Sphera’s Ron Palermo provides his tips on helping companies improve their cybersecurity while staying in compliance.
The following is an edited transcript of the podcast.
James Tehrani: Welcome to the SpheraNow podcast. I’m James Tehrani, Spark’s editor program. We have a very special guest. His name is Ron Palermo and he’s Sphera’s Chief Information Security Officer. We will be discussing trends in cybersecurity. Thank you so much for joining me today, Ron.
Ron Palermo: Hey, thanks for having me. I appreciate it.
James Tehrani: Thanks for being here. Before we begin, can you give us a little bit of background on yourself?
Ron Palermo: Sure. So I’ve been with Sphera now for two, two and a half years as their Chief Information Security Officer and pretty much my entire career has been in the information security space. It is truly an evolved career and evolved field. I wouldn’t change it for anything. I enjoy it. It’s fun. It’s difficult, challenging, but it’s a very rewarding field so I like it.
James Tehrani: Definitely. And so you talked about kind of the evolution or you mentioned the evolution. So I guess the first question is what keeps you up at night these days with everything that’s out there?
Ron Palermo: Kind of staying in the present with what’s going on with the pandemic and COVID-19, many organizations have had to go mobile. So right now it’s how do I keep my colleagues and my people safe and secure while they’re working remotely. Our organization, we were fortunate. We had a lot of the technology in place, but others weren’t.
Ron Palermo: A lot of organizations had to scramble to put in different technologies and controls to make sure their colleagues and employees were operating in a secure environment, that they could do their day-to-day jobs, and maintain privacy and security and confidentiality.
Ron Palermo: So it’s been a challenge across the industry and across the globe. When we look at the risk space for the pandemic and business continuity, this is one of the areas that we look at is how do we protect our people when they go remote. In the event we lose a building or a facility, how do we make sure they can still operate and do their jobs?
Ron Palermo: So keeping me up at night has been how do we protect our people and, honestly, how our customers are protecting their people, and helping any way we can.
James Tehrani: Definitely. And so the companies that are struggling in this regard, what are some of the areas they’re struggling in? Is it just that they didn’t have the technology at hand when all of this went down earlier this year to be able to deal with a mobile environment, or is it more to it than that?
Ron Palermo: That is the primary reason: they just weren’t ready. They just didn’t have the technologies in place to support a mobile workforce. Our organization did, right? We have a virtual private network that we use to connect to our network. And we have ways to access our production environments and our test environments in a way that’s secure. It’s protecting ourselves, ensuring that only the right people get into the systems they need and making sure the bad guys stay out. So that’s been the primary driver: companies just weren’t ready for this. Not many companies were, to be honest. It’s been a once-in-a-lifetime event.
James Tehrani: So it’s interesting to think about when you think about cybersecurity, you think about the technology that has evolved to keep people safe. But it’s also on the other end those bad guys that you’re talking about. They’re always evolving, too. So what are some of those cyber concerns you’re seeing today that maybe you weren’t thinking about, or nobody was thinking about even a few years ago?
Ron Palermo: Good question. Good question. We look at cybersecurity as a whole space, and it is vast, right, when we look at it, from protecting our customers’ information, our personal information, making sure data is available and making sure our systems are available to our customers. So there’s a lot of space to cover. As things have evolved, we know that the attacks have gotten more personal. We know that the bad guys have taken a very personal approach through phishing attacks, and they’re going after very specific people within an organization. And it’s a concern because they are getting really good at it. They’re able to craft messages and communications that essentially mirror what we would do internally and what other customers would do internally.
Ron Palermo: There’s been a huge increase in security awareness across the industry, and security awareness training has always been there. But over the last, I would say, five to seven years, organizations are investing heavily in security awareness training. They’re figuring out that their weakest link is their weakest colleague. The colleague that clicks on that one link or is fooled can infect and affect an entire company. So focusing on training, focusing on awareness has been something that’s changed, I think, over the last five to seven years; it’s really grown.
