Phishing you say? Like with a pole? Cybersecurity Terms with Trava Security CTO, Rob Beeler

Episode summary: If you ignore cybersecurity threats, it's only worse in the end since hackers are smart, and it's a never-ending web of attacks and breaches. Understanding what those threats are is the first step.

In this episode of The Tea on Cybersecurity, host Jara Rowe (https://www.linkedin.com/in/jararowe/) dives into the complicated world of cybersecurity terminology with Trava's (https://www.linkedin.com/company/travasecurity/) CTO and Co-Founder, Rob Beeler (https://www.linkedin.com/in/rob-beeler-945ab33/). They discuss common terms like phishing, spam, endpoint protection, vulnerabilities, and risks associated with cyber attacks. Rob also stresses the importance of educating yourself and others on these terms to help prevent future attacks.

What You'll Learn:
  • What phishing cyber attacks are, and how Trava's Phishing Simulator works
  • What endpoint protection is and tools used to look for security vulnerabilities
  • The difference between threats, vulnerabilities, and risk

Things to listen for:
  • [00:20 - 01:21] Introduction
  • [01:35 - 02:22] Rob Beeler's introduction and background in cybersecurity
  • [02:32 - 03:03] Explanation of endpoint protection
  • [03:12 - 05:24] The importance of understanding terminology
  • [05:54 - 06:49] Examples of cyberattacks
  • [07:07 - 08:51] The definition of phishing
  • [10:52 - 11:25] The difference between phishing and spam
  • [11:33 - 12:39] Definition of vulnerabilities vs. threats and risks
  • [13:13 - 15:50] Statistics of phishing attacks and their impact on companies
  • [16:04 - 18:11] Jara's receipts

Connect with the Guest:
LinkedIn - https://www.linkedin.com/in/rob-beeler-945ab33/

Connect with Trava:
Website - https://www.travasecurity.com/
LinkedIn - https://www.linkedin.com/company/travasecurity/
Instagram - https://www.instagram.com/travasecurity/
Twitter - https://twitter.com/travasecurity
Facebook - https://www.facebook.com/travaHQ
YouTube - https://www.youtube.com/@travasecurity
Blog - https://www.travasecurity.com/blog
Chapters:
  • Introduction (01:01 MIN)
  • Rob Beeler's introduction and background in cybersecurity (00:47 MIN)
  • Explanation of endpoint protection (00:31 MIN)
  • The importance of understanding terminology (02:12 MIN)
  • Examples of cyberattacks (00:54 MIN)
  • The definition of phishing (01:43 MIN)
  • The difference between phishing and spam (00:32 MIN)
  • Definition of vulnerabilities vs. threats and risks (01:05 MIN)
  • Statistics of phishing attacks and their impact on companies (02:36 MIN)
  • Jara's receipts (02:07 MIN)

Jara: Gather around as we spill the tea on cybersecurity. We're talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. Phishing, you say? Like with a pole? That could be the farthest thing from what we're actually talking about. Thanks for joining me for episode two of The Tea on Cybersecurity. If you joined me for episode one, then we finally know what cybersecurity actually is. But if you're anything like me, you're often in conversations where people are using different words and phrases and acronyms that you have no idea what they actually mean, and you probably feel a little too silly to stop the conversation to clarify. And to be completely honest, that is something I deal with in a lot of meetings. I am surrounded by cybersecurity professionals who honestly seem like they speak a different language than I do when we're in meetings. But today we are going to figure out what some of those terminologies actually are. And I'm really excited to introduce you to the guest for this episode. I would like to introduce you to Rob Beeler, Trava's CTO and co-founder. Thanks for joining me, Rob.

Rob: Hey, Jara, it's great to be talking to you today.

Jara: I'm so excited. I can't wait to figure out some of these complicated terms. All right. So can you go ahead and introduce yourself to our listeners?

Rob: Sure. Well, as you mentioned, I'm CTO and one of the co-founders at Trava. So my primary role is to help build our cybersecurity assessment platforms that help our customers and our services team assess customers' security posture.

