Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.
On this week’s SecurityIntelligence podcast, host Pam Cobb reconnects with Charles DeBeck from IBM X-Force Incident Response and Intelligence Services (IRIS) to unpack IBM’s X-Force Threat Intelligence Index 2020. From leveraging new geocentric data points to examining endpoint detection efficacy, this year’s report offers actionable takeaways to better prepare companies for the next decade of infosec attacks. Here’s a quick look at the highlights.
Securing the Alphabet Soup
According to DeBeck, the report found “a massive uptick in targeting operational technology” compared to previous years. He notes there are several possible explanations for the increase, including an effective avenue for initial compromise, the rising value of high uptime services as ransomware targets the private and public sectors, and the chronic under-patching of these technologies.
DeBeck also calls out the need to differentiate between operational technology (OT), industrial control systems (ICS) and the internet of things (IoT). While ICS technology is a subset of OT and IoT devices can fall into either category, OT covers any technologies that are essential for business operations, such as SCADA solutions or other always-on monitoring tools.
Don’t Underestimate the Threat of Spam
Spam is now commonplace, but DeBeck warns that companies shouldn’t get too comfortable.
“In reality,” he says, “spam is a very common vector used by a lot of low- to mid-sophistication threat actors. Even if it’s not successful very often, the sheer volume makes it so that organizations can be very vulnerable to it.”
What’s more, threat actors still leverage old vulnerabilities to compromise current systems. According to DeBeck, “nearly 90 percent of the vulnerabilities that we saw were actually just these two vulnerabilities: CVE-2017-0199 and CVE-2017-1182.” The nomenclature gives it away — both of these CVEs are from 2017.
The Top Threats of 2019
While ransomware remained popular throughout 2019, DeBeck notes that “there’s still a lot of other activity out there that’s not covered under the ransomware threat.” Other top threats include:
Also under discussion is breach fatigue — organizations have heard so much about ransomware, malware and even cryptominers that it’s easy to become complacent. For DeBeck, “a good threat intelligence apparatus will also give you that broader aperture” to provide both right-now recommendations and insight to address broad attack vectors.
Which Industries Are Under Attack?
The 2020 X-Force Threat Intelligence Index also highlighted some key industry trends. While finance remained the top target for malicious actors, threats to industries such as government and retail are on the rise. According to DeBeck, “the retail industry provides threat actors with an easy way to convert their illegal activity into liquid currency that they can then use to purchase goods,” while government agencies are often targeted with ransomware “partially because government has this necessity for constant uptime.”
Healthcare, meanwhile, dropped in overall threat rankings, “not because it doesn’t have as many risk factors as a lot of other organizations or a lot of other industries, but primarily because it wasn’t the flavor of the month for 2019.”
Focus on the Cybersecurity Basics
Despite the evolving landscape of OT compromises, high-volume spam and multiple malware avenues, it’s not all bad news. To help organizations reduce risk, DeBeck recommends a three-pronged approach that focuses on cybersecurity basics.
First, patch any old vulnerabilities that exist. Then, target insider threats by training staff to identify and avoid common issues. Finally, “leverage your threat intelligence apparatus to get more highly targeted, specific recommendations for your organization so that you can prioritize based on who you are and not just based off of a broad idea of who you should be or who you might be.”
For more insight and in-depth analysis of emerging attack vectors, check out the latest X-Force Threat Intelligence Index.
Episode Transcript
Pam: David, can you guess what the leading initial infection vector is in this year’s Threat Intelligence Index?
David: I’m going to have to go with…so many choices…email. It’s got to be email, I’m going to bet on email.
Pam: Like, all the emails or like just some kinds of emails?
David: I think probably it’s going to be account takeover or like a targeted at employees, that always seems to come up. And I think it’s more pervasive than any of us give it credit for. But you’re killing me with the suspense here, Pam.
Pam: So in this year’s report, as in many years past, the good old inadvertent insider ranks number one, and some of that is in part due to email, you know, they’re clicking stuff they shouldn’t, it’s not a good look.
David: They have to listen to you, Pam, don’t click stuff.
Pam: Don’t click stuff. Number one resolution of the year, don’t click stuff.
