Authority Magazine
Cyber Defense: Josh Moulin of Operations Security Services at the Center for Internet Security On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Josh Moulin.

Josh Moulin is the Senior Vice President and Acting General Manager of Operations and Security Services at the Center for Internet Security. Moulin provides executive leadership for OSS while focusing on the mission of improving the cybersecurity posture of state, local, tribal, and territorial (SLTT) organizations. He is responsible for planning, developing, and executing OSS products and services, including the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), security operations, incident response, vulnerability management, digital forensics, data and analytics, software engineering, and threat intelligence.

Moulin has been working in the cybersecurity field since 2004. Prior to CIS, he was an Executive Partner at Gartner, where he advised executives in the U.S. Federal Civilian Government and Department of Defense on shaping organizational strategy, improving executive leadership, changing culture, driving innovation, maintaining information security and assurance, and implementing technology. Before Gartner, Moulin spent five years at the Nevada National Security Site, part of the Department of Energy/National Nuclear Security Administration’s nuclear weapons enterprise. Moulin served in a variety of roles, including as the Chief Information Security Officer and Chief Information Officer, responsible for all aspects of classified and unclassified IT and cybersecurity for this global national security organization.

Moulin began his cyber career while in law enforcement. As a police lieutenant, Moulin commanded a regional, multi-jurisdictional cybercrimes task force and accredited digital forensic laboratory, and was deputized by both the FBI and U.S. Marshals Service. Over Moulin’s 11-year law enforcement career, he led hundreds of cyber investigations, including intrusions, terrorism, extortion, white-collar crimes, violent crimes, and child exploitation. He has been qualified as an expert witness in the areas of cybercrime and digital forensics numerous times in state and federal court.

Moulin is frequently requested by organizations across the world to consult in areas such as cybersecurity, risk management, leadership, and facilitation. He has a Master’s Degree in Information Security and Assurance and has earned several professional certifications, including the CISSP, GCIA, GCFA, GSEC, CFCE, and CEH.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in Las Vegas, NV and after living there a few years, my family moved to a very small historic town of about 2500 people on the west coast. I found two things I was passionate about growing up: history and public service. By the age of 12 I already had a “job” (in addition to my paper route) teaching people about the history of the town I lived in. I also began taking a great interest in the town’s volunteer fire department and simply couldn’t wait until I was 16 to join its ranks. I approached the fire department about starting a junior firefighter program but was told the cost of insurance to start such a program was about $5,000 and the town didn’t have the money. Luckily for me, a few months later I was selected by a national program for my civic service and received a check for $5,000 that I could donate to any charity of my choice. Of course, I chose the fire department and the junior firefighter program was born — I even got to be the junior fire chief!

I went on to love the fire service and became certified at 16. I then spent 8 years doing that job, eventually becoming a paid firefighter/EMT and getting two college degrees in firefighting. While working in firefighting I decided that law enforcement was even more exciting to me, so I applied for a police officer position in one of the larger cities in my area and was hired. I spent the next 11 years in law enforcement working a variety of assignments including patrol, detectives, sergeant, and lieutenant.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’ve always had a knack for technology and was the kid that adults would call to make the clock on their VCR stop flashing. I built my first computer in middle school and went on to get into ham radio and had other technology hobbies. It was while I was a police officer though that my career in cybersecurity started. When eBay and MySpace were really taking hold, I began to get citizens calling about being defrauded online or that a child had been solicited via the Internet. We had no training or experience in computer or Internet crimes and most of these cases were so small that the federal government wouldn’t touch them. This left us telling people there was nothing we could do.

While any cybercrime was upsetting, I was particularly bothered by a rapid influx in cyberstalking and children being sexually exploited via the Internet. I approached my police department and pitched the idea of creating a high-tech crimes unit and sending me to school to investigate these crimes and become a digital forensic expert. I faced obstacles as this was both very expensive and groundbreaking — but I persisted and finally got the approval in 2003. After becoming certified, I started working part-time cybercrimes and part-time other cases as a detective, but once word got out to neighboring agencies, I was immediately flooded with work. Eventually, the unit I started became so popular that the FBI approached me and asked to partially fund the unit in exchange for me working FBI cases. This turned into me being deputized by the FBI and US Marshals, getting an FBI vehicle, funding, and more people. I did this for seven years, leaving as a lieutenant, by which time the task force had grown to ten people from nine different agencies and was the only standalone digital forensic lab accredited in the United States.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

The three character traits I believe have served me well in my career include: empathy, integrity, and communication.

