Ali Allage, CEO of BlueSteel Cybersecurity, joins Charlie Venus on this episode of The Trusted Advisor Podcast. Cybersecurity is always a hot topic, and this two-part episode is no different. BlueSteel Cybersecurity delivers enterprise-level security services for Fortune 5000 companies and government agencies. If you are looking for ways to explain why a client may need this coverage, or what this coverage is really fighting against, you will want to tune in to both parts of this episode.
Edwin K. Morris (4s):
Welcome to the Trusted Advisor Podcast brought to you by Iroquois Group. Iroquois is your trusted advisor in all things insurance. This week, you’re listening to the special segment of Charlie’s Corner hosted by our very own Charlie Venus.
Charlie Venus (22s):
Welcome to today’s podcast and our guest, Ali Allage, who is the CEO of BlueSteel Cybersecurity. So a little bit about Ali. He is a passionate entrepreneur, cybersecurity nerd, car enthusiast, data storyteller, and technologist. As CEO of BlueSteel Cybersecurity, the mission is to deliver a new approach in intelligent cybersecurity protection, certification, engineering, and strategy services for small to mid-size organizations. With 20 years of experience leading technology companies, from tech-focused problem-solving to the creation of consumer and business applications and platforms, Ali is great at taking what a small, specialized group understands and communicating that to the mass market.
Charlie Venus (1m 11s):
So welcome to the podcast, Ali.
Ali Allage (1m 13s):
Thank you. Thanks for having me.
Charlie Venus (1m 15s):
Great for you to be here. So we have done several podcasts in the past on cyber liability. And because we are in the insurance business, we have our agent members selling cybersecurity products. But what we wanted to focus on today was really some risk management and prevention techniques businesses can use to minimize the potential for cyber losses and cybercrime. I got this from your website and I thought it was just an incredible piece of data. It says if cybercrime was measured as a country, it would be the third largest economy in the world behind the U.S. and China.
Charlie Venus (1m 56s):
That is just absolutely astounding. Yeah. So I wanted to start with people, administrative controls, and what you think people should be doing in terms of cybersecurity training.
Ali Allage (2m 8s):
That was a great statistic that you sort of introed into this. I mean, at the end of the day, it is becoming a business model and it’s growing exponentially. And so one of the things that I always start with is around culture adoption. So a lot of these organizations, if you ask sort of a random staff member, what are some of the best practices that you could follow in order to keep your organization secure and how do you practice them? And a lot of times it’s asking that one question that you will, you’ll get answers, but none of them within the same organization are the same, right? So someone will say, you know, I don’t answer suspicious emails or someone will say, I tend not to download certain attachments.
Ali Allage (2m 48s):
It’s variable. And I think the basics that I usually start with is sort of, what’s the north star? What’s the common message that everyone needs to go after or be consistent with? And in cybersecurity, the biggest common issues are always on following the basic principles and ensuring that you’re consistently following them as an organization, not only from the top, but also to the bottom. Everyone on the staff, everyone in the organization knows what they have to practice on a daily basis. As I said, the way to find out that that’s actually occurring is to ask someone randomly in the organization, what do you follow as sort of the best approach?
Charlie Venus (3m 22s):
That’s a pretty simple assessment technique, too. So when you look at email, website browsing, social media policies, what do you typically see out there, and what are your recommendations to improve those areas or maximize the controls in that space?
Ali Allage (3m 41s):
I’m a big fan of compliance because compliance is sort of your measure of a best practice, right? And it depends on the compliance. Typically what organizations have, and what I’ve seen, is it’s based on sort of the IT department and their firewall rules. They’ll tell you either you can go to a social media site or you can’t, right. A lot of times the communication policies of the organization sort of take some level of a factor. So if there is a marketing department and they’re trying to promote a lot of messaging or subject matter expertise, we have to sort of open that up and allow the staff members to participate in social, share the company’s information. From my perspective, as far as social media is concerned, it really comes down to what sort of information you’re willing to share with the neighbors, to share with a good friend, and whether or not, by putting it out there, what the risk level of exposure is.
Ali Allage (4m 33s):
Some of the best practices that hackers will use are social engineering. So depending on what you put out there, a lot of times that could be used in order to figure out ways of gaining entry into an organization’s infrastructure and their repository of data. I always firmly believe as a best practice to make sure that whatever information is shared on social media is information that you wouldn’t feel comfortable giving out to a publicly available market or individuals or the audiences. I don’t necessarily believe in sharing where you are going to go as far as vacation. And I never really like it when, let’s say, staff members share meeting locations or certain pieces of information like that. Typically it’s sort of, keep it within an area that you don’t necessarily want to give out to the masses.