David: That’s right.
Pam: So when we think about that infection vector, it truly is just phishing.
David: Pam, I’m hoping there’s more where that came from.
Pam: Absolutely. This report is jam-packed with all kinds of research. So you may know IBM is kind of a big company, and we take a look at all of the different things that we monitor from honeytraps, and spam filtering stuff, and all of the different technologies that we have deployed. And we aggregate that data and take a look at trends that we see, things that have changed year over year, you know, new things that pop up.
This is the “Security Intelligence” Podcast where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.
David: And I’m David Moulton.
Pam: I’m so happy that Charles DeBeck came back to the show to dig into those insights from this new research. We touched on operational technology, spam, what industries are most targeted and even revisited that topic of destructive malware. Here’s our conversation.
I’m pleased to be joined once again by Charles DeBeck from our X-Force IRIS team. So Charles, what have you been up to in the last time since you’ve been on the podcast?
Charles: Thanks so much for having me, my pleasure to be back. Since the last time we chatted, I’ve been working on the 2020 Threat Intelligence Index for IBM’s X-Force that captures all the trends we’ve seen in 2019 and helps tell people what they need to be aware of moving into 2020. Pretty exciting stuff.
Pam: I remember those days fondly. One of my previous jobs was the job of shepherding that report from the research out into the world. And it’s a lot of work because it’s a lot of good info.
Charles: It is. But I think one of the great parts about it is you get a real great chance to see just all the different assets and the avenues IBM has to really gather threat intelligence data from its global enterprise. There are so many different unique facets that we can draw upon since we have a global footprint and we’re active in so many different industries, that we’re able to really pull back a lot of fascinating data and information that we can then get these great trends out of when we look at it real in-depth.
Pam: Yeah, absolutely. So why don’t you tell us a little bit about what’s new in this year’s report? What’s changed since the last year?
Charles: Sure. One thing that was unique was we had geocentric data that we were able to pull together from across the globe. We looked at the different geographic regions and said, you know, “What are the major threats that we’re observing in these regions? What threat actors are we seeing that are active in these areas? And what malware trends are we seeing in these specific hotspots that we can sort of tell people?”
The theory here was if I’m a company, and I’m thinking about opening up a branch in Southeast Asia, and I want to know, you know, what are the major threats that I need to be concerned about when I open up this branch, that you can go to this index and now you can say, “Okay, let’s go look at this data specifically for the Asian region.” And that’ll give me a better sense of what threats to be aware of and what threat should be sort of top of mind. And while this, of course, can’t be a comprehensive list, because then that list would be 50 pages long, this is at least a good starting point for organizations to be able to use. So I’m pretty excited about this data, I think this is a really interesting set of new information that we were able to bring in.
In addition, we also brought in some new data points, some new data sets from across IBM Security, which helped us get a better understanding of some of the threats that are out there for organizations. For example, we looked a lot at our endpoint detection mechanisms and said, “Okay, what are we seeing from an endpoint perspective?” As well as at our spam traps saying, “What are we seeing coming in from a network perspective on the spam front?” And this data, that’s really provided some interesting insights in terms of what we see threat actors doing and what activity we observed in 2019
Pam: I will say when I hear the phrase spam front, I just have an image of a Monty Python illustration coming up and a giant Spam cloud coming over.
Charles: Well, it’s funny because spam is one of those things that a lot of people, you know, they don’t care that much about. They’re like, “Oh, spam, you know, it’s same day in, day out. Who cares about spam, it’s been around forever.” But in reality, spam is a very common vector used by a lot of low- to mid-sophistication threat actors. Even if it’s not successful very often, the sheer volume makes it so that organizations can be very vulnerable to it. If you have a million people being targeted, and only a half percent are successful, that’s still a lot of folks who end up getting infected.
Pam: Absolutely. So what were some of those biggest takeaways from the report? Any information that surprised you this year?
Charles: I think the thing that surprised me the most, when I was going through the report data, was we saw a massive uptick in targeting operational technology. So this was based off of network event logs that we were looking through. And we saw threat actors in 2019 much more actively targeting the operational technology field than we saw in any previous year. We actually have a great chart in the index, where we look at the last 4 years, and you can see that 2019 was head and shoulders higher than any of those prior 3 years. I’m not entirely sure why there is a significant uptick. There’s a lot of possible explanations here.