Jara: So before we get into the terminology a little bit, can you just tell us about your experience with cybersecurity before Trava?

Rob: I've had a pretty long career as an executive in technical fields, and really mostly about building products and delivering value to customers. But then over the past few years prior to Trava, we worked with a number of companies to help bring cybersecurity products to the market, including endpoint protection and other tools that helped protect customers.

Jara: You just unveiled a term that I'm not familiar with, so that's going to be the first one we dive into. So what is endpoint protection?

Rob: Sure, that's a great question, and it's important for people. This is a technology that you run on your laptop or your desktop, whatever computer you use. It could be a phone as well. We refer to those as endpoints. So that's a good example of terminology that is confusing for people. But endpoint protection tools help monitor what's happening on your machine or on your phone or whatever device you use, and look for security vulnerabilities, look for attacks, and help prevent those.

Jara: Awesome endpoint protection. Got it. So why do you think cybersecurity terminology is so confusing for people?

Rob: It is confusing, and I think there's a couple reasons. First, cyber attacks are becoming more and more prevalent, and they're more damaging too. So as a result, all of this is moving into the spotlight. It's rare to go to any kind of news source and not see a story about a breach that happened or a loss because somebody was a victim of a cyber attack. As these things move from the computer room to the front page, that terminology comes with it. And let's face it, technical people tend to be more precise than understandable, sometimes. That doesn't help. And then of course there are the dreaded acronyms. So I think that's one thing. This is new terminology for people. It's things that they really weren't exposed to. It's also really evolving rapidly. Now, this is a field that doesn't sit still. There are new threats, and with that new terminology seen on a regular basis, and that makes it hard for the regular person to keep... One thing to be clear about, it goes a little beyond just being irritating that you don't know what it means or feeling silly or whatever. There's a real cost to that. When people don't understand a problem, it's really hard for them to fix it. People may go, "I don't get this. I'm going to ignore it and hope it goes away or hope it never happens to me." And that can be a really costly mistake. There are also a lot of examples of fixes or closing gaps that were delayed because people didn't understand it. If something happened, they didn't understand the severity of it or the nature of it. And that time delay costs them in terms of further breaches or further loss. So anyway, if I think about this, I think some of this is learning curve. If you think back 20 years ago and what people knew about computer terminology, we were all like, what does this mean? People who do programming, they're wizards, and it's a separate language. Think about how much has progressed since then, how much more comfortable people are talking about computers since they carry one with them all the time. This will happen with cyber as well. Though we feel it's really critical for the industry to keep focusing on simplifying. That's one of the things that we really try to do, but I think it's on the entire industry to bring that terminology down to the masses.

Jara: Definitely. Yeah, you're right about different computer terminology. I think it is, like you mentioned, it's just new for people. And so once they hear it more often and they really try to understand, it won't be as scary as what it may seem like. It's just new.

Rob: Let's hope.

Jara: I hope so as well. Okay. You also mentioned cyber attacks. We can probably figure out what that means just from the words, but can you give a couple examples of what cyber attacks are?

Rob: A cyber attack would be what the bad guys do to get your data or to keep you from working, or it's generally to inflict some kind of damage on a company. There's a lot of examples. There could be someone doing ransomware, so preventing your systems from working, locking your systems down until you pay them a ransom. That's a common attack. Phishing attacks, which we're talking about today, where people will try to use techniques to get data from you that they can use, whether it's sensitive data, credit cards, or information about you they can use for other purposes. There's a lot of other attacks with fancy names like denial of service, where someone will attack a company and just prevent them from running. They will hit them with so much traffic that the company is basically disabled, often for various reasons, sometimes for ransom or just malicious behavior. But yeah, there's a lot of different ways that the bad guys can use to attack companies.

Jara: Oh, those bad guys are so smart.

Rob: They're the worst.

Jara: They are the worst. Oh man. Okay. So I know one of the features in the Trava product is a phishing simulator, but before we talk about that, can you define what phishing is?