Ali Allage (5m 18s):
If it’s information that’s sensitive, that you would want to only give to, let’s say, a relative or sort of close acquaintances, the way I usually say it, that’s probably information you don’t want to give out on social media.
Charlie Venus (5m 30s):
When you look at email, because historically so many of the cyber crimes have emanated from phishing attempts or, you know, some type of a zip file that you get, or some other type of attachment or links, what kind of controls should companies have over their email system?
Ali Allage (5m 50s):
From my perspective, from a technical perspective, there’s a lot of tool sets to manage what gets to the inbox and what doesn’t, right? We, even as an organization, participate in what we call phishing games. We’ll assess the company’s culture, do a little bit of social engineering ourselves. And then if we know, let’s say, everyone’s into concerts and music and that – after the pandemic, probably not as much, but now that things are opening up, maybe so – we’re sending out emails and taking a statistical count as far as how many people open it. I would say if it’s out of the blue, especially if it’s in a work environment, work email, you know, the best practice really is to not open it. Not open the attachment, keep it quarantined, and have it reviewed by, let’s say, IT staff, right?
Ali Allage (6m 33s):
Typically there’s a lot of tools out there. Depending on whether or not the organization has a policy on phishing emails, or how they scan emails that do come into the inbox, it’s something they can flag and send off to IT to sort of cleanse before you do anything with it. I’ll tell you, when it comes to the sort of the malware approach, it’s to the point where there is a sophisticated business model attached to it, and it’s no different than any one of these spam email messages that we get all the time. You know, typically what they have is the framework. They get an email list and then they just hit up the email list. Profitability of what they’re looking at is they send it up to a thousand people in the hope that they have one to 2% open the email. It’s no different than your typical marketing campaigns.
Ali Allage (7m 14s):
And so if you think about it in that case, how many of these emails are you getting on a frequent basis that could be potential phishing emails? And you don’t even need to go as far as opening up an attachment. That’s how sophisticated these things are getting, so anything suspicious, anything out of the ordinary, my suggestion is quarantine it and then send it to the appropriate internal staff to do a review or cleanse, or if you have something on your device to do so, I would do so.
Charlie Venus (7m 41s):
You read about application security, information security, and network security. Can you explain the differences between each of those?
Ali Allage (7m 48s):
Yeah. So information security typically is where the organizations house data, right? So this is your data infrastructure. You know, it’s different than saying a farm of databases has its own ecosystem, but these days we have business intelligence tools that access this information. So, you know, a dashboard, statistics, all sorts of things that direct from there. Then you have your network systems where essentially, this is your flow of information. So these are your networks with your Wi-Fi devices and users. Your typical operation is conducted using technology. And then you have your application security, which really falls on, if your organization provides a product, a software product, or if you’re using software products from different levels of vendors, there’s vulnerability aspects to that as well.
Ali Allage (8m 37s):
An example would be if you use a cloud solution, like say Salesforce. Not to say Salesforce is not highly locked down, but let’s say you use Salesforce. You’re putting in a lot of your customer or your information there into that database. You know, whether or not it has the ability to be penetrated to acquire your customer’s information. Those are sort of the three areas. So one is sort of the products you use, one is more on your operational flow, and one is your organization’s internal storage or information repository.
Charlie Venus (9m 8s):
When you are working with a company, are you recommending that they have their own servers or that they use cloud storage? Or do you recommend both, just with different types of controls?
Ali Allage (9m 19s):
The most secure thing that you can possibly have is a machine on-premise that has access to nothing. That literally is probably one of the most secure ways. I mean, even that has its issues, because what if the hardware doesn’t work, right? So you can go down the different levels of rabbit holes, right? Ultimately it really depends on the type of business, right? It’s not one size fits all. If you’re in an area where you’re prone to natural disasters, then on-prem, you know, on-premise devices may not be the best solution there. You could have them, but if you have a great disaster recovery system, which we’re hearing about a lot with some of these ransomware attacks, you know, it’s essentially you wipe everything clean and bring the last backup online.
Ali Allage (10m 3s):
You know, I’ve seen organizations that are solely on premise, but then they have sort of a redundant on-cloud version operating in its own enclave. So it’s an enclosed environmental area. So if something happens to the stuff that’s on premise, they can immediately switch to the cloud. With the organizations I’ve worked with, so it’s a long story that I’m kind of giving you the long answer or response, but it really comes down to: it depends. Factoring in your environmental variables, your operational variables, it could be a hybrid, it could be one or the other. It really depends on the risk levels the organization is facing.