James Tehrani: Definitely. And I think just the type of emails I get on my personal email account and they say they come from Amazon, they come from Apple. And a few years ago they were pretty obvious because there were a lot of typos and things like that, but they look much more sophisticated now. What are some of the areas that people can look at those types of emails to ensure that they’re coming from where they think they’re coming from and not click on a nefarious type of link?
Ron Palermo: Right. That’s another great question. The first thing you do is ask yourself, “Am I expecting this? Should I be getting this email? Have I done something to prompt this email?” An example is I got one from PayPal this morning saying my account was frozen. I know I’m a professional in the space, but if I wasn’t, taking that approach of “was I expecting something from PayPal,” the answer is no, I wasn’t. I’ve been operating with PayPal day in and day out for years now. I’m always looking at the account and checking on it. So I wasn’t expecting anything.
Ron Palermo: Kind of the next step I take is I hover over the link that they want me to click on. I don’t click on it. I just put my mouse over it. And then I kind of look at what it shows me. And again, if it looks like a legitimate link and the email’s crafted to look legitimate, the next step I take is I actually don’t click on the link. I go to PayPal separately in a separate browser and I go to paypal.com and I log in and I look for the message, right? All of these, your financial institutions, PayPal, and similar, they have an inbox, and you can go to the inbox and all the messages you would get in emails they put there as well. So I do that separately and I go and check. Does it take me a little more time? Yes, it does. But better a few more seconds, 15, 20 seconds, than hours or days of my system and my peers’ systems being down because of a ransomware attack.
James Tehrani: Sure. And I don’t want to get into the weeds on this too much, but I find it kind of fascinating. So like you said, there’s always someone, especially in a large organization, who’s going to click on a link that they shouldn’t have. What’s this first step or the first few steps that a worker or an employee should do if they had clicked on that nefarious link that they shouldn’t have? What should they do right away?
Ron Palermo: If they recognize it: “Oh, crap.” There’s that “Oh, crap” moment and, “I shouldn’t have done that.” The first thing they should do is turn the computer off. Turn it off. Just hard shut it down.
Ron Palermo: And then the next step is to call your help desk and notify them that you may have clicked on a link. In our situation, our help desk would then involve our security team. And we begin an investigation. We get their laptop. We put it in an isolated environment. We turn it back on. And then we start looking at it.
Ron Palermo: To be honest, in our environment, given the speed at which we work, we’ll spend a little bit of time looking to see if something was infected. But at the end of the day, if you told me you clicked on a link, most likely your system’s being rebuilt from scratch so we can ensure that any malicious code, whether it’s there or not, is not going to affect our organization. But yeah, that’s it. Turn it off, disconnect it from the network, turn it off. That’s the advice I give you.
James Tehrani: Great. And so obviously it’s fear. We talk a lot about safety issues in so many different areas, but we don’t really talk a lot about cybersecurity. But I’m curious what you think or how high you think cybersecurity ranks in terms of how much an organization should be focusing on that versus other types of risk and safety areas. Because it seems like in 2020 and in the future, cybersecurity is huge.
Ron Palermo: So you look at what type of organization it is. I think you’ve got to start there, and organization types will have varying degrees of security requirements, right? So, a financial institution, healthcare, a critical infrastructure piece, power plants, water processing facilities, they have certain requirements that they just have to maintain by regulation.
Ron Palermo: Outside of those organizations, then you need to look at what’s your risk [inaudible 00:14:06]. What’s the information that you’re holding onto? Is it your employees’ information? Is it personal customer information? And looking at all that, doing a risk assessment on all those pieces of information, and then from there you build up your program and the level that you need it to be at.
Ron Palermo: Cybersecurity is one of those things, when I look back 20 years ago, it was something people did on the side. It was something that just started to be important. Nowadays, if you don’t have an information security program, you’re probably in violation of a few regulations. So, it’s important that organizations have one and that they invest time and money into cybersecurity because it is important.