Rob: So phishing is a form of a cyber attack, and this is where those bad guys that we love to hate try to get sensitive information from you, generally by posing as somebody that you know or trust. So a common scenario is a hacker or a bad guy will send an email and make it look like it's coming from somebody you know, and they'll generally instruct you to click on a link that they include in that email, a link or a button or something like that, and you click on that. That takes you to a website that they own that maybe looks very similar or looks like a trusted site. It looks like something you've been to before and prompts you for sensitive information. So they may ask you to enter your password, "we need to verify your password," or "we need your credit card number or your social security number." And then it's easy to see what they can do with that. There's also, they may ask for information that may seem innocuous, that's just maybe personal information. You think, oh, that's not a problem. But something to keep in mind is that they can then use that data on later attacks to get more information or to pose as you to someone else, because, how do they know this about you? They can sound credible. So it's important to think about it beyond just your credit card number, your passwords. A little fun fact about phishing, where it came from: it is a variant of the word fishing, like fishing with a pole, as you mentioned in the intro. But it also came from a word that's called phreaking with a ph, just like phishing is a security attack and phreaking was a technique that was used in the past. It's used a little bit now to manipulate telephone signals. So really the first hackers used this technique to get free long distance calls, and it's a variant of that.

Jara: Awesome. Phreaking, wow. Yeah. So yeah, the first hackers were via telephone lines before cyber. Interesting. Look, we're learning so much. Okay, so can you just talk us through the Trava phishing simulator a little bit and then why that's important?

Rob: With Trava, we really try to assess a company's security across a lot of different vectors. We look at a lot of different ways that a company could be vulnerable or could be attacked and try to help the customer identify, "Hey, these are the areas that you need to work on." So we will look at things like, we'll scan for vulnerabilities and we'll ask you questions about your processes. But another piece of this is social engineering, which includes phishing. So we want to look and see how will your employees react? If somebody sends them a phishing attack, will they fall for it, or will they detect that and report it? So what we've done is we've integrated a phishing simulation function into our product, and this lets the company put their users in by, here's the people that are in my company that I want to test, lets them pick from a variety of templates that look like real emails, but they're a little bit off. And then it'll send those emails to people with a link. And then we measure how many people open those messages, how many people click on those messages, how many people actually say, "Hey, I think this is phishing," and report it. So this helps. This is a really valuable tool to help understand how your employees will actually react. A key thing is, you can put as many safeguards as you want, but if your employees are clicking on those links, they can expose you.

Jara: And we definitely don't want that to happen. We don't want someone to expose you. And we will actually talk more about employees and how they affect companies' cybersecurity in a few episodes. So one thing that I'm noticing with phishing is that it's primarily via email. So what is the difference between, like, phishing and spam?

Rob: The big difference there is the intent, right? Phishing is an intentional malicious act to steal data, to get data. Whereas spam is mostly harmless, and it's often used as mass advertising and just to present unsolicited products and services. That's also referred to as junk mail because most of the information in there is worthless. So generally spam is irritating because it fills up your inbox. But it's not a malicious intent. Generally, if you click on a link in there or if you follow that, it's typically not as detrimental as a phishing message.

Jara: Got it. Okay. So another term that you used a couple times is vulnerabilities. Can you explain what that is a little bit?

Rob: So a vulnerability is really a flaw or a weakness that can allow an attack to occur and cause damage. If we think about phishing, phishing is really a threat; it's something someone might do that could harm your system, a circumstance or event that could impact your system. A vulnerability is this flaw or weakness that will let that attack succeed. And the result of that is you have a risk, which is a potential loss. And if you think about those terms, maybe in something that is a little more common, a threat might be someone could break into your house and rob you. A vulnerability is, "Hey, you left your door open, you didn't lock your door," and a risk is your TV gets stolen. That's the way to think about that. In terms of phishing, the risk is somebody is, or the threat is someone executes a phishing attack on you, and the vulnerability is you don't train your people or your people click on the link, and then the risk is you could lose data, you could have data stolen or compromised.

Jara: That makes a lot of sense because I often get confused about the difference between threats and vulnerabilities and risks. So you explaining it that way, clarifies so much for me. I appreciate it.