It could be the threat actors see that this is a good avenue for them to get initial access into organizations. It could be the fact that operational technology has a high uptime requirement, and so it’s something that’s potentially a good way to ransom companies that are using this technology. It could be the fact that OT oftentimes is unpatched or not patched in a very prompt manner. And as a result, it’s easier to break into operational technology machines. There’s a lot of possibilities as to why this has been targeted so heavily. But I was just very surprised at the sheer volume of target that we observed in 2019.
Pam: So can you talk a little bit about the difference between OT and then IoT? Aside from the letter I?
Charles: This is a good distinction to make because it’s a little bit unclear because you have operational technology, which is OT, you have industrial control systems, which is ICS. You have Internet of Things, which is IoT, you have this whole alphabet soup. And being former government employee, I understand how alphabet soup works, right. But it gets very complicated very quickly. So the way I like to capture it is operational technology is one category of technology that we see being used, and a subset of operational technology is ICS, industrial control systems. Operational technology also covers stuff like SCADA, right. So this is where we see that physical to internet connection of machines that have a physical impact.
So operational technology, that’s the broad category, ICS is a subcategory of OT. Now, IoT, Internet of Things, that sort of spans categories. These are internet-connected devices that can interact across the internet. But realistically, they’re not specific to any category. So this can be under operational technology, but we can see IoT being used in other categories of activity.
Pam: So, when we’re looking at IoT targeted attacks, did you notice any changes there based on the observations from within IBM?
Charles: Yeah, we actually noticed a very interesting shift. So IoT targeted attacks have been around for a very long time these aren’t new, right? People have heard of Mirai and Mirai botnet for many, many years. But what we noticed in 2019, was that we saw a shift in targeting of IoT targeting going from traditionally consumer electronics to now starting to go after enterprise-grade hardware. So what’s interesting here is historically IoT targeting has been thought of as sort of a challenge for consumers or challenge for small businesses, but not really a concern for large businesses because the things being targeted tended to be more on the small scale.
But just recently, in the last year, we observed a much greater level of targeting of enterprise-grade hardware which means that now businesses that were generally not too worried about IoT targeting probably should be starting now. It’s very difficult to discern the exact motivations of threat actors. But there could be a number of reasons for this. It might be that enterprises are more profitable because they have more money than consumers do to pay off any sort of ransom or pay off any sort of blackmail they might be receiving.
IoT devices can also be a great way to sort of leverage your way into an enterprise since IoT devices often aren’t patched as frequently or regularly as more standard endpoints. So there’s a lot of potential rationales as to why we’re seeing this increase in enterprise targeting, but we don’t entirely know why at this time.
Pam: Was there any kind of methods or attack vectors in the report that weren’t necessarily new or reinventing the wheel?
Charles: One interesting thing we observed when we were looking through our spam data in 2019 was we’d want to research what vulnerabilities we saw threat actors using when they were throwing spam out to different users. And we found they actually focused on just two CVEs. As nearly 90% of the vulnerabilities that we saw were actually just these 2 vulnerabilities. CVE-2017-0199 and CVE-2017-1182. Now anyone familiar with CVE nomenclature can immediately tell you that these are both CVEs from 2017. So both of these are two to three years old at this point. And 2017-0199 was released in January of 2017 so that’s nearly 3 years old at this point.
Both of these CVEs are from Microsoft Office, specifically from Microsoft Word. So the question kind of becomes, why are threat actors who are using spam emails in 2019 going into 2020 using CVEs that are almost 3 years old at this point? You know, it seems like if I were sending out a phishing email or spam email, I want to use a CVE that was used sometime in the last year at least or is relatively new. But realistically, these CVEs kind of makes sense, they’re super cheap to acquire builders for on the dark web. If you want to go out and build a document that leverages one of these CVEs, you can do it pretty much for free at this point. So they’re really cheap to use, they’re really easy to use.
