Agentee Digital Podcast

The Modern Day James Bond of Cybersecurity

Ira Winkler · Field CISO & Cybersecurity Author
Show notes

In this episode, I'm joined by Ira Winkler, Field CISO & Cybersecurity Author. We talk about his fascinating experiences conducting 'black bag operations' and how this earned him the title of the modern-day James Bond. Ira explains the concept behind his book 'You Can't Stop Stupid' and why he believes cybersecurity professionals must address human errors proactively. He shares insights from his time at the NSA and discusses the evolving role of AI in cybersecurity, emphasizing that AI is both a tool for defense and a weapon for attackers. We wrap up with practical advice for companies on maintaining strong security fundamentals.

Full transcript

AI misunderstood

So welcome back to the podcast, guys. Today, we are joined by Ira Winkler. Ira, welcome to the podcast.

Thanks for having me.

So I've seen that the media has called you the modern day James Bond. Can you talk a little bit about that?

Yeah. So basically, I got my reputation because companies hired me to do what I guess you'd refer to as or what is best referred to as black bag operations where I infiltrate companies both technically, physically, and have been able to essentially rob them blind, steal their crown jewels in days. I mean, it includes banks, it includes manufacturing companies, high-tech companies, pharmaceutical companies, and the like. And I just happen to be very good at it. And then at the same time, I've also investigated some pretty significant and actually even a couple of fairly well known crimes as well where I've been a key player either in instigating them or solving them.

Mhmm. You are also an author of eight books, including You Can't Stop Stupid.

Yep.

Can you talk more about the book and what did you mean to spread to the world?

So basically,

when you look at You Can Stop Stupid, you know, was a comment somebody put out a while ago saying "you can't patch stupid," talking about, you know, the like users being dumb. And I'm like sitting there thinking, that's completely clueless. The job of a security professional is to essentially patch stupid. Because you don't stop it from existing, but you stop stupid, for lack of a better term, from basically causing harm. And the job of a cybersecurity professional is to ensure that harm does not result from negative actions. Now ideally, you wanna stop the actions from happening in the first place, and I'm talking about both technically, operationally, physically, personnel wise. But the reality is you have to expect them to happen, and you have to put the appropriate protections in place eventually. So for example, when people say, oh, you know, some no matter what you do, somebody's gonna click on you know, there was like somebody said somebody was giving out stickers that say "don't click on shit."

And like I and admin was there. He was like, I need a lot of these stickers. You know, I can't stop my people from clicking on shit. And I'm like, wow. You must give your users a lot of shit to click on then. And he's like, what do you mean? I'm like, well, if you if they're clicking on stuff, they're obviously not doing it on their personal systems, they're doing it on your systems. So why are you giving them so much shit to click on in the first place? And that's part of the problem. Stupid isn't necessarily the user. Stupid in many cases is the people, you know, the people in the company who set up networks that allow a single user to ruin the whole network. And so what you have to do is you, you know, like in cyber security, we're not the first people who ever had to deal with human stupidity for lack of a better term. We seem to think we're special snowflakes, we're not. You know, or like other departments like safety science proactively deals with this on a regular basis.

Security is simple

You have the actually the whole accounting and financial department is proactively looking at ways to stop financial fraud. And they have and there are profit motives to doing it. But mistakes happen as well, and they have to proactively put it in place. If a CFO ever said, for example, well, some, you know, some user accidentally deleted a file and destroyed our whole financial and accounting system, but, you know, we can't stop users. I mean, they would they're like, no. We don't blame the user. We blame you as the CFO for not putting the appropriate actions in place. And how come we're not doing that in cybersecurity? So anyway, You Can't Stop Stupid is looking at, for lack of a better term, cybersecurity and the human aspect of cybersecurity as a safety sciences type of perspective.

Mhmm. Well, very well said. What kind of trends or shifts are you seeing right now in the cybersecurity that most people aren't paying attention to?

