As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Christian Espinosa, Founder and CEO of Alpine Security, a cybersecurity engineer, certified high-performance coach, professor, and lover of heavy metal music and spicy food. He’s also an Air Force veteran and Ironman triathlete. He used to value being the “smartest guy in the room,” only to realize that his greatest contribution to the fight against cybercrime is his ability to bring awareness to the issue through effective communication. Christian is a speaker, coach, and trainer in the Secure methodology, helping to make the smartest people in the room the best leaders in the field. For more information, visit www.christianespinosa.com.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Christian Espinosa moved from Riverside, California to Knoxville, Arkansas when he was 12 years old. That was quite the culture shock. He grew up extremely poor (trailer, welfare, food stamps, government cheese) with a single mom and his two brothers. His mom was addicted to painkillers and was “out of it” most of the time. He was pretty motivated to get out of his small town in Arkansas, and out of his situation, so he worked hard to get accepted into the Air Force Academy. His initial plan was to fly jets, but when he graduated in 1993 there were no more pilot slots. He went into Communications in the military and served as an Air Force Communications Officer for 6 years on active duty. During these 6 years, he was first exposed to cybersecurity.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Christian became excited about cybersecurity during his time in the military and as a DoD contractor. The concept of cyberwar was interesting to him and he knew cybersecurity would play a major role in just about everything in the future. One thing that stands out is one of the initial war planning scenarios he went through, where he discussed how he would use a cyber attack to take out the electrical grid of an enemy city. The idea was to take out the electricity, so radar systems and anti-aircraft targeting systems would no longer work. This would allow him to fly over the city to carry out the mission undetected.
Can you share the most interesting story that happened to you since you began this fascinating career?
In 2013, Christian did a penetration test for a bank in California. There are a few different types of penetration tests. There are technical penetration tests that focus on computers and hacking, physical tests, like picking locks, and social engineering tests that center on human interaction. There are also penetration tests that are a combination of all three. Regardless of the test, the general purpose is the same — to break in and steal valuable information.
For this particular gig, Christian was tasked with a social engineering penetration test. His objective was to get into a specific bank branch and steal files. Christian didn’t have a lot of time to prepare, so he pretended to be a new hire for the bank but for a different branch.
Christian approached the bank he was tasked to penetrate before it was open to the public. He rang the bell for service, and a woman (Sally, the branch administrator) answered the door. Sally eyed him warily. “Hi, I’m a new hire at the branch on the other side of town. Bob [the general manager] asked me to stop by today to pick up in-processing paperwork. He wants me to hit the ground running,” Christian said.
Sally was reluctant to let Christian in, but he gave her the general manager’s name (it was easy to look that information up on the internet) and looked official (he was in a suit), so she did. She then escorted Christian back to her desk and asked him to take a seat.
“I’m going to call Bob and figure out exactly what you need. Give me a few minutes,” Sally said as she left her office to call Bob. While she was gone, Christian spied three files sitting on her desk. He grabbed them and slipped them into his briefcase.
“I wasn’t able to get a hold of Bob,” she said when she came back into the office a few minutes later. (He knew she wouldn’t because he had done his research — Bob wasn’t in the branch this early in the morning.) Sally said, “I don’t know what paperwork to give you, so you’ll have to come back later. I’m sorry.”
Christian told her he understood as he stood to leave. “Thanks anyway for your help,” he said as he turned and walked back out of the bank. Later that morning, Christian met with his client point of contact, Jessica, who wasn’t very pleased to see the three files he stole from Sally’s desk. Jessica asked him to head back to the bank to debrief the team on the results of the penetration test.
When Sally found out what Christian had done, she started to cry. She never even noticed the files were missing. She broke three bank rules that morning — she let him, a non-branch employee, in the bank before hours, she left sensitive company data on her desk, and she left Christian (a stranger) unattended.
Christian’s mindset around the situation is different than that. Yes, she broke the rules, but she’ll never break them again. She learned the hard way what can happen if you aren’t hyper diligent about data security, so one would think she would be extra cautious. Her direct experience with a data breach makes her an asset.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
From a personal development space, Tony Robbins played a huge role in Christian’s life. From the time he read Unlimited Power, he was a fan, and Tony’s message changed his perspective on life. Christian also attended many Tony Robbins events, such as Unleash the Power Within (where participants do the firewalk), Date with Destiny, and Business Mastery. Christian’s partner of 16 years, Jennifer, played a major role in his success. He went through many challenges in his career. When he was the Founder and CEO of Alpine Security, Christian didn’t have any colleagues to speak with. Jennifer was extremely supportive and acted as his sounding board. Sometimes just having someone listen to what he was going through was very helpful.
Are you working on any exciting new projects now? How do you think that will help people?
The most exciting project Christian is working on now is the launch of his book “The Smartest Person in the Room: The Root Cause and New Solution for Cybersecurity”. His book helps leaders of technical staff develop their team’s soft skills, or people skills. In cybersecurity, there’s too much emphasis on “hard skills” or technical skills. We end up with a lot of super smart, highly technical people who, unfortunately, posture and intellectually bully teammates, clients, and managers. This is the real reason why we are losing the cybersecurity war. His book covers a 7 Step Secure Methodology that provides a framework that highly technical people can use to improve their awareness, mindset, communication skills, and more. Ultimately, the book helps you be more secure with yourself.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Know your why — why you are in cybersecurity to begin with. Your why needs to be an emotional reason — something that resonates with you, at the core. Being in cybersecurity just for the money or for career stability is not good enough. You need to have a solid why. Cybersecurity is a profession (not a job) and to beat the cybercriminals, we have to work at it. If you are unclear about your why, Christian recommends you do the 7 Levels Deep exercise, which he talks about in his book. The 7 Levels Deep exercise, if done properly, will reveal what is really driving you, or even a purpose. It’s much easier to avoid burnout if you understand your true motivation behind doing something and feel like you are living your purpose.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The 3 things that most excite Christian about the industry are 1) the battle between criminals and normal people, 2) the opportunity to help simplify cybersecurity, and 3) the personality types in the industry.
For #1, many traditional criminals have moved towards cybercrime, as the risk of getting caught is lower and the rewards are greater. This makes it very interesting to be on the cyber defense side — we are constantly under attack and the cybercriminals are constantly evolving their tactics. For #2, cybersecurity has been overly complicated — we have complex frameworks with 1000 items on a checklist. Many cybersecurity professionals think we need to do all 1000 things to be secure. This isn’t feasible. It is much simpler to take a risk-based approach and figure out which security controls matter most, then implement those. For #3, his book is centered around these personality types — the high IQ technical staff. There seems to be this acceptance that IQ and EQ are mutually exclusive and if someone is really great technically, their lack of soft skills is accepted. Christian believes everyone has the ability to improve soft skills, especially if given a simple method, as discussed in the 7 Step Methodology in his book.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
For cybercrime, the tactics will evolve — we will see more impersonation, ransomware, blackmail, and extortion types of attacks. These are simple, minimal risk, and lucrative attacks for cybercriminals to carry out.
For cyberterrorism, we will see more attacks against critical infrastructure and connected devices, such as medical devices.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Quite a few breaches Christian and his team responded to last year involved impersonation. In one breach, the attacker did reconnaissance on the CEO of the organization, who the admin assistant was, and a few other items. For instance, if the CEO’s name is “John Smith”, the attacker would create an email for “John Smith” email@example.com — or something similar to this. The attacker then sends the admin assistant an email that employs authority and urgency. The email looks like it came from “John Smith” and the admin assistant typically doesn’t take the time to question the email, as they want to do what the CEO asks. This often is a test by the attacker to see if the admin assistant will carry out a mundane task, like respond to the email, buy gift cards for a client, etc. Next, the attacker will send an invoice to the admin assistant and ask her to pay it with the company credit card or forward it to accounting for immediate payment. This impersonation goes on for some time. In one instance, we saw the attacker was able to get the admin assistant to open an infected document. This gave the attacker access to the admin assistant’s computer, where the attacker was able to carry out more sophisticated attacks. All the attacks in this scenario involved money — gift cards, fake invoices, etc.
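The lookalike-sender pattern described above (an executive’s name on an outside address, followed by authority, urgency and money requests) lends itself to a simple mail-gateway check. The following is an added example, not code from Alpine Security or from the interview; the company domain, executive names, lure phrases and both sample messages are constructed for the demonstration.

```python
"""Flag executive display-name impersonation in inbound mail.

Hypothetical detection logic. It models the pattern described above:
the From display name matches an executive, but the address sits outside
the company domain, Reply-To points somewhere else again, and the body
leans on urgency or asks for gift cards / invoice payment.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organisation's own domain and the people most
# worth impersonating. In practice these come from the directory.
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"john smith", "jane doe"}

# Lure language the interview associates with these messages.
LURE_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
    r"\bgift cards?\b", r"\binvoice\b", r"\bwire\b", r"\bconfidential\b",
]


def normalise(name: str) -> str:
    """Lower-case, drop quotes/punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> dict:
    """Return the impersonation indicators found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = []
    # Core signal: a known executive's name on a non-company address.
    if normalise(display) in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        indicators.append("exec_name_external_domain")
    # Replies steered to yet another domain are a second red flag.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        indicators.append("reply_to_domain_mismatch")
    if any(re.search(p, body, re.IGNORECASE) for p in LURE_PATTERNS):
        indicators.append("lure_language")
    return {"from": addr, "display": display, "indicators": indicators,
            "suspicious": "exec_name_external_domain" in indicators}


# Constructed sample messages for the demonstration.
IMPERSONATION = """\
From: "John Smith" <john.smith.ceo@freemail.test>
Reply-To: <js-office@another-freemail.test>
To: assistant@example-corp.test
Subject: Quick favour

Are you at your desk? I need gift cards for a client right away.
Keep this confidential until I'm back.
"""

LEGITIMATE = """\
From: John Smith <john.smith@example-corp.test>
To: assistant@example-corp.test
Subject: Board deck

Please schedule the review for Thursday.
"""

if __name__ == "__main__":
    for sample in (IMPERSONATION, LEGITIMATE):
        print(score_message(sample))
```

A real gateway would also compare against the directory’s canonical addresses and handle multipart bodies; the name check alone is what stops the “John Smith” lure before the first mundane test request reaches the assistant.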
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
There are 3 main tools Christian uses. One of them is Wireshark (https://www.wireshark.org/). Wireshark is a network traffic analysis tool. It is extremely useful to determine what traffic your computer is sending and receiving. For instance, if you run Wireshark, capture traffic, and notice your computer is sending traffic to Russia and China, your computer may be infected. Another favorite tool is Nessus (https://www.tenable.com/products/nessus/nessus-essentials). Nessus Essentials is free and is a vulnerability scanning tool. You can use this on your home network to determine misconfigurations and missing application and operating system patches. The final tool Christian recommends is Have I Been Pwned? (https://haveibeenpwned.com/). With Have I Been Pwned, you put in your email address and it will tell you all the data breaches your email is associated with and what data was stolen. This is very useful information to know, because if you, like a lot of people, use the same password on multiple systems and your password was stolen in a breach, the chances are high that other accounts of yours will be compromised using your stolen password.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Christian believes in hiring experts and using our time for what we are great at. If you are small and don’t have a large team, find a cybersecurity consultant or fractional CISO service that can help you on an affordable and scalable basis. Too many people try to do cybersecurity themselves, at the cost of their core business. We should focus on our unique ability and generally avoid doing things just because we can. There’s always a cost. Over-the-counter cybersecurity software is okay, but it is typically not maintained or configured properly. He recommends a cybersecurity agency sooner rather than later. This is no different than hiring a bookkeeper or web developer. As for a CISO, when the organization gets to be around 10 staff members, has a plan for growth, or has compliance rules, it makes sense to put a fractional CISO in place. The CISO should help develop a strategic roadmap that aligns cybersecurity initiatives with risk, compliance requirements, and business objectives.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Certainly. The first sign is simply an anomaly. This could be your computer crashing more often, a window popping up on the screen periodically then disappearing, an increase in emails, slowness, etc. A second sign is account lockouts or failed login attempts. A third sign is partners or friends reaching out to you unexpectedly about strange emails, calls, etc.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
I recommend these five items:
1. Follow your Incident Response Plan (IRP)
2. Get Legal Counsel (Inside or Outside) involved
3. If you don’t have an Incident Response Plan, seek outside assistance to help with the incident response
4. Contact your local FBI office: https://www.fbi.gov/contact-us/field-offices
5. After consulting with the FBI, consider filing a complaint with the Internet Crime Complaint Center: https://www.ic3.gov/Home/ComplaintChoice/default.aspx/
How have recent privacy measures like the California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Yes, these laws have affected Christian’s business and many of his clients. For his business, they simply have chosen not to do business with EU individuals that fall under GDPR. These laws sound great for consumers, but they are often extremely difficult and expensive for a business to comply with. Plus, these laws and regulations open up businesses to scams and fraud. For instance, if I’m an organization that must follow GDPR, a scammer/criminal could use someone else’s data to commit fraud, then invoke a right-to-be-forgotten request. The organization must comply and prove they deleted all personal data. This has also been used to glean information. I can simply pretend I’m someone else and submit a data subject access request. The organization then has to provide all personal data to the requester.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Not doing the basics — such as patch management, configuring devices properly, and training users on phishing emails.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, there has been a huge uptick in cybersecurity issues, for two main reasons. One reason is fear. COVID-19 has resulted in a lot of fear. Cybercriminals play on fear. Fake COVID-19 tracking websites, COVID-19 phishing emails, COVID-19 vaccination registration sites, etc., have all been set up and used to compromise computers and steal information. The second reason is tied to working remotely. Many individuals had never worked remotely before COVID-19 and many organizations did not have a remote workforce policy. So, we end up with people working from home with personal laptops, unsecured home networks, and more. We’ve seen many cases where an individual was using a “home” laptop that 3 family members (16-year-old daughter, wife, and husband) all had admin access to. This was not a secure laptop. Plus, most home networks are not secure either. This simply opened Pandora’s box. If the laptop used for remote work is compromised, so is everything on that system — all the emails typed up for work, the work passwords, VPN access, etc.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Patch systems. This includes the Operating Systems and the Applications installed on the operating systems. This also includes the routers, access points, company phones, IoT devices, etc. Essentially, anything on the company network and any application should be patched. This seems like simple advice, but it is rarely done right. Most data breaches occur by exploiting an unpatched system.
- Configuration control. Similar to patching, devices that are on the network should have standard, secure configurations. I used to consult for a company that would simply buy laptops from Amazon and plug them into the company network straight out of the box. These laptops were missing patches, had extra software, had default passwords, etc.
- User awareness. Users are the weakest link. We need to train and test them on phishing emails, vishing (voice phishing), social engineering, and other common attacks. Without awareness, we can’t improve.
- Processes. Processes should be implemented to safeguard against attacks. This could be something like an Incident Response Plan or a process for paying vendors. We’ve seen many organizations get burned by paying bogus invoices because they didn’t have a process. A process for accounts payable could be as simple as validating the vendor did the work with the appropriate person in the organization and having a two-person approval process.
- Use a risk-based approach. Most organizations try to protect everything equally. This is a recipe for disaster. We all have limited resources. Critical systems and critical data should be defined and protected, based on priority. Sensitive data should be contained to only the systems necessary. It is much easier to protect sensitive data if it is on 2 systems, instead of 20 systems.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Christian’s movement would be to pick one step from his book and focus on improving in that single area over a 30 day period. After 30 days, reflect on how your life has improved.
The 7 Steps in his Secure Methodology are below with a quick summary from his book:
Step 1: Awareness
- We talked about blind spots and how putting ourselves in the shoes of others will broaden our perspectives. We discussed the difference between uninformed optimism and informed realism and that awareness means preferring the latter.
Step 2: Mindset
- Without the right mindset, we aren’t amenable to change. We also aren’t motivated to make a commitment to change. To succeed in cybersecurity and win the war, we need to take the red pill, not the blue one, and embrace growth and change.
Step 3: Acknowledgment
- Acknowledgment teaches that without recognition, technical employees become disengaged and focused on the wrong thing. We also talked about the “sandwich approach” and how to build rapport quickly using acknowledgment.
Step 4: Communication
- Communication follows to balance the other six steps, the center support of the seesaw. First, we familiarized ourselves with the negative impact of “geek speak,” “robot talk,” and poor listening skills, and then we covered the difference between left- and right-brained people and how to alter communication to be more effective.
Step 5: Monotasking
- We explained how multitasking makes you a slave to everyone else’s time. We learned that multitasking can lead to anxiety and a lack of presence and quality and that to reclaim your agenda, you need to monotask and schedule block time.
Step 6: Empathy
- The focus was on the human connection and mankind’s inherent — albeit misguided — need to focus on differences. We talked about two different categories of empathy (cognitive and affective) and ended with the goal to find and emphasize similarities.
Step 7: Kaizen
- We highlighted the need for constant and never-ending improvement. We discovered there are two types of people in the world, masters and dabblers, and that true mastery takes time. We learned to embrace uncertainty and take baby steps.
How can our readers further follow your work online?
They can visit my website www.christianespinosa.com or follow me on social media.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.