There’s videos YouTube that you can go find on how to craft documents that leverage these CVEs. So if I’m a low sophistication threat actor using spam emails, I don’t have to try too hard to make spam emails that use these CVEs. And they’re actually very effective when they do work. Even though both vulnerabilities have been patched, if for some reason somebody doesn’t have the vulnerability patched, the one nice thing about these particular Microsoft Word vulnerabilities is that they don’t require the individual to do anything really special after they open the booby trap document.
So whereas a lot of vulnerabilities we see in Microsoft Word require the user to enable macros, and then click a thing or click a link that’s in the actual word document, these vulnerabilities automatically execute something once the Word document is opened. So it requires less user interaction, making it more successful if the system is unpatched.
Pam: So talk to me a little bit more about the types of threats that you’ve seen be the most active in 2019.
Charles: So of course, anybody who’s keeping track of cyber threat trends will be able to tell you that ransomware has been very active in 2019, and our data also highlights this fact. But what I thought was really interesting was from the research we saw, it wasn’t just that ransomware was the only thing out there. Even though a lot of the news and a lot of open source may lead someone to think ransomware is, you know, the number one thing and nothing else is even close. Realistically, there’s still a lot of other active activity out there, that’s not covered under the ransomware threat.
A couple of the major things that we continue to see being active, for example, are crypto miners and banking Trojans, which are both very active malware groups that we see continue to be developed by threat actors. But we don’t see as much reporting on those, partially because they’re just not as interesting. Crypto miners continue to kind of do the same thing crypto miners have been doing for the last couple of years. Which is they go onto a machine and they start mining for cryptocurrency and then they leave when they get cleaned up. Similarly, banking Trojans continue to be active and continue to be developed.
And again, the activity here hasn’t changed much, which means that we’re not seeing a lot of new stories about this. But what’s really great about this index, I think, is that we’re able to pull back all this data and kind of get behind the headlines. And the data shows that while ransomware, of course, is still very, very popular, crypto miners and banking Trojans are also very popular. These threats don’t just go away just because ransomware becomes popular.
And in a few years, ransomware might quiet down, but ransomware won’t go away either. It’s a constantly evolving space. And just because we’re not hearing about something today doesn’t mean it’s disappeared, it just means it’s at a quiet period for now, but it could come back at any moment.
Pam: I wonder, too, if it’s similar to the discussion we had about spam earlier and the idea of breach fatigue, which kind of came up in news provenance a few years ago, where so many massive data breaches happened, and everyone’s like, “Oh, great, another data breach, the same PII that already got breached got breached again.” And I wonder if that’s a little bit of, of what’s happening in the market of well, of course, there’s ransomware, there’s always going to be ransomware, and there’s nothing really new to report about ransomware. Is it truly a lull, or is it just fatigue we’ve been hearing about it?
Charles: I think it’s a very fair point. I think realistically, there’s sort of a fatigue element here. There’s only so much you can say about a lot of these different pieces of malware. No one’s going to read a news article that has the headline “Ransomware still active.” That’s not super interesting. Or, “Crypto miners still mining things,” that’s not very interesting. But they constantly are and how do we keep juggling all these continuing threats, rather than just focusing on the threat of the day?
And that’s really, I think, where threat intelligence has a key role to play is that we have to focus not only on what’s the key threat of the day. But a good threat intelligence apparatus will also give you that broader aperture and say, “Hey, you need to also be thinking about ransomware, you need to be thinking about crypto miners, you need to be thinking about banking Trojans, you need to be thinking about something like destructive malware,” which is a low rate of incidents but high impact event. And if you’re not thinking about that, it could have a major impact.
Because at the end of the day, it doesn’t really matter what’s making headlines, what matters is what malware types and what threat types are going to be the greatest threat to your organization based on your needs and your priorities.
Pam: So talk to me a little bit more about destructive malware because I’m seeing in the report, there’s a little bit of an exploration about uniqueness of code. And I’d really love to understand more about that and how that plays into some of the data that you found.
Charles: Absolutely. And I know we talked about destructive malware previously on this podcast. We did see destructive malware continue to be active in 2019 through the second half of 2019. So the levels of destructive malware activity remained about the same. There’s sort of an upside downside here. The bright side is at least it didn’t get worse. So I’ll take that as a win. The downside is, unfortunately, it didn’t get better.
