Surviving Cybersecurity Disruption

Jonathan Goetsch

Click here to download the transcript PDF now.

Mark S A Smith: My guest today is Jonathan Goetsch, who is the CEO at USProTech, which is a leading-edge cybersecurity and software development company. I met Jonathan through LinkedIn, one of my favorite ways of finding new and bright people, and we had an extraordinary conversation about the future of cybersecurity, as well as what’s happening right now, and the massively disruptive nature of the attacks going on. If you don’t pay attention to cybersecurity, the probability is really high that your company may not survive. Welcome, Jonathan.

Jonathan Goetsch: Good morning, Mark, how are you?

Mark S A Smith: Glad to have you on the show. I want to start off by talking about something that happened to you very exciting. You met about cybersecurity in the White House. How did that go? What happened? What did you talk about?

Jonathan Goetsch: I met with several White House staff members, as well as a number of national legislatures, senators, and other representatives of our government. The agenda included a number of economic issues that are facing the country. I think some of them were relative to the new tax plan that was coming out.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: As well as, major issues facing the country. When we say security, we mean security that deals with national security from international sources, security from cyber related issues, and security internally. During that time, I was actually given the opportunity to stand and pose questions to a number of White House staff members about the state of cybersecurity in our country. I like to keep things close to home because when we talk about international cybersecurity, it becomes overwhelming understanding that we’re being attacked constantly from everywhere.

Mark S A Smith: Indeed.

Jonathan Goetsch: How does that impact us locally, as citizens, as Americans is what I’d like to address, so it opened up a nice dialogue with a couple of key White House individuals.

Mark S A Smith: What was the essence of the conversation around the state of cybersecurity that our listener might apply to their business?

Jonathan Goetsch: The initial conversations that I brought up were twofold. One was addressing the executive order of President Trump in May, which is 13800, the need for our country to address software as a predominant problem within the industry. Today, if you were to download even the latest version of CentOS to build a, let’s say a server for whatever reason or purpose you might need, you’d be downloading with it approximately 100 to 150 vulnerabilities …

Mark S A Smith: Wow.

Jonathan Goetsch: … already baked in. Some of those are not just, you know, the low-level areas of concern. We’re talking about number 10, red, high impact types of vulnerabilities.

Mark S A Smith: Wow.

Jonathan Goetsch: That’s on the systems today. People don’t even realize their need to address what the status of their software cybersecurity is and vulnerability is as they build their server. We talked about the need for private sector and public sector to work together. Then, lastly, we specifically addressed the Social Security individual problem because all of our identities have been stolen.

Mark S A Smith: Yeah.

Jonathan Goetsch: In light of that, we see breaches as large as the one with Equifax or …

Mark S A Smith: Right.

Jonathan Goetsch: … Yahoo or so on and so forth. We have to assume that our identities have been stolen.

Mark S A Smith: That’s right and we’ve got to do something about it, both for our own protection as a business person, as well as our personal protection. The thing I find interesting is the lack of concern that most people have about cybersecurity. They seem to just float along as if it doesn’t even exist, it’s not something they should worry about and yet, it’s extraordinarily pervasive and quite frankly, as you pointed out to me in a prior conversation, that you have a 100% success rate in penetrating every organization that you’ve been asked to examine. Everybody’s at risk. Everybody. Forget about our privacy. That’s already gone. Our IP is at risk. There are so many things that are at risk unless we pay attention to this and just ask a few different things.

In fact, in a conversation with a friend, he runs a hedge fund, and they almost had nearly a million dollars stolen from them by a man in the middle attack where somebody faked an email from their controller to somebody who was going to wire money. Fortunately, they stopped it because they scratched their head and say, “Wait a minute. We don’t wire money to a foreign bank.” There’s so many ways to do this. Share with me some of your insights and some of the ideas about what we have to pay attention to, to keep our assets safe.