From the age of 18, I’ve had a formal leadership position. My leadership experience started as a company officer in a fire department and then as a law enforcement officer. Often, I was by far the youngest person at an incident and yet I was making life and death decisions in mere seconds for people that were usually two or three times my age. As my career went on, I began leading larger teams — with my first large team being the IT and cybersecurity operations for a federal agency responsible for global nuclear weapons security, nuclear non-proliferation, special technology development, and other national security missions. In my 30s, I was the Chief Information Officer for this agency with well over 100 people working for me. What I quickly learned with this many employees was that I spent a good deal of my time hearing one heartbreaking story after another. The death of an employee’s spouse, a cancer diagnosis, a house fire, an injured child, and so on. At the same time, I got to celebrate so many life events with my employees: their first home, a new baby, a promotion, graduation from college, a marriage. I decided to always make the time to acknowledge these circumstances and to let my employees know that I care about them as a person, am genuinely interested in their success, and as long as they are doing the right things for the right reasons, I am there supporting them.

I have found integrity to be another critically important trait to have as a leader. On its face, everyone agrees that integrity is important, but to me integrity is more than having good character and being honest (although those are clearly important). Employees want to know that as their leader, I will never ask something of them that I wouldn’t personally be willing to do and when necessary, roll up my sleeves alongside them. I tell my teams that I will always be honest and transparent with them unless a situation doesn’t allow it due to some sensitivity, but short of that, they can expect I will tell them what I can. I also believe that having integrity means that a leader doesn’t allow something to continue under their purview that is in opposition to values, policies, or norms. Not taking care of problems within an organization results in good people leaving and a spreading of bad behavior like a cancer. As the saying goes, most employees don’t quit their jobs, they quit their bosses.

I don’t believe a leader can be truly successful without having excellent communication skills. The ability to share your vision with your employees, inspire them, and communicate important details can’t be overstated. Communication has been particularly challenging in light of COVID-19, where body language is often not available when having important conversations. Even with cameras turned on, it is still not the same as sitting in the same room as someone else.

One example of how I have ensured my message is getting passed all the way down through the organization I lead is by having skip-level meetings. These aren’t designed to cut out my direct reports, but rather give everyone an opportunity to ask me questions and hear my vision for the organization directly from me, eliminating any unintentional additions or deletions from going up through levels of management. I ask employees for feedback and listen to what they say, incorporating ideas when possible, and make sure they understand how their individual role, no matter what it is, directly ties to our mission.

Are you working on any exciting new projects now? How do you think that will help people?

I am working on several exciting projects right now within CIS. The one project that will fundamentally transform how we operate the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) is the digital transformation of our operations. This year, we will be implementing a new data warehouse solution, Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and data analytics and visualization platforms. Each one of these in its own right is a game-changer, but the total overhaul of our information and data management will allow us to be agile, react to sophisticated cyberattacks, provide actionable threat intelligence to our members, use automation as a force multiplier, and hunt threats across a vast data repository among many other things.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?

I started working in cybersecurity in 2003 as a law enforcement officer and spent the next 7 years as the commander of an FBI cybercrimes task force. I investigated hundreds of cybercrimes including child exploitation, intrusions, homicide, fraud, organized crime, public corruption, and others. I then spent five years working in national security as a Chief Information Security Officer (CISO) and Chief Information Officer (CIO) within the nation’s nuclear weapons complex, responsible for classified and unclassified IT and cybersecurity. Next, I spent over three years at Gartner as an Executive Partner, working with U.S. federal civilian and DoD executives as their trusted advisor, helping them with a variety of technology, leadership, and cybersecurity priorities. I now serve as the Senior Vice President of Operations and Security Services at the Center for Internet Security (CIS) and lead the organization responsible for the MS-ISAC, EI-ISAC, security operations center, incident response and forensics, intelligence, software engineering, and all products and services offered via a cooperative agreement with the Cybersecurity and Infrastructure Security Agency (CISA) for our State, Local, Tribal, and Territorial (SLTT) members. I have a Master of Science degree in Information Security and Assurance and several certifications in cyber including the CISSP, GCFA, GSEC, GCIA, CEH, CFCE, and others.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?

