that are trying to understand the difference in phishing and spear phishing techniques?
Yeah, the main difference is spear phishing is really targeting a specific individual or within a specific role within a company. For example, targeting the CEO or the CFO. So those are attacks that are specifically targeting a specific individual or specific role. Where phishing emails are targeting just mass people, regardless of their roles and responsibilities.
So I'm reading the blog post that you guys put out which I think everyone, I'll put the link on SiliconANGLE later, but it's on Fortinet.com. Under digital attacks, you've got the phishing and spear phishing, which is general targeting email or individually spearing someone specifically. But you guys list social media deception, pretexting and waterholing as the key areas. Is that just based on statistics or just the techniques that people are using? And can you guys comment on, react to those different techniques?
Yeah, so I think with the, so the waterholing specifically as well, the waterholing attack refers to people that are every day as part of their routine going to some sort of usually a news source, it could be the favorite sites, social media, et cetera. Those sorts of sources, because it's expected for people to go and drink from a water bowl, are prime targets to these attackers. So those are mostly for, they can be definitely is for spear phishing, but also for the masses for these phishing campaigns. So those are more effective, attackers like to cast a wide net. And it's especially effective.
If you think of the climate that's happening right now, like you said earlier at the start of this conversation, that expanded attack surface and also the usage of bandwidth and more platforms and applications. There's more traffic going to the sites and people have more time at home through telework, you'll be able to virtually go to these sites. And so yeah, usually what we see in these waterholing attacks can be definitely phishing sites that are set up on these pages because they might have been compromised though. So this is something even for people who are hosting these websites, right? There's always two sides of the coin to security of your client-side security and your server-side security.
So spear phishing is targeting an individual, waterholing is the net that gets a lot of people and then they go from there. Can you guys, Renee or Derek, talk about social media deception and pretexting. These are other techniques as well that are popular. Can you guys comment and define those?
Yeah, I mean, so some of the pretexting that you're seeing is, what's happening is adversaries are either sending texts, trying to get people to click on links, go to malicious sites. And they're also going, setting up these fabricated stories and they're trying to call, acting like they're a legitimate source. And again, trying to use tactics and a lot of times scare tactics, trying to get people to divulge information, personal information, credit card numbers, social security numbers, user IDs and passwords to gain access. To either find-
So misinformation campaigns would be an example of that. Like I got a COVID virus vaccine, put your credit card down now and get on the mailing list. Is that kind of the general gist there?
Absolutely.
Okay.
And we've also seen as another example, and this was in one of our blogs, I think about a couple of weeks ago, some of the first waves of these attacks that we saw was also again, impersonating to be the World Health Organization as part of pretexting, saying that there's important alerts and updates that these readers must read in their regions, but they're of course malicious documents that are attached.
Yeah, I mean, how do people just get educated on this? This is really challenging because if you're a nerd like us, you can know what a URL looks like and you can tell it's a host's name. It's not real. But when they're embedded in these social networks is how do you know? What's the big challenge? Just education and kind of awareness?
Yeah, so I'll just jump in quickly on that for you. From my point of view, it's the whole ecosystem, right? So it's not just one silver bullet. Education, cyber hygiene for sure. But beyond that, obviously this is where the security solutions step in. So having that layered defense, right? That goes a long way of everything from anti-spam to anti-virus, to the scandals, malicious attachments, endpoint security, especially now in the tele-workforce that we're dealing with, having managed endpoint security from a distributed enterprise angle is very important because all of these workstations that were within the corporate network before are now roaming from home. So it's a multi-pronged approach really. But education is, of course, a very good line of defense for our employees. And I think updated education on a weekly basis.
Okay, before we get to the remote action steps, because I think the remote workers at scale is like the critical problem that we're seeing now. I want to just close out this attack, social engineering thing. There's also phone-based attacks. We all have mobile phones, right? So we use our smartphones. There's other techniques in that. What are the techniques for the phone-based attacks?
Yeah, a lot of times you'll see adversaries, they're spoofing other phones. So what happens is that when you receive a call or a text, it looks like it's coming from a number in your local area. So a lot of times, that gives you a false sense of security thinking that it is a legitimate call when in reality, they're simply just spoofing the number. And it's really coming from somewhere else in the country or somewhere else in the world.
So I get a call from Apple support and it's not Apple support, they don't have a callback. That's spoofing.