Ron Palermo: When you look at the recent breaches across the space with Equifax and Target and Sony, just to name a few, the information that was taken can lead to identity theft and it’s important that organizations try to protect that data as much as possible.
Ron Palermo: The other area that a lot of people probably don’t realize is that it’s not a matter of if you’re going to get breached, it’s a matter of when. And to that point, you need to have the controls in place so you can catch it as quickly as possible and stop it. Because the bad guys are better than the good guys. They just are. They’re funded, they have more time, and it’s their career. It’s their job to break in and steal. So, we’re always behind the curve a little bit, but the sooner we can detect an issue, the better we can stop it and then protect our data.
James Tehrani: Definitely. And so what are some of the trends you’re seeing in terms of cyber attacks? Are there certain attacks that you’re seeing more of now than you had in the past?
Ron Palermo: Going back to the pandemic and the remote workforce, phishing attacks are off the charts. They’re through the roof. I would guess when this year ends, the statistics are going to show that phishing attacks are at an all-time high. People being out of their offices, away from their peers, they’re more susceptible to attack.
Ron Palermo: The stealing of personal information is another area, so major data breaches, right? Going into an organization and stealing the employee list with all their social security numbers or personal identifiable numbers, and then using that to generate identity theft and fraud. That trend has been on the increase for a number of years and is continuing to go up.
Ron Palermo: Yeah, as far as other spaces, I mean, when you look at critical infrastructure and the manufacturing space, anytime a bad actor can get into a power plant and cause havoc, they’ll do it, right, just to get their street cred and their name out there. And in the worst cases, they do it for ransom. They’ll shut down power. And this has happened in several cases overseas where power plants have been shut down and ransom has had to be paid for the bad guys to release the systems to start generating power again.
James Tehrani: Is that sort of the intersect? I mean, it’s sort of interesting to think about like an IoT or IIoT device. They make things so great for gathering data, but they also have to be really secure because there is that possibility. Is that kind of part of the equation?
Ron Palermo: It definitely is. Industrial control systems, SCADA devices, 10 years ago, 12 years ago, they weren’t connected devices. And then all of a sudden, almost overnight, they’re connected, right? And they’re available on networks and susceptible to hacking. In fact, most industrial control systems when they first came out were using outdated operating systems. They didn’t even have the ability to be patched. And they were being breached all the time. They were being hacked and taken over. And there are numerous instances that have been publicly available where SCADA devices and industrial control systems have been breached and caused havoc, caused harm, caused plants to fail, explode, serious damage, personal damage. So yeah. That industry luckily has evolved.
Ron Palermo: When you look at not only manufacturing, when you look at hospital systems, right? In your hospital room, if you’re ever in there, you know that there’s a lot of systems. A lot of those systems now are connected, right, so the nurses’ station can see what’s going on with your blood pressure and your heart rate, right, and the medications you’re taking. You don’t want those hacked.
James Tehrani: No.
Ron Palermo: You don’t want some bad guys giving you a whole push of morphine or something. So, those systems, they have evolved. Are they hack proof? No, nothing is hack proof.
James Tehrani: Yeah.
Ron Palermo: But the industry has definitely gone the right direction and done a fairly good job of protecting that critical infrastructure.
James Tehrani: Definitely. And that kind of ties into a little bit about what you were saying earlier about how these hackers are getting more personalized with using information that might actually apply to the person just to maybe get more information out of somebody else.
Ron Palermo: Mm-hmm (affirmative).
James Tehrani: So it’s all very interesting. I want to turn to another topic that I think has changed over the years, but I kind of wanted to get your take on this. There used to be this feeling, or at least one that I saw, that the cloud wasn’t as secure as sort of an on-premises situation, because you had the information out there and you could, I don’t know, maybe hack into it somehow.
Ron Palermo: Mm-hmm (affirmative).
James Tehrani: But how has cloud security evolved over the last few years?