Jonathan Goetsch: I will. I just want to make one clarifying statement that the 100% success ratio of breaking into every client that we’ve been hired to examine spans a 18-year timeframe, which means that we just haven’t been around doing this when it became popular a few years ago. The success ratio has been specifically targeted at web-based applications.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: Certain people think that, well, we have a firewall, so therefore we’re safe. I’m here to tell you that people that are interested in breaking into your network are not targeting your firewall. This is probably a very strong defensive appliance, but the problem with the appliance is that it too, ultimately, will be rendered vulnerable. If it’s not managed and maintained, then the software for it and its operating system become the actual point of vulnerability that attackers will eventually attack. We see here today everyone’s talking about next gen firewalls. Okay, that’s great, but it’s not to say that those won’t be rendered vulnerable just in the near future because all you need to know is their Mac address and ultimately what OS it’s running. You can go online and find very rapidly the type of tools and processes necessary to compromise those systems.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: Let’s not start where the big wall is. Let’s start where everybody doesn’t realize the most pervasive and common place to access anyone’s network is through any type of external IP address that has a web application or a [crosstalk 00:06:12] database. These are the areas that experts in our company target first and foremost as we’re going to attack and usurp and ultimately take over the command and control of our client’s network. Web applications and any forward-facing database that’s used for eCommerce are the most common places that we’re going to attack. These are susceptible because they’re running on defined hardware, they’re software defined networking capabilities are attached there. They are running multiple forms of software. I don’t know if it’s Apache or SQL or anything that you would use, but we just saw on the news in the last couple of days where whoops, anyone downloading updates for Adobe, well guess what? Adobe was hacked, the updates themselves, the patching, were actually compromised, …

Mark S A Smith: Wow.

Jonathan Goetsch: … and as you updated your Adobe, you were actually downloading vulnerabilities into your system, …

Mark S A Smith: Wow.

Jonathan Goetsch: … which the hackers were intending to exploit as soon as possible and have. This is all in the last couple of days. We’ve seen this going on for years and years, so I’m here to tell you that if you don’t have a means of monitoring and managing your software versions in real time, you are a target.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: There are products available that can solve that, but they’re very few and far between.

Mark S A Smith: That actually scares me a little more than I was before because I am …

Jonathan Goetsch: I’m sorry.

Mark S A Smith: … an Adobe software user. In fact, edit this show using Adobe Tools. Makes me wonder.

Jonathan Goetsch: Well, there’s a good update and a bad update. Unfortunately, it’s hard to discern the difference, but there are ways of doing that and the way you would have to do it, Mark, honestly is you’re just going to have to get something that can compare the version of software that you’re downloading, versus the one that’s vulnerable, versus the one that’s the patched. That’s all.

Mark S A Smith: I’ll be glad to do that with my Google search after we’re finished with this show. How can we keep ourselves safe if we need to monitor and manage as an organization? What has to be in place, and more importantly, why aren’t CIOs paying attention to this?

Jonathan Goetsch: We have our head in the sand in a lot of ways.

Mark S A Smith: We do.

Jonathan Goetsch: Ignoring …

Mark S A Smith: Listener, get your head out of the sand. This is a wake-up call.

Jonathan Goetsch: Exactly.

Mark S A Smith: I don’t want you to have a million dollars stolen and like, almost happened. I mean, literally, they were a button press away.

Jonathan Goetsch: We see this with our clients. I mean, we’re getting contacted on a weekly basis about another CEO scam or a wire transfer scam. Had CEOs hire us directly to go clean up the dark web information that exists about them because this is where the activity is going on where these people get the information, open up credit lines, open up credit cards, and even with your fraud protection, they’re usurping right to the bank and the bank is accepting the initial transaction of a penny or 10 pennies or whatever that is. Then, next thing you know, boom, the money’s gone. This a prevalent problem whether you’re using some sort of a credit monitoring or not, but you’ve got to pull your head out of the sand. Three things that I would point to potential solutions that any small business, medium business, or even enterprise can engage in to help solve this problem, number one thing is employee training.

Mark S A Smith: Yes.

Jonathan Goetsch: Employee training is lacking categorically throughout the entire United States. Most statistics that I see today with common phishing types of software that test a company, we’re seeing that even a company that has, this is a thousand plus employees or more, companies that do the phishing campaign are seeing over a 30% open rate of the email in an average of 78 seconds before the individual clicks on the link that has the malware embedded.

Mark S A Smith: Wow.