There are a number of different types of cyberattacks, some highly technical and others basic. While not an inclusive list, here are a few of the more common attacks:

Social Engineering: Social engineering attacks refer to attacks designed to deceive a user. These attacks range from phishing emails (described further below) to SMS messages (smishing), voice phone calls (vishing), fake websites that look legitimate (pharming), or other malicious activities designed to trick someone.

Phishing: Phishing remains the most prevalent form of attack and continues to be successful. A phishing attack is basically an email message sent that purports to be legitimate, but has malicious intent. It may contain a link to a site hosting malware or an attachment that has malware embedded in it.

Supply Chain: These attacks have gained significant notoriety since the SolarWinds attack. In SolarWinds, a software application was targeted by sophisticated adversaries and code was modified to create a vulnerability that the adversaries could exploit. When customers downloaded updates from SolarWinds, trusting that the update was legitimate, they were actually introducing a backdoor into their network. A supply chain attack works this way by targeting something in the supply chain of an organization — it may be a rootkit in a piece of hardware or compromised software.

Zero-day Exploits: These are attacks that exploit previously unknown vulnerabilities. Zero-day (or 0-day) attacks are problematic because cyber defense systems that rely only on signatures of known attacks are not effective and the vulnerability being exploited doesn’t have a patch available.

Web Application Attacks: Attacks targeting web services, such as cross-site scripting, SQL injection attacks, and cross-site request forgeries are very common because web applications generally house sensitive data or access databases that have information such as financials, personally identifiable information (PII), proprietary data, and others.

Ransomware: Ransomware is an attack that uses malware to infect systems and then encrypts the data on the system, making it unusable by the user. Ransomware commonly is designed to spread across a network to infect as many hosts and systems as possible, typically taking an unprotected or under-protected organization completely offline.

Denial of Service: A Denial of Service (DoS), or a Distributed Denial of Service (DDoS) attack is when attackers flood a system (usually a webserver) with so much traffic that the server becomes unavailable for legitimate traffic. DDoS attacks leverage a network of infected hosts across the world, known as botnets, to launch simultaneous attacks against a target. Organizations that don’t have DDoS protections in place can find themselves offline and out of business until mitigations are put into place.

Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?

Cybersecurity should be a concern for everyone, whether at an organization or as an individual. We have seen adversaries attack private individuals in an attempt to get access to an organization or government agency system or network. With a large number of employees now working remotely and not necessarily behind all of the cyber defense products they may be protected by at an office, the risk of an attacker gaining access to an employee’s device or network at home is a real concern. Individuals are often the target of cyberattacks that are motivated by financial gain (e.g., phishing attacks trying to obtain banking credentials to steal money) and the sophistication of an attacker may be very low. Or, an individual may be an executive of an organization that a highly resourced adversary has interest in, so they target the person via social media or personal email. Business and organizational risk really depends on a number of factors, such as what sector they are in, who they partner with from a supply chain perspective, and what would motivate an attacker. This is why it is very important that all organizations perform risk assessments to understand what threats and vulnerabilities exist and prioritize the necessary mitigations.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

The answer is, it depends. If we are talking about an individual that believes they are the victim of a cyberattack, they can certainly call their local law enforcement. Generally, if the person becomes the victim of identity theft because of an attack, they will want a police report case number to help them with credit bureaus and banks. Law enforcement will most likely not do anything though unless the crime is threatening bodily injury or death, or is of such a major financial loss that it would be considered a felony.