Ron Palermo: Well, you’re right. Cloud security, or cloud infrastructure, when it first was born was weak. It was not secure. And many companies, even today we see companies that are afraid to adopt cloud technologies. Organizations like ours have had to do a lot of work to assure our customers that we’re meeting common cybersecurity standards.
Ron Palermo: There are several certifications: ISO 27001. There’s NIST 800. There’s SOC 2, several others, especially in the healthcare space, that companies can get to prove to their customers that they have a sound program. When we look at the space overall, there are so many different regulations that need to be adhered to. And in order to do that, based on the industry you’re in, you need people who are dedicated to this.
Ron Palermo: Today when you look at cloud environments, it’s not much different than on-premises. The same security risks exist. The technology works a little bit differently, and there are some little different things that you can do there with things called microservices, but overall, you have to have a strong security foundation. You have to control access, right? You have to monitor what’s going on in the systems.
James Tehrani: Sure.
Ron Palermo: You have to perform assessments, right? Risk, vulnerability. Those have to be done on a regular basis. You have to understand where you’re at from a threat perspective. You have to understand your industry and what your threat vectors are. So that hasn’t changed from on-prem to cloud. I think the idea of losing control, that initial idea of going from on-prem to cloud is a loss of control. I can’t walk up to that server and turn it off. That mentality is starting to think. I think there are enough programs in place, enough certifications in place, that we can assure our customers that we’re doing the right thing.
Ron Palermo: And it doesn’t go just for Sphera. It goes for a lot of the other cloud companies, as well. And if you look at, just in your personal life, how many cloud services you use.
James Tehrani: Sure.
Ron Palermo: You want to make sure when you go to your bank that that information’s secure, that your finances are going to be secure. They have to go through several sets of testing and assessments to make sure that they’re protecting their customers’ money.
James Tehrani: Yeah, definitely. And similarly, I’m curious to get your thoughts on companies that allow their employees to bring their own devices, especially when you’re talking about mobile phones and things like that. How difficult is that for a company to be able to monitor or to ensure the cybersecurity of those devices when they’re not necessarily the company’s devices?
Ron Palermo: It’s difficult. It’s difficult. There are some controls you can put in place. Most companies start with policy, right? You have a policy that states you should not have customer information on your mobile device, but we know there are times when that happens. So then as a security organization, you have to go a little further. You have to make sure, even though it’s a personal device, there’s some control over it, right? There’s some control over what can be done to the device. You don’t want the devices jailbroken, right? You don’t want them to have rogue operating systems. You want to make sure that they’re encrypted, right? All current iOS devices are encrypted by default when you put a password on it. Android I’m not as familiar with but I believe it’s very similar.
Ron Palermo: So you want to try to get your hands around that problem as much as you can. Most organizations don’t get their hands all the way around it because it’s so difficult. The ones that do get their arms around it, they end up putting a lot of control into that personal device.
Ron Palermo: For instance, the email communications would be what we call containerized. So that application that’s used to read the email or to collect the email is completely managed by the organization. And in the event that there’s something malicious or that person leaves the company, they can click on a button and essentially wipe all that [inaudible 00:25:40] company data off that device.
Ron Palermo: So there’s several things that can be done. Viruses can affect mobile devices. So there is now some virus software that’s coming out.
Ron Palermo: The other point of attack for mobile devices, honestly, is the applications that you install. You want to make sure you’re getting them from a reputable source. Again, on the Apple side, you have the Apple Store, and all their applications are reviewed and have to go through a screening process. On the Android side, you have the Google Store, which does something very similar to what Apple does. However, on the Android side, there are far more areas or places to download applications. They don’t have the same level of security or oversight as, say, the Google Store or the Apple Store would have.
Ron Palermo: So that is a concern. And how do you manage that? There’s certain applications out there that we can use to manage personal devices. It’s probably one of the messiest areas of information security when the device starts to not be in our control fully. That’s where the real challenges start coming in. If we’re handing out company assigned phones which we do on occasion, those are fully managed. So it’s easier for us to kind of protect that data. But when it comes to personal devices, the challenges get higher.