Destructive malware continues to be an avenue though that threat actors can use to really hammer companies and cause significant damage. Look at something like zero clear, right, where we have an organization being hit by a piece of destructive malware and causing significant potential operational losses. And that’s a big risk for organizations that aren’t prepared to handle something like destructive malware.
So realistically, this is a continuing field, this is something we continue to see being active. And I was kind of hoping that after our last podcast, I’d be able to come back and say, “Destructive malware, well, it seemed like it was going to be a big deal, but it wasn’t.” Unfortunately, I can’t come back and say that, it still is with us here. And I frankly just don’t see it going away anytime soon, but I always hope I can be wrong on that one.
Pam: I look forward to proving you wrong in the future. So let’s talk a little bit more specifically about industry. So one of the things that we like to impart on every year is kind of the effect in different industries that we’ve seen different types of targeted attacks, you know, are some industries more attacked than others. And we know, you know, it’s pretty easy to see that heavily regulated industries are heavily regulated because they tend to have more valuable assets to protect, whether that’s information or whether that’s money. So tell me a little bit more about some of the industry views that we saw in the report?
Charles: In 2019, we observed that the financial industry continued to retain its spot at the top of the charts for targeted industries. Not a big surprise there. It’s been at the top of the chart every year we’ve done the threat index so that makes sense. Interesting changes, though, that we saw or that we saw the retail and the government sectors actually move up in the overall rankings, in terms of targeting by threat actors. And then meanwhile, we saw healthcare, which historically have been pretty high, dropping down a bit in the overall rankings. So there was some shifting around in the industry rankings in 2019.
Pam: Why do you think retail and government rose in those rankings?
Charles: There’s a lot of possible explanations, but I think the easiest one to me to understand would be simply money. The same reason we see the financial industry being targeted, right, is because it’s where the money is. And there’s a strong argument to be made that the same can be said of retail.
The retail industry does a lot of monetary transactions, there’s a lot of point of sale components to the retail industry. The retail industry provides threat actors with an easy way to convert their illegal activity into liquid currency that they can then use to purchase goods which ultimately is the end goal of any criminal activity or criminal enterprise, right, is to be able to buy stuff. So retail provides those good money laundering opportunities. So it makes sense to me that retail would be heavily targeted because it’s where the money is, and it’s where they can convert their money very conveniently in a channel that already exists.
Government is an interesting sort of side-channel here because we often see government being targeted by ransomware and I think that there’s an argument to be made here that that’s partially because government has this necessity for constant uptime. What that means is, if I’m a government entity, there’s a decent chance I’m not allowed to not be active. I have to be out there and I have to be able to provide these services for individuals, and as a result, if I get hit with ransomware, I’m much more incentivized to pay that ransom.
At the same time, government oftentimes struggles – especially local state, municipal governments – often struggle with limited resources to combat cybersecurity issues. As well as they may have a higher level of cyber insurance so that if they do get hit by something like ransomware, then they’re more likely to payout. And then there’s also something to be said here, where when there’s a lot of headlines of local state governments paying out ransoms, that threat actors read the news, too. And it sort of becomes a trend they say, “Oh, I saw it worked for my buddy, I might as well try the same thing, might work for me.”
And we’ve seen this in the past a number of times where threat actors sort of bandwagon on when they start seeing success and trying to replicate it. And so that could also partially be what was driving a lot of the targeting of government in 2019. Because if you recall, the beginning of 2019 is when we really started to see this renaissance of ransomware targeting state and local governments. And it kind of just continued to snowball throughout the year.
Pam: So then what happened with healthcare, why would it drop in the overall rankings?
Charles: I would say for the most part healthcare dropped not because it doesn’t have as many risk factors as a lot of other organizations or a lot of other industries, but primarily because it wasn’t the flavor of the month for 2019. Historically, healthcare was a very, very popular industry for threat actors to target if you think back to 2017, 2018 healthcare was, as I like to call the bee’s knees. Everyone and their brother was going after healthcare organizations because they were finding good ways to make money there.