That's one way, but also the number itself. When you see the number coming in, for example, I'm in the 410 area code. Email's coming in from my area code with my exchange is another example where it looks like, it's someone that's either a close friend or someone within my community or someone in reality, if it's not.
And at the end of the day too, the biggest red flags for these attacks are unsolicited information, right? If they're asking for any information, always treat that as a red flag. We've seen this in the past, just as an example with call centers, hotels too, hackers have had access right to the switchboards to call guest rooms and say that there's a problem at the front desk and they just want to register the user's information and they ask for credit card, guest information to confirm those sorts of things. So again, any time information is asked for, always think twice, try to verify. Callback numbers are a great thing. Same thing with social media, if someone's messaging you, right? Try to engage in that dialect conversation, verify their identity.
So you got-
That's also another good example of social media is another form of social engineering attacks is where people are creating great profiles and say, for example, LinkedIn and they're acting like either someone from your company or a former colleague or friend as another way to try and make that human connection in order to do malicious things.
Well, we've discussed with you guys in the past around LinkedIn as a feeding ground for spear phishing because, hey, don't tell your boss but here's a PDF resume job opening, paying huge salary, you're qualified. Of course I'm going to look at it, right? So a lot of that goes on. I see that happen a lot. I want to get your thoughts, Renee, on the vishing and phishing. There, the smishing is the legitimate source spoofing and vishing is the cloaking or spoofing, right?
Yeah, smishing is really the text-based attacks that you're seeing through your phone. Vishing is using more of a combination of someone that is using a phone-based attack but also creating a fake profile, creating a persona, fabricated story that's ultimately fake but believable and to try and encourage you to provide, you know, information, you know, sensitive information.
Well, I really appreciate you guys coming on and talking about the attackers trying to take advantage of the current situation. The remote workers, again, this is the big at-scale thing. What are the steps that people can take, companies can take to protect themselves from the at-scale remote worker situation? It could be going on for quite some time now.
Yeah, so again, at scale with people in this new normal, as we call it, teleworking, you know, being at scale is, everyone has to do their part. So I would recommend A, from an IT standpoint, I'm keeping all employees virtually in the loop so weekly updates from security teams. The cyber hygiene practice, especially patch management is critically important too, right, you have a lot of these other devices connected to networks, like you said, you know, IoT devices, all these things that are all prime attack targets. So keeping all the things that we've talked about before, like patch management, the vigilance on that from an end user perspective, I think, especially putting it to the employees that they have to be aware that they are highly at risk for this.
And, you know, I think there has to be, we talked about changes earlier in terms of mentality, education, cyber hygiene, that doesn't change. But I think the way that this is enforced now, that starts to change, right? That's a big focus point, especially from an IT security standpoint.
Well, Derek, keep those stats coming into us. We are very interested. You got the insights, you're the chief of the insights and the global threat. You guys do a great job at FortiGuard Labs. That's phenomenal. Renee, I'd like you to have the final word on the segment here and we can get back to our remote working and living. What is going on in the mind of the CISO right now? Because, again, a lot of people are concerned. They don't know how long it's going to last. Certainly we're now in a new normal. Whatever happens going forward as a post-pandemic world, what's going on in the mind of the CISO right now? What are they thinking? What are they planning for? What's going on?
Yeah, I think there's a lot of uncertainty. And I think, you know, the remote teleworking, again, making sure that, you know, employees have secure remote access that can scale. I think that's going to be on the forefront. But again, making sure that, you know, people connecting remotely, again, aren't introducing additional, you know, potential vulnerabilities into your network. And again, just keeping aware, working closely with the IT teams to ensure that, you know, we keep our workforces updated and trained and continue to be vigilant, you know, with our monitoring capabilities, as well as, you know, ensuring that, you know, we're prepared for, you know, potential attacks.
Well, I appreciate your insights, folks here. This is great, Renee and Derek. Thanks for coming on. We want to bring you back in when we should do a digital event here in the studio and get the data out there. People are interested. People are making changes.
Maybe this could be a good thing, make some lemonade out of the lemons that are on the industry right now. So thank you for taking the time to share what's going on in cyber and the cyber risks.
Thank you.
Thank you, we'll keep those stats coming.
Okay, CUBE Conversation here in Palo Alto with the remote guests. That's what we're doing now. We are working remotely with all of our CUBE interviews. Thanks for watching. I'm John Furrier, host of the CUBE.