So I think I would say the trend that they're not paying attention to, but they actually are but they don't get it. For a lack of a better way of phrasing it,

is they are actually like the whole concept of artificial intelligence. I don't think people actually understand what artificial intelligence is. Because really, artificial intelligence is not this mythical entity that people are painting it as. Artificial intelligence is just a series of mathematical algorithms that are we're now able to use because these algorithms have been around for decades in many cases. And we're able to essentially use them because we now have more processing ability and we have more access to the data. And now that we have more access to the data and the processing ability, we're able to take these algorithms, which essentially have always been there, but you're now able to combine and sort data in ways you weren't before. And so this is why we have what we have. And when people are saying, oh AI's gonna do this, AI's gonna do that, it's actually literally the same as when computers first started coming out. And people said, wow, a computer is gonna take your job. A computer is gonna do this, or a computer is gonna do that. But now it's just like we are now just making better use of advanced

or advanced algorithms to the extent they're advanced and being able to apply it to problems. And it's really not any sort of advance in AI, it's just sort of advance in programming and making use of what's already available to us.

Mhmm. Yeah. Definitely a lot of people misunderstand AI. So, Ira, you started your career at the NSA as an Mhmm. Intelligence analyst. Right?

Yep.

How did that experience actually shape the way you think about security today? And is there anything that it taught you that the private sector still hasn't figured out yet?

So at a high level, I don't think people realize that the security problem is actually pretty simple. Because, you know, when you're at NSA, like you have general awareness, and the general awareness is things anybody should theoretically do. Like, you know, you walk into the NSA and they're like, put your badge away at the end of the day. You know, don't wear your badge. Don't show your badge to the lovely merchant who's offering, you know, NSA workers a 10% discount if they show their NSA badge. You know, that type of stuff. And like fundamentally,

AI: blessing or curse

you're sitting there thinking, okay, most people are just giving away their information right and left, you know, by just extrapolating the lessons from normal, like what they told you to do working at NSA. I wish people didn't have to bring work home because now I work, you know, like at NSA, all your work you know, you left the building, your work was done for the most part. And but now when you start looking at it, even then when I was at NSA and looking around, most security problems are actually pretty basic. You know, you look at things, systems aren't well patched. You know, how do hackers hack? They hack because fundamentally there's vulnerabilities built into the things or people just use it improperly. And people underestimate how improper usage of computer systems leads to vulnerabilities and the pretty obvious vulnerabilities. And so for example, guessing passwords, you know, on unpatched software and things like that, it's pretty basic. You know, I'd love to say, you know, what NSA does in many ways is advanced.

In many ways, it's not advanced based on, you know, some of the people that they are targeting because the people they're targeting aren't as savvy as they were. I mean, obviously Iran had to grow to be savvy. But it was just for example an article, I can't remember the article, but, like, Russia had I'll give you this example. So there was a GRU hit squad and GRU special operations units, you know, the Russian military intelligence group, the Spetsnaz. I don't know if they're necessarily Spetsnaz, but there's a lot of overlap to their missions. And what happened was, like, there were people who were caught as spies, like, a bunch of years ago because all of their driver's licenses or something like that was tied to a single address in Russia, which was like their international driver's license or passport was issued from a very specific location in Russia, was a GRU office. So then all people around the world had to do was go ahead and look to see who had a passport or whatever it was, you know,

tied back to that specific address. And they would know that person's, you know, tied to Russian special operations. So now, just recently, there was just another case where there was something awfully stupid where, like, the replacement for the Russian hit squad was now identified because of somebody doing something really dumb. I there was an god. I had that article on my browser link. Sorry. I don't mean to, like, put you off, but I just wanna look at it because as I yeah. Well, "How Russia's new elite hit squad was compromised by an idiotic lapse in tradecraft," you know, that The Insider put out. So it's center seven ninety five full scale war in Ukraine. And basically, it's an article on how an idiotic lapse in tradecraft allowed the replacement for that activity to be now detected. So you're getting there and people are thinking everything's really advanced. The thing is never underestimate the stupidity of a criminal, never overestimate the capabilities of a hacker as well.

Mhmm. What do you love the most about your job, Ira?