Recently, it just hasn’t been as popular in threat actor circles for any number of reasons. But this could change overnight, right, just like we’re talking about with government, how that suddenly became very popular. So healthcare did drop in the overall rankings, but there’s still a number of significant risk factors associated with this industry.
Pam: So let’s turn this around and give people some hope because it’s been a lot of really intense, potentially scary stuff. So what kind of security measures should organizations prioritize to address some of the threats that we’ve been talking about?
Charles: Well, I’d say when it comes to prioritizing security measures, the first thing to consider is the basics. The basics are there for a reason and they’re extremely effective. And one of the most effective security measures you can take is ensuring that you’re patching old vulnerabilities and that you have a good patching cadence in place for your organization
The main reason for this, in my opinion, is because old vulnerabilities are easy for threat actors to leverage. It’s easy for them to be leveraged by anywhere from low sophistication to high sophistication threat actors. And oftentimes, they’ve been used so many times that threat actors are familiar with them and are able to use them much more effectively than newer vulnerabilities. But at the end of the day, patching old vulnerabilities, it should be a very straightforward thing for organizations to be able to do, and/or protect against a wide variety of potential ills that are coming their way.
Additionally, beyond sort of that technical solution, there’s always the people problem. One of the biggest things we ran into when we were looking through our data was that people often became the inadvertent insider for their organization, there was a lot of human error issues. You might have something like a misconfigured database that was leaking credentials or make credentials accessible to a wide variety of people. For example, misconfigured servers accounted for 86% of the records compromised in 2019 that were from publicly disclosed incidents. So only 14% of these issues were not misconfigured servers.
That’s astronomical, that blows my mind when you think about it, because almost all the records were because somebody made a human error. So that right there should tell you the value of better training of individuals and better training of your personnel, and monitoring for this sort of human error element. Additionally, phishing still remained the leading initial infection vector for threat actors. So all the action vectors that we studied, phishing was 31%. So almost a third of the time, phishing was the way that threat actors attempted to get in. Meaning that from a threat actor perspective, at least, targeting the human is still very, very effective. This led over something like scanning and exploiting using a more technical method.
So threat actors are still trusting that when it comes to trying to trick a computer or trying to trick a human, they’re going to keep trying to trick the human. And until that changes, we need to be training our humans to be more effective, because threat actors apparently don’t even think computers are worth messing with, because they know humans are so dependable for screwing something up. So training people patching all vulnerabilities, I think those are the two most critical components for what security measures that organizations should prioritize.
But beyond that, I think when you’re looking at what other security measures you need to prioritize, let’s say you got these two things down, I would say it’s going to be very difficult for me to speak to any specific organization because every organization is a little bit different. And this is where threat intelligence really comes in. Threat Intelligence will help you understand what are the threats to your organization specifically. You know, for an organization of your size and your geography, and your industry, doing the type of work that you’re doing.
A threat intelligence apparatus can come in and have a better understanding of what the threat is for you, based off of who you are, and then provide tailored recommendations, rather than cookie-cutter broad-based recommendations that are meant to apply to any variety of organizations. Because at the end of the day, those cookie-cutter recommendations, while they’re still good, and they’re still valuable, if you don’t have anything else to work with, are not going to be nearly as efficient or nearly as cost-effective as specifically tailored recommendations based off of what threat actors are actually doing out in the wild, which is what threat intelligence provides.
So I would say if I were to summarize what security measures should we be using? Patch old vulnerabilities that’s got to be done. Train your people so they’re not the biggest vulnerability within your organization, try to prevent that sort of inadvertent insider issue. And then from there, leverage your threat intelligence apparatus to get more highly targeted specific recommendations for your organization so that you can prioritize based on who you are and not just based off of a broad idea of who you should be or who you might be.
Pam: Excellent advice. Well, Charles, thank you so much for taking the time to speak with me again, and any closing thoughts that you want to share before we wrap up?
Charles: I think in closing, the main point I want to capture here is the 2020 cyber Threat Intelligence Index is meant to capture the trends that we observed in 2019. What vulnerabilities we observed being used, what technology we observed being targeted, the different threats that we saw from threat actors across the globe, as we found them in 2019. But this is a constantly changing and constantly shifting landscape. And throughout 2020, we’ll almost certainly start seeing shifts in different directions. New threats will arise, old threats will come back from the dead and start being active again. We’ll see different vulnerabilities being leveraged, maybe new ones, maybe old ones.