Jonathan Goetsch: It’s a terrible state of affairs and there are companies that are being funded by Goldman Sachs and other types of private equity firms and investment firms that have now got behind companies that do nothing but focus on security awareness training.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: I encourage all your listeners to seek out, I’ll give you an example of a particular company that we happen to like. It’s called KnowBe4, K-N-O-W-B-E number four. You’ll find that they have free training programs that you’re able to utilize within your company. Of course, they have paid for services as well. I mean, it’s not just a complete free service, but you’ll get a lot more comprehensive capability of training and it can be very specific and it can also be somewhat customized. I like the idea that you can track your employee’s ability to get through the training modules. You can identify who’s having challenges. You can even take those people and give them some additional training. We might see that over a course of time. You can identify individuals who perpetually click on inappropriate links …

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: … or are fooled by these phishing emails. This is one thing that I would say is a super important attribute and aspect of cybersecurity, which is identifying who the people that you need to train are and provide them with essentially the right training, so that’s number one block.

Mark S A Smith: I am 100% in agreement with that. Employee training is going to solve a lot of issues, but not all of them. What’s your second recommendation?

Jonathan Goetsch: Second recommendation is that once you pull your head out of the sand, you realize it is time for us to address it. Internally, you have to make some decisions. We have to be accountable and many companies are already mandated under federal regulatory law to have a security and a compliance risk officers who are managing these types of cybersecurity risk profile. What are they supposed to do? They’re supposed to, with regularity, be able to tell, let’s say, the board of directors through the CEO or somebody of the C-level suite, to say, “This is what our cybersecurity profile is from an outsider’s perspective.” They can only do that through some sort of vulnerability assessment.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: This is the very origin of USProTech. We date back to 2001 when we were doing vulnerability assessments for our first billion-dollar company.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: I remember we were very proudly parading through the office going we’ve achieved something, we’ve arrived at working with some of the most impressive companies in the country who are taking cybersecurity seriously. Unfortunately, what we found was sort of an incubation company, about four billion in IP, 80 companies participating in the incubation, and it was a flat network that was completely open, so you could understand that there was a lot of risk. They’re clients to this day. Amazing, right?

Jonathan Goetsch: What we’ve learned and what they learned is that doing the cybersecurity assessments needed to be more frequent. Today, the common problem is that people do it too infrequently. If you were to scan your network today, by tomorrow, it would be out of date. In fact, it would be out of date probably within 15 to 20 minutes in terms of software time, but realistically, how fast can you react? That becomes the question. You have to have a means of continual scanning …

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: … the evaluation that provides a trend analysis between what our snapshot was yesterday and what it was last week or …

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: … yesterday or 15 minutes ago until you get to the point where in real time you can measure that, which is one of the exciting things I want to talk about later in today’s call.

Mark S A Smith: Yes.

Jonathan Goetsch: You actually have to conduct vulnerability assessments and you don’t just want to go out and hire anybody. You want to make sure that it’s an established company and you want to make sure that these companies have credentials, not just a couple of guys in a garage that made some really cool software. It’s open source and all of the other problems that come along with that. What we recommend, rather, is that you look for a standard. Some people have adopted HIPAA or PCI. We operate under the NIST guidelines. NIST is the oldest, you know, government agencies that you have never heard about.

Mark S A Smith: That’s right.

Jonathan Goetsch: It was founded in 1902. It’s part of the Department of Commerce. It’s the National Institute for Standards and Technology.

Mark S A Smith: Located in Boulder, Colorado.

Jonathan Goetsch: It writes the framework.

Mark S A Smith: Yes, indeed. I’ve been there.

Jonathan Goetsch: It’s awesome. The point is, they write the framework for how government agencies can talk with each other and how government agencies can share information with private industry, whether they be prime contractors or otherwise and it’s a trickle-down effect. Take a standard and then adopt it. Follow those recommendations within that framework so that you’re doing regular vulnerability assessment and ultimately, part of that assessment is what people refer to as pen testing, which is really penetration testing. This is the service that our company is very well-known for, for many, many years because of our success record in penetrating those web applications and then showing what the corrective actions plans are to solve those. What is the difference between some penetration testing and other penetration testing? I think your listeners would really value the notes that I’m about to give them because a lot of pen testing happens remotely and it actually has to be done remotely because you can’t do it from inside of your office. That would be internal. We can talk about internal risk versus external risk, …

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: … but for the moment, let’s leave internal risk aside and let’s look at external risk.

Mark S A Smith: Yes.

Jonathan Goetsch: If our fear is from the outside, then we need to attack from outside, but most penetration testing are a group of hackers working from maybe a variety of different locations using their own tool chest of software programs that they use to knock on the door of your website and eCommerce site.

Mark S A Smith: Yes.

