Our special guest for episode 322 of the award-winning EDGE of the Web podcast was Arlie Hartman, Chief Information Security Officer at BraunAbility. Site Strategics CEO Erin Sparks spoke with Arlie about how companies can protect their customers and themselves in the brave new digital world of the 21st century. Here’s what we learned:
Arlie Hartman: His Background and Experience
Arlie Hartman has been an IT Security Specialist, a Senior Security Officer, a Security Operations Manager, Head of Information Assurance, Cloud Information Security Officer, and is currently the Chief Information Security Officer and Director of Information Security at BraunAbility.
Arlie spent several years in the Marines, where you learn a lot about how to make sure things are fortified and secure in the physical, kinetic space. He also picked up a little bit of IT along the way. He came back to Indianapolis, started working for a couple of IT shops, got his associate’s degree, and then transitioned fully into IT and then security. Arlie likes tearing things apart and figuring out how they work. Curiosity about the way systems, people and processes work, and about how organizations are built, serves him well in information security, and it’s a career that challenges him to keep up and learn as he goes. At its core, the job is about managing risk, both system risk and information risk, for an organization, and then working with the folks who run IT systems to make sure they understand the domain they’re in and the hazards they face. That matters because the risks aren’t always apparent to the IT folks or to the business-side folks. In this sense, Arlie often acts as a translator who gets everyone on the same page.
The Big Picture of Digital Security
When asked what the riskiest component in cybersecurity is, Arlie notes that it is a very loaded question. At the end of the day, there are only so many ways that systems can be tricked into doing things. The recent data breach at Capital One was an example of the “confused deputy” scenario: a woman used server-side request forgery (SSRF) to trick a proxy into making a request it normally shouldn’t make.
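The confused-deputy problem above is that a proxy fetches whatever URL it is handed, including addresses on its own internal network. As an added illustration that is not from the podcast or from any Capital One material, this check (hypothetical allowlist and constructed DNS answers) shows the defensive rule: validate the scheme, the host and every resolved address before a proxy fetches on a user's behalf.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this proxy may fetch on a user's behalf.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed DNS answers so the example runs offline; production code would
# pass dns_resolve below as the resolver instead.
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],    # sample routable public address
    "cdn.example.com": ["169.254.169.254"],  # sample link-local: a name pointed inward
}

def dns_resolve(host):
    """Real resolver: every address the name maps to (a name may have several)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_safe_target(url, resolver=CONSTRUCTED_DNS.get):
    """Allow the proxy to fetch `url` only if the scheme is http(s), the host is
    on the allowlist, and every address it resolves to is globally routable.
    Checking the resolved addresses, not just the hostname, is what stops the
    proxy from being pointed at loopback, private or link-local services.
    Caveat: the fetch must connect to these same addresses; a name whose answer
    changes between check and fetch (DNS rebinding) would otherwise slip past."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    addrs = resolver(host) or []
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)

if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",   # allowed, public address
              "https://cdn.example.com/logo.png",   # allowlisted name, but resolves inward
              "http://10.0.0.5/admin",              # not on the allowlist
              "http://api.example.com@127.0.0.1/"): # userinfo trick: real host is 127.0.0.1
        print(f"{u:40} -> {'fetch' if is_safe_target(u) else 'refuse'}")
```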
Any company that makes its systems available online in order to serve people faces risk. Arlie’s company, BraunAbility, makes vans for people with disabilities, and it wants to make sure customers can always interact with its systems to get what they need, which is all about system availability. The security industry speaks of the security triad: confidentiality, integrity, and availability. These three aspects bump up against each other. You want to maintain the integrity of the data (two plus two will always equal four), you want to keep it secret, but you also want it available to those who need to see it. Achieving that balance is tricky: raising availability can lower both integrity and confidentiality, raising confidentiality can force availability down, and so on.
Verizon publishes an annual Data Breach Investigations Report (DBIR) where it looks at what kinds of attacks are happening in different industries and how they work. Webmail and email are still chief avenues for getting malware into companies.
There’s also a lot of pretexting going on, which can go something like this: the hacker contacts the company several times and in several ways (phone, fax, email) with a special offer for, say, insect extermination. The hacker then shows up at the company in full exterminator getup, cheerfully announcing they’ve arrived to spray the data center, carrying a work order signed off by someone in the company (forged, of course). Enough pretexting makes the person at the company think it must be legitimate, and the hacker is granted free access to the data center.
Company email becomes a channel for other scams. A hacker strikes up an email conversation with employee A, then with employee B, and after enough back and forth the hacker emails employee B posing as employee A and gets employee B to pay a “vendor” by wire transfer, where the vendor’s account is really the hacker’s bank account. Eventually employee B mentions to employee A that they took care of the payment, at which point employee A asks: what payment?
There are many, many different ways for hackers to trick their way into getting companies to give them access to systems or to trick companies into doing things that aren’t legitimate.
The Ongoing Issue of Passwords
Where should a person store their computer password? Interestingly, there are those who say on a piece of paper under your keyboard is a better option than having it stored anywhere on the Internet. Do you trust the security of the Internet more than the locks on your own home? But if the locks on your smart home are connected to the Internet…
Each decision you make about passwords is a decision about risk. If the choice is between writing down five different passwords and putting them under your keyboard versus using the same username and password on five different sites, go ahead and use your keyboard. Some things have been debated since the beginning, such as password complexity versus password length. Arlie prefers length over complexity every time, and NIST would agree. It’s also better not to use the same password everywhere. If you need a password tool like LastPass or RoboForm, something that helps you create unique passwords and stores them for you each time, you should probably use it. But you’ll have to remember the password for the tool.
Passwords continue to be a challenge. Arlie recommends using multifactor authentication anytime you can. Very few people are doing SIM card swaps to get at security information; it’s possible but rare, which is why multifactor authentication is better than the standard username/password combination alone.
Speaking of passwords, people still choose the dumbest ones. Here in 2019, the most common passwords are the following:
- Password one
Passphrases are good. This is where length over complexity comes into play in a good way. Come up with a 15-character passphrase you can remember and don’t reuse it over and over again. That’s the one passphrase Arlie would put on a password manager, and then let the manager generate pseudorandom gibberish 15 to 20 characters long for each of your other passwords. All the better.
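To put numbers behind the length-over-complexity argument, the added example below (not from the podcast) computes the entropy of the policies just discussed and generates a manager-style random password and a word-based passphrase with Python's CSPRNG. The word list is a constructed stand-in; the figures assume every symbol is chosen uniformly at random, which a human-picked phrase is not.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase                                     # 26 symbols
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 printable symbols
# Constructed stand-in word list. A real diceware-style list has 7776 words,
# which is the size used for the passphrase figure in compare_policies().
WORDS = ["amber", "canyon", "drift", "ember", "falcon", "granite", "harbor", "juniper"]

def entropy_bits(pool_size, length):
    """Entropy of a secret of `length` symbols, each drawn uniformly from
    `pool_size` possibilities: length * log2(pool_size). Length multiplies,
    a bigger symbol set only adds a little per symbol, which is the point."""
    return length * math.log2(pool_size)

def random_password(length=20, alphabet=FULL):
    """What a password manager does: uniformly random symbols from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def passphrase(n_words=4, words=WORDS, sep="-"):
    """A memorable passphrase of n random words (use a large list in practice;
    with this 8-word constructed list it is only 3 bits per word)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def compare_policies():
    """Bits of entropy for the policies discussed: a short 'complex' password
    versus longer, simpler secrets. Returns {policy name: bits}."""
    return {
        "8 chars, full 94-symbol set": entropy_bits(len(FULL), 8),
        "15 lowercase letters": entropy_bits(len(LOWER), 15),
        "20 chars from a manager": entropy_bits(len(FULL), 20),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
    }

if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:32} {bits:5.1f} bits")
    print("manager password:", random_password())
    print("passphrase:", passphrase())
```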
What About VPNs?
VPN stands for virtual private network. It creates a tunnel, if you will, over the normal everyday internet: a direct connection between your computer and another server, which then proxies your connection to whatever websites you visit. In terms of online browsing, it covers your tracks.
A lot of the web today uses TLS; the little lock in the browser represents the SSL/TLS connection that encrypts traffic between your endpoint and the web service. Even so, a lot can still be gleaned from that traffic: an observer can still determine that Jacob went to Facebook. They can’t tell exactly what he typed into the password field, but there are ways he could be tricked. The VPN adds another layer of encapsulation so that observer can’t tell where you’re going. The rub is understanding who you’re signing a contract with in order to get that VPN. There’s been speculation that the majority of VPN providers are actually shell companies for intelligence agencies collecting data about you. Who do you trust more, the CIA or America Online? Arlie runs his own VPN server in AWS and controls the logs on it. Obfuscating your traffic is a good idea; just understand that, as with your password manager, you have to be a little bit worried about the VPN service provider, or run your own. As a consumer, you do have a responsibility to know what you’re getting into, so do your homework and read the “terms and conditions” most people just agree to without reading.
Connect with Arlie Hartman and BraunAbility
Twitter: @BraunAbility (https://twitter.com/BraunAbility)
Facebook: @braunability (https://www.facebook.com/braunability)
Instagram: @braunability (https://www.instagram.com/braunability)