Organizations should have an incident response plan in place already that defines who to contact. Depending on the organization it may range from their local FBI office to their cyber insurance provider. If cyber insurance is in play, the insurance company will often dictate the incident response procedures and even what companies are authorized to handle the incident response and remediation. Organizations need to have relationships in place before an incident, such as with their local FBI office, and consider a retainer with a company if the organization doesn’t have its own internal resources in this area. If the organization is a State, Local, Tribal, or Territorial (SLTT) government agency, it can contact the MS-ISAC 24x7x365 for immediate assistance, guidance, and no-cost incident response services.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

Asset Management: We have a saying in the cybersecurity business that, ‘you can’t protect what you don’t know about’. This is one of the biggest mistakes organizations make and why CIS considers maintaining inventories of hardware and software assets part of basic cyber hygiene. When organizations don’t know what operating systems they have, what software is deployed, or have visibility into their systems, it is impossible to effectively provide protection.

Employee Training: Even with all the sophisticated cyberattacks and tools available, the primary way that organizations become victims of ransomware or other attacks is through simple, yet effective methods like phishing. No matter how much money an organization puts into cyber defenses, if employees have dangerous practices such as clicking on links or opening attachments from unknown senders, the organization will continue to be highly vulnerable.

No Executive Buy-in: Cybersecurity is not an “IT problem”, it is a business risk that should be managed at an enterprise level. Executives must understand their risks, vulnerabilities, and threats. CIOs and CISOs must also learn how to effectively communicate risk with executives in business terms, focusing on impacts to the organization.

Poor Identity and Access Management: The overwhelming majority of successful cyberattacks are carried out when an adversary has been able to steal legitimate credentials. Credential stealing is done a number of ways, but one of the easiest and highly effective ways to reduce this risk (by over 90%) is by implementing multifactor authentication (MFA). The challenges of MFA from years ago (poor user experience, difficulty integrating technology, etc.) have largely been addressed and organizations should require MFA usage in absolutely anything that can support it.

No Plan: As the saying goes, organizations that fail to plan are planning to fail. All organizations, regardless of size or complexity, should have a documented cybersecurity plan. This plan should include how to respond to an incident and how they address basic cyber hygiene. The Center for Internet Security (CIS) has multiple no-cost resources including the globally recognized CIS Critical Security Controls, which provide organizations with a roadmap to enhance their cybersecurity.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why? (Please share a story or example for each.)

  1. Invest in talent management. Cyber talent is in high demand with over 700,000 vacant positions in the U.S. alone. Take care of your employees, make sure they have adequate training and stay current, sufficiently resource them, and provide them with support so they can protect your business.
  2. Make cybersecurity a board-level discussion topic. Understand your risks, properly resource an information security program, enact governance, and implement policy across the organization. Support your cybersecurity staff by requiring all parts of the organization comply with security requirements — improperly managed shadow IT is a massive risk to businesses.
  3. Create and practice an incident response plan. Having a plan is an excellent first step, but it also needs to be practiced. Use tabletop exercises to practice, make sure everyone who has a role is involved (executives, legal, HR, communications, IT, cyber, physical security, etc.), take lessons learned from tabletops, and incorporate those back into the plan. Make sure the plan includes contact information for organizations such as the FBI, CISA, and if a state, local, tribal, or territorial government, the MS-ISAC.
  4. Assess your organization. Businesses are used to having annual financial audits as a normal course of business, but most don’t do anything like that for their IT or cybersecurity programs. Consider selecting a framework (CIS, NIST Cybersecurity Framework, ISO, etc.) and begin to course a path from where you are today to where you should be.
  5. Start with the basics. Before buying that fancy cybersecurity tool, make sure the fundamentals are addressed first. Make sure your staff has visibility across the enterprise, ensure vulnerabilities are being identified and metrics are in place to measure the effectiveness of patching, implement CIS’ basic cyber hygiene controls, make sure endpoints and networks are protected and monitored, enable logging for devices, appliances, and firewalls to assist in investigations, and consider cyber insurance and a retainer with a company in the event an incident does occur.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

How can our readers further follow your work online?

Readers can follow CIS, the MS-ISAC and the EI-ISAC via our website (cisecurity.org) and our social media channels. If they are interested in following me, they can connect with me via LinkedIn (linkedin.com/in/joshmoulin) or Twitter (@JoshMoulin).

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