Jonathan Goetsch: When they knock on the door, they’re looking for the application to respond to it. To say, oh, I’ll open up some sort of a contextual box that you can write like notes, for example, get something to, you can hold sticky key down and all of a sudden, the note box will pop up. When the note box pops up, I can start to inject data into the system that will later respond to me. I’ve already made my first foot in the door to usurp your security on your web application and what did I do? I literally pushed my finger on a single key on my keyboard, sticky keys, and it opened up a text box. That’s all it took.

Mark S A Smith: Wow.

Jonathan Goetsch: It gets a lot more complicated than that, but I will tell you that the difference between most penetration testing companies that are servicing the community are very commonly working with multiple engineers from different locations, different tools, and you don’t know exactly what they did, which is why USProTech created a process very unique from a core, which is our, let’s say our data center. We have a stack and all of the applications that the engineers use log in with their encrypted credentials, virtual private network connections, use applications, imagine this, in an encrypted tunnel that allows us to track all ingress and egress of data as it goes from the data center, which is the attack vector, to the target. Now we can, for the first time, show a client exactly what it is that’s happening during a pen test. This is revolutionary and very disruptive in the world of penetration testing as it relates to cybersecurity.

Mark S A Smith: Indeed.

Jonathan Goetsch: Our customers are extremely elated. The get screen shots. We can run by minutes or half hours or seconds what’s happening on the screen shot. What tools are being used? What data’s being pushed? What’s being extracted? We want to know and customers and clients and your listeners should want to know, what is going on during this pen test? They might be the good guys, but did they take something?

One of the solutions that your listeners can glean from this conversation is there is a way to conduct vulnerability assessment and penetration testing that provides 100% transparency and documentation of the process. You just need to find the right vendor and they’re out there. I don’t want to say that we have exclusives on anything. What I want to tell you is that we have a process that customers love. The second part of that block is definitely assign your team members and do regular assessments.

Mark S A Smith: Makes total sense. We absolutely have to do it. I think the concept of being 100% transparent in the pen testing is a critical concept because if you don’t pick a trustable vendor, they can be the people that are hacking you and I can imagine there’s more than one organization out there that acts as a front to extract data that is used against somebody in the future.

Jonathan Goetsch: It sounds like the old KGB. Remember, you would travel to Russia and you would hire private security to keep you protected from the KGB. Only the contractors that you hired are actually KGB members. Right?

Mark S A Smith: Right.

Jonathan Goetsch: Well, there are many ethical hacking individuals and companies. I don’t want to smear an industry inappropriately. I want to tell you that there are literally thousands of ethically certified hackers doing this type of work. They’re not all bad guys, but they don’t all have processes that can provide you the transparency. I recommend to your listeners that they look for and seek out a company or a contractor that they currently work with to show them that they can bring transparency to the process.

Mark S A Smith: Mm-hmm (affirmative).

Jonathan Goetsch: That’s just good housekeeping.

Mark S A Smith: Indeed.

Jonathan Goetsch: The third one and the final one that I would like to make is, we looked at, hey, we’ve got to train our staff. Right?

Mark S A Smith: Yes.

Jonathan Goetsch: B, we need to test our environment and C, one of the things that is really important to justify these efforts is understanding internally what’s at risk.

Mark S A Smith: Yes.

Jonathan Goetsch: I’ll give you an example. There usually is somebody, I don’t know, maybe in sales or human resources or a department where they have been bringing data into, let’s say, an Excel spreadsheet. Sales people are notorious for this where keep down, you know, what’s the wife’s name or what’s the husband’s name? What are their birth dates? Do they have kids?

Mark S A Smith: Right.

Jonathan Goetsch: Make a reminder to send out birthday cards for the kids and so on and so forth.

Mark S A Smith: Yes.

Jonathan Goetsch: We need their home address and what are the dates of birth. Now, we’re tracking company information, decision maker, spouse, children, private address, company address, date of birth. Do you understand where I’m going with this concept?

Mark S A Smith: We have personally identifiable information that we’re holding within an unsecured system.

Jonathan Goetsch: Many of these lists also have information such as credit cards or worse, health information. These are very, very attractive targets for the dark web and they exist in every company that we’ve been asked to assess what their internal risk is. Think of it in terms of a data breach, risk intelligence. What are we holding in our environment? I think that if you do some soul searching, you’ll realize that the chances are that in your environment, you can know that these types of files exist. What do you do about it? There are products and services on which we, of course, also provide that can actually scan those servers all the way to the endpoint and tell you in finite detail where the information exists, whether it’s on a file server or individual workstation. We can tell you whether it is one or hundreds or thousands of these files that exist. We can tell you the drive path right to the file, the file name, take a look inside the file and tell you is it a credit card, is it a date of birth? What are the key factors that make this personal, identifiable information file. Now, we can discern whether it’s Social Security numbers, credit cards and evaluate the risk. Now, the Health and Human Services has the big club, if you will.