Rob: Great.

Jara: Awesome. And it's actually one of our most common blog posts, about the difference between threats, vulnerabilities and risk; it's a question that a lot of people have. It's super helpful. Are there any other thoughts or comments you would like to make around phishing or any other common cybersecurity scam?

Rob: I think it's interesting to think about the scope of phishing attacks and what they mean. They may not seem so serious to people, but if you look at the statistics on it, almost 50% of phishing attacks result in compromised accounts. And those kinds of stolen accounts and credentials lead to about 20% of data breaches in the past year. And that's a pretty big number. And those breaches on average cost people about 4.5 million, so they can be really catastrophic to a company. Another stat that I always find interesting is that these kinds of problems, these kinds of attacks tend to be the longest lasting, the longest ones to detect and fix. I think the average is over 200 days for somebody to detect and fix these kinds of breaches. And if we go back to this analogy of somebody robbing your house, another thing they could do is sit in your house and hide until they hear you talking and say, oh, I'm getting paid on Friday, and you come home with your paycheck. And then they wait a while until something big happens and then steal that. And that's what hackers do as well. They may get in and not immediately do something, you may not detect it for months or even years, but they're waiting for the opportunity to really cause some damage.

Jara: Oh my gosh.

Rob: I think those stats are interesting. The other thing that I think we always have to talk about with this, and this is one of the things that at Trava we really try to bring to our customers, is not just, "Hey, this is a problem," but how do you fix it? What are the things that prevent our users from being the victim of a phishing attack? There's a couple important things you can do. One is you can install an email filtering system, I'll just refer to it as email filtering, that all your emails will pass through. You can use those systems to try to pare down what messages get through. You can detect messages that are obviously bad or coming from known bad sources. And those systems have become pretty sophisticated to help filter out bad emails. That's one thing that really all companies should do. Another, and maybe the most important thing since this is all about people, and messages will always get through, is training. Now, it's often referred to as security awareness training, but training people to know the common signs of a phishing message, to know how to detect that something isn't coming from who you think it is, or how to avoid clicking on links that can get you in trouble, is maybe the most important thing that a company can do to prevent a phishing attack.

Jara: Oh, for sure. We definitely have to make sure we're all knowledgeable of these things to make sure that we don't let the hackers get the goods of our companies. So thanks, Rob. I really appreciate your knowledge. So now that we've spilled the tea on these different cybersecurity terms, it's time to go over the receipts. One thing that I took away is that cybersecurity terms are just not widely known. It's a relatively new subject matter for a lot of people. And just because it's new doesn't mean that we should be afraid of it or feel intimidated. So if someone is actually talking about something cybersecurity related or they throw out a term like phishing, even though we know what that means now, we should stop and ask those questions. We need to start educating ourselves on these terms. So let's make sure that we all stay diligent with asking questions. Let's not feel silly. The second thing I took away is just because you don't know what something is doesn't mean that you get to ignore it. If you ignore something, it's only worse in the end, especially when it comes to cybersecurity, since our hacker friends are smart and it's just a never-ending web of different attacks and breaches and all those things that are not fun for us. And then the third thing is phishing. So we know about phishing now, with a ph. Phishing is just when some not-nice person decides to disguise themselves as someone you know and trust and email you for you to give them information that they want. Whether that could be a phone number, an address, your social security number, important information that you just don't want any stranger to get.
So if you get an email from someone you work with or that you're friends with or a family member that is asking you for information that just doesn't seem like something they should be asking you, especially via email, stop and look at that email a couple more seconds and decide if you should actually go through with the action that they're asking you to. So that wraps up episode two of The Tea on Cybersecurity. In the next episode, Trava's CEO Jim Goldman will be back with me to talk about why cybersecurity is important for small and medium sized businesses, especially SaaS companies. And that's the Tea on Cybersecurity. If you like what you listen to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

Today's Host: Jara Rowe, Content Marketing Specialist

Today's Guest: Rob Beeler, CTO and Co-Founder of Trava