And so this isn’t something where it’s just a one and done deal where you can look at this index and say, “Great, now I know everything that’s going on in the threat intelligence world, and nothing’s ever going to change, good to go.” This is something where it’s a matter of maintaining that knowledge, but using this as a good benchmark and saying, “Okay, here’s where we are now starting in 2020, and this is where we’re coming from. And now this is how we move forward.” But this will be a continual process for organizations, they’ll have to keep learning as we move forward and keep watching as we see new trends emerge in 2020. And of course, we here at IBM will keep reporting on these trends as we see them.
So make sure you keep monitoring keep watching this activity throughout the year, so that when we get to the threat index for next year, hopefully, you’ll start seeing things that you recognize along with some of the new data that we’re able to pull out as well. But I think that’s what I want to say as my closing thought is, this is a snapshot in time, and an analysis of historical trend information. But this is an evolving field, an evolving situation that will continue to change as time progresses. Which is why it’s exciting.
Pam: Awesome, thanks so much, Charles.
Charles: Thank you so much for having me.
David: And you know what, that report’s out now. I’m actually a little jealous that you got that sneak peek, Pam.
Pam: That is one of the perks of my role. One of the things that I really loved in that report was kind of the discussion that we had around the really old vulnerabilities. And it’s one of those things that we hound on all the time, it’s just like basic security practice of, you know, keep your patching up to date. And we see that a lot ironically in spam because, you know, as those spam messages come in, they’re taking advantage of those old unpatched vulnerabilities.
David: It actually reminds me of the types of things that you put on your list, and the to-do’s get longer and things get pushed down, and you just forget about it. And it happens anywhere you can think about, like your car, or your home, or your corporate infrastructure. And if nothing bad happens, it’s so easy to ignore but I think that’s what makes it such a delightful target. It’s known, it’s exploitable, and, you know, the attackers know that there’s a good chance when they send out their spam, they’re going to get a return on their effort. And that comes at the cost of, you know, anyone out there who hasn’t made the time to go through and knock out their security hygiene.
Pam: Absolutely. So David, do you have any good news for us this week?
David: I do. I really do. It was actually something that I just read about. It’s a U.S. cybersecurity talent program, and it has about 7,000 high school girls participating in the first 4 days of this multi-week program. So the program is actually already underway. It started back in January and it’ll complete April 23rd. And it’s called Girls Go Cyber. And it’s where high school girls will master new skills while working their way through an online training, and battle for cash prizes. So if you’re up for learning things like ethical hacking, forensics, or Linux, or you just like cash prizes and challenges, I think you should go out to girlsgocyberstart.org. There are a couple of dates to note depending on when you’re listening.
So, CyberStart Assess started back in January on the 13th and it’ll go through February 14th. CyberStart Game starts on February 10 and goes through April 17th. And then finally the CyberStart Compete, and this is the one where the top teams from different states compete, begins April 23rd and wraps-up the next day on the 24th. One other thing to note, if there are schools that have five or more girls that are really making great progress, then the boys are invited to join in too.
Pam: I really love the idea of this program. And I, in fact, shared it with the high school where my son goes, and they were immediately like, “We’re absolutely getting a team together.” And so I’m trying to figure out how I can keep an eye on the leaderboard to see what they’re doing.
David: I poked around and depending on how you cut and segment their leaderboard, it’s really fascinating to take a look at, you know, who’s in the lead. Texas, strong showing in a couple of those categories right now, I’m pulling for it. But, you know, with something like this, there really aren’t anyone that loses. I mean, if you participate here, it’s awesome. I think I was reading on there that girls that participate in this program are more likely to go into a computer science career. And ultimately, I think that’s the real goal, is to expose girls to cybersecurity and to encourage them to go into the field. We need that so much in our industry.
Pam: Absolutely. And that’s going to do it for this episode. So much thanks to Charles DeBeck for joining us again.
David: Subscribe to this podcast on Apple Podcast or SoundCloud, and make sure you never miss an episode. Thanks for listening.