Mark S A Smith: They do.

Jonathan Goetsch: The Office of Civil Rights is the one that lays down the fines. They will fine an entity based upon the number of records that have been compromised and we are, unfortunately, regular finders of entities that have so many Social Security numbers that have been kept on file that their risk of fines exceed 10, 20, 30, 40, 50 million dollars.

Mark S A Smith: Yeah, the fines are egregious. They’ll put you out of business.

Jonathan Goetsch: Absolutely. All they needed to do, and I want your listeners to hear this, had they encrypted that data, it would not be so readily available. If that was the case, then we’ve actually solved the problem of the risk of being fined. The ultimate thing is, know what the risk is, where these records lie. Know how to clean them up and what to do about them, so that we cannot just delete the information, of course delete the bad stuff, the redundant stuff, but one of the best pieces of advice that I can give is when building a form, use meta tags to that form. Now, once the form has been created, now we can sync the data into the form. Now, we can track this form in many different ways, but ultimately, one of the things we need to do if it’s going to contain PII is to encrypt it. Now, we’ve alleviated many of the problems. We’ve looked at three building blocks that are really significant that your clients or listeners would like to know about and the last, very last thing, and I’m just going to be very brief about this, you need a set of comprehensive policies and procedures.

Mark S A Smith: Absolutely.

Jonathan Goetsch: This gives a wonderful framework for what you need and if you need to know what table of contents, what policies and procedures should we have, we’d be happy to provide them to you and your listeners on a complimentary basis.

Mark S A Smith: I think that’s fantastic. Thank you for that offer. I absolutely agree. Comprehensive list of policies, as far as I understand it, if you do not have a security policy and you’re breached and you’re sued, you have nothing to defend yourself with. You are found as negligent in that scenario.

Jonathan Goetsch: Absolutely correct. Absolutely correct.

Mark S A Smith: Listener, if you have a business and you don’t have a security policy that’s up to date and been tested, quite frankly, you’re at risk of being disrupted. That could happen from a competitor, could happen from somebody completely different, but I want you to stay in business, protect that data. Data is the gold of today. You’ve got to protect your data, just like you would protect your money. This has been such a great conversation Jonathan. You have such wonderful insights into the world of cybersecurity and how to protect ourselves. Your list of suggestions are so simple. Employee training, number one. Number two, understand your cyber risk profile. Number three, understand internally what’s at risk and protect it, and then number four, finally, you’ve got to have a security policy and if you don’t, you’re at severe risk. How does my listener get a hold of you?

Jonathan Goetsch: Thank you for asking. Very simply, we have telephones, just like everyone else, and websites. Our website, of course, is USProTech.com.

Mark S A Smith: Okay.

Jonathan Goetsch: You can reach us at our company telephone number, which is area code 949-629-3900. We’d be happy to take any of your caller’s calls and explain to them what they could do, as well as provide them with some basic information. Especially a table of contents on the policies and procedures.

Mark S A Smith: Right.

Jonathan Goetsch: I really thank you for bringing it up. I want to let people know we’re about helping others achieve their objectives and doing it in a way we consider to be minimum essential so that they’re not spending an inordinate amount of money in order to achieve the objective. When you find a good consultant, they can almost bring zero cost to you in that you can redirect certain funds that are allocated in certain places into a better technology that actually achieves the objective that’s outlined in the policy procedure and adheres to a federal law. Look for somebody that can really advise you on, not just how to spend money, you know, spend money more wisely, or at least minimum essential.

Mark S A Smith: Indeed. Well, as I like to remind people, in the world of security, if you’re not paying for protection, you’re going to pay for clean-up.

Jonathan Goetsch: So true, Mark, so true.

Mark S A Smith: Thanks for your insights and your wisdom and for being on the Selling Disruption Show.

Jonathan Goetsch: Absolutely. Thank you, Mark.

• Here’s How »

• sellingdisruptionshow.com
• Selling Disruption Show Facebook
• Selling Disruption Show LinkedIn