Ron Palermo: There’s another trend that’s coming and some organizations are already doing this. But when we say, “Bring your own device,” we traditionally think of mobile. The trend is now going to bring your own device means your own laptop-
James Tehrani: Interesting.
Ron Palermo: … or other computing device. Because now we know that the tablets of today are as powerful as some laptops.
James Tehrani: Correct. Mm-hmm (affirmative).
Ron Palermo: And being able to bring those to work, organizations are looking at this as cost-effective, right? If I don’t have to spend $2,000 on massive laptops, or I can give a little stipend to my employees to offset the cost of the laptop they’re going to buy. Now there are some challenges, right? Because how do you ensure that they’re running antivirus? How do you ensure they’re not doing something malicious? How do you ensure they don’t get ransomware, right? All those things now start to come up and yeah. I mean, luckily we don’t do that part, because I would really not sleep at night.
James Tehrani: That would definitely keep you up at night.
Ron Palermo: It would definitely keep me up at night. Yes, it would.
James Tehrani: So I just wanted to ask you about one more thing. And this, I would have said maybe even a few years ago would be kind of futuristic threats, but you’re seeing more and more of what they call deep fake content out there where you can manipulate video, where people are saying things that they didn’t say or doing things that they didn’t necessarily do. And I’m just curious to get your thoughts as I don’t know how many companies have been targeted by this type of thing, but I’m guessing it has happened. How risky is this going to be for companies in the future? And are there any things that companies can do to help prevent those?
Ron Palermo: It’s very risky. I mean, if you’ve seen any of the deep fake videos, and there have been several around the election this year, they are almost indistinguishable to an untrained eye. There are some tools out there that can detect deep fake things, but they’re not a hundred percent foolproof. As the deep fake technology has grown, the detection technology is a step or two behind. So, there’s always that little gap there where the deep fakes are going to be better than the automated detection.
Ron Palermo: With that said, as somebody who’s taking in that information, you really need to evaluate that information. Is that something this person would say or ask for? We’re looking from a corporate perspective, right?
James Tehrani: Sure. Mm-hmm (affirmative).
Ron Palermo: Let’s talk about maybe a message from our CEO.
James Tehrani: Right.
Ron Palermo: The CEO comes on, we’re looking at a big publicly traded company, and there’s a deep fake of the CEO that says our company is not doing well financially. And think about what that would do to their stock price, how that would potentially affect their stock price in the short term if that got out publicly. Somebody can make a lot of money on that.
James Tehrani: Mm-hmm (affirmative).
Ron Palermo: So, controlling that is important. If you look at the social media venues, Twitter, Facebook, Instagram, they’re all starting to crack down on this and tag pieces of news or pieces of information as potentially fake or potentially inaccurate. I think that’s going to go a long way to help a lot of things.
Ron Palermo: But again, if you’re targeted inside your company, that gets a little harder, right?
James Tehrani: Yeah.
Ron Palermo: I think you have to go back to your security awareness training. I think you really have to train your people to kind of look out for these things. Deep fakes are an evolving tech, and it’s evolving really fast.
James Tehrani: Yeah.
Ron Palermo: I would suspect there’s not a lot of organizations that it’s on their radar, but I would think that from a risk management perspective, this is something that’s being incorporated into their programs and being evaluated. It may not be something that they weigh too much on today, they have too much risk on today.
James Tehrani: Sure.
Ron Palermo: But as that technology evolves and gets better, that risk is going to increase. So it’s definitely something that’s got to be on your radar. Let’s put it that way.
James Tehrani: For sure. Well, Ron, I really appreciate your time today. It was a great conversation, Ron. I really appreciate the time. It was really interesting.
Ron Palermo: Thanks. Thanks for asking. I appreciate it.