So I mean, I love the whole concept of protecting people. And fundamentally,

right now, a large part of my job involves, how would I phrase this? You know, basically outreach and talking to people because you know, right now I have a field CISO, you know, type of role where, you know, I do do CISO level work but I still have, you know, I still go out and speak, I talk, I write. You know, I don't know if you've heard, but I also run a conference called CruiseCon where we hold cybersecurity conferences on a cruise ship and such, and that's a lot of fun and everything, so I love doing that. And so sorry. I'm just getting back into the window where you are. I was finding the I I was finding the other link to that article. But, you know, CruiseCon allows me to go ahead and like because when I was chief security architect of Walmart, I got invited to some awfully great events

that were held by venture capital firms or were held by, you know, actually not necessarily vendors, I wouldn't necessarily go to those. But you know, there's a lot of unique events and you know, that gave people really great retreat style activities. So I wanted to recreate that with CruiseCon. And that has essentially created, you know, an environment for a lot of people to really, you know, network, establish good friendships, and get some really interesting content as well.

Mhmm. AI is obviously changing right now. Right? Mhmm. But it's a two sided weapon. Like, it serves also as a tool for the defenders and also as a weapon for the attackers. Do you think the impact that it has is more positive or more towards the negative side?

So fundamentally, I'd say it's an irrelevant question. My talk I have two talks next week at RSA. I don't know when this is gonna be released, but you know, we're this the week before the big RSA conference, and one of them is I created this almost as a buzzword joke, but it's actually a good presentation. It's like, you know, using AI,

you know, to you know, to prevent the human and the AI and the human element of cyber security. Because those were the like I just looked last year, and it's like those were the two most popular terms for, you know, at their conference. So I just put that together to create a presentation. And what I'm doing in that presentation, it's both attack and defense, showing how AI can be applied to that whole chain I spoke about, like You Can Stop Stupid, where we're looking at things from an end to end perspective, like stopping the phishing email from being in the inbox. Now the thing is we have been using, and I hate the term, I use Dr. Evil quotes when I say AI, like so AI, basically is has been used for decades by both good guys and bad guys. AI's been used I mean, optical character recognition, which has been around since the late nineteen eighties, is an example of AI in many ways. Siri and Alexa are both versions of AI. Predictive text on your computer and your iPhone are all versions of AI.

Now these are all commonly used, and we just take them for granted because really those are just different mathematical algorithms that are using machine learning and predictive, you know, generative AI to do different work. Now when you ask about is AI a benefit or a curse, we've had AI, specifically machine learning, embedded in anti malware software for decades now. I was actually on a naval research grant back in the nineteen nineties that was implementing machine learning onto malware detection. And so it's been around for a while. It's kind of just ubiquitous when people are saying, like, for example, phishing detection built into security mail gateways, that's using AI and has been. And nobody when they started using it, nobody ever said we're an AI company. It was just a software algorithm that they embedded within everything else. Because really, AI is just software algorithms. So has it been helping or hurting? I mean, it's kind of an irrelevant question because it's gonna be used because we now have the processing power and everything else. And the same way, for example, deep fakes can be used to try to convince people, we have AI technology

that can flag data or Zoom conversations even from coming from places it's not. We can actually pick up, you know, deep fakes in transmission if you have the right software on there. So, again, it's a little bit of an arms race, but it's kind of irrelevant because it's just like, or am I using a computer today, or am I not using a computer today? It's the same thing. Am I using AI, or am I not using AI? And it's just pretty much if I'm touching a computer, I'm using AI.

Mhmm. Ira, I have one more question for you. If there are companies out there that are listening to this and you could give them some kind of advice regarding the security and protecting themselves, their data, what advice would you give them that they could apply today?

Frankly, it's advice that they should be applying this already, which is never forget the basics. Updates, you know, have automatic updates turned on. Set the configurations turned on. You know, make sure you have default all the security defaults turned on in general. And

well, I would say do backups, that's kind of a I would say it's almost less important these days. And the reason I'm not I'm saying that is because cloud computing is backing up data in real time, so it's not like all of a sudden if your computer hard drive crashes, you lost your data. The data's being stored on a cloud drive, and you expect the cloud providers to have some form of reasonable backup security as part of it. But otherwise, really at the end of the day, it's just the fundamentals of computing. The you know? Back up your software oh, sorry. No. Not back up. Again, update your software, make sure you have strong passwords, implement multi factor authentication, and that'll take care of 99% of the problems.

Mhmm. Really the basics. Okay. So thank you, Ira, for coming on the podcast. I will make sure to add links so people can check you out if they don't know you already. And thank you guys for watching.