Charlie Venus (10m 37s):
Okay. So in both scenarios, you need to have that backup. You either need to have a mirror image of your onsite server or a cloud backup of that. And if you’re using the cloud, you need to have it stored in multiple sites.
Ali Allage (10m 50s):
Correct. Yeah. I’m a fan of redundancy, having redundancy. You know, you have to make that, I mean, it’s more to manage. You have to be careful with where you store the information as well. Some of the things that I’ve seen work really well, like I said, is the backup solution that sort of operates on its own, a sort of island or a series of islands. I also like the idea of hybrid solutions personally, because if one area should fail, you have the ability for an immediate fail-safe. And then if that should fail, then you go to the recovery mode, because there is a time gap or a time lapse that occurs when you have to go to your recovery process. But like you said, having backups at a minimum is a really great way to operate securely.
Charlie Venus (11m 36s):
From a network standpoint, you hear about firewalls, intrusion testing. Take us through what all of that means, how you go about that, and what customers should be thinking about with that network security.
Ali Allage (11m 48s):
You know, there’s a difference between intrusion detection and detection, or the, all of it comes down to the central aspect of what you have as far as a firewall. And now the firewall is sort of loosely used in the sense of saying, well, if you have a singular network, you have a firewall to protect your devices. These days, the whole point of a firewall is to make sure that you keep outsiders out. I mean, you keep the insiders operating safely when they go outside, and you just want to make sure that you have ways or channels to prevent unauthorized access into the central network. Sophisticated networks actually have layers of firewall control systems, right, where there’s a combination of hardware, right?
Ali Allage (12m 28s):
So these are the things that sit in your local on-premise network area. You have cloud solutions that have firewall devices as well. And you have software, or levels of firewall, which are meant for different purposes and aspects. And so, depending on, coming from compliance, you have a standard of how you configure all of these variables. And then once you have a baseline configuration that this is how we are going to operate, we’re going to allow this sort of traffic coming in, these, or the VPN. So if you have remote users that have to log on to the VPN, so virtual private networks, they are tunneled right into and sort of given access to the internal network. Then you have what’s allowed and what isn’t allowed as users of the network, and the firewall sort of dictates, based on this configuration, what is allowed and what isn’t.
Ali Allage (13m 15s):
Once you have that configuration set, it’s a matter of, depending on the services that you use, you can run different levels of penetration testing. So with pen testing, you have different forms of it, but what that does is it basically allows the services organization or the vendor to run threat models, write threat scenarios, to try to gain access to or bypass the firewall. A lot of times, depending on the hardware or software you use, it’ll carry a log and tell you how many attempts were made to gain access to the network through the firewall, what the firewall protects against, what it allows through or cautioned with. So it’s a great setup to have if you are trying to keep a site or the network locked down, but it all is dependent on a policy that dictates what configuration should be set up on the firewall in order to monitor what sort of unusual behavior is being conducted versus what’s standard.
Charlie Venus (14m 9s):
Now, is it customary that, you know, a business that is utilizing an IT consultant for support, that they do all this testing of their system?
Ali Allage (14m 20s):
So there’s different types of vendors out there. There’s what’s considered the MSPs, or managed services providers; this is your IT support. They take care of the daily operations of, you know, if someone has an issue with their device or a software, they can submit a trouble ticket. Then you have managed security services providers, your MSSPs, so these are the ones who monitor. There’s so many tool sets and technology out there that can monitor, capture all sorts of different types of activity and different ranges. Companies can enlist outside services. You can also invest in building your own internal infrastructure. There’s a cost-value proposition associated with that. The benefit of a third party is that you have what would be an independent, technical, unbiased evaluation of the security posture of the organization.
Ali Allage (15m 7s):
A lot of certification compliance measures require that, because they don’t want any sort of leeway in the sense of what is allowed and what isn’t. As far as operational is concerned, you know, I’ve seen it work on both sides. Like I said, it comes down to cost-value. Internally, you have to have the resources and the licensing tool sets to manage all of this stuff. Whereas hiring a third party alleviates a lot of that cost, but with it, you have to evaluate and make sure that the third party is doing what they’re saying they’re doing. And then it’s sort of, you’re relying on them to be your fail-safe when it comes to your IT operations. So again, it comes down to risk and what the organization is comfortable with. I’ve also seen hybrid, internal mixing with external resources, which I think is probably the better approach.
Edwin K. Morris (15m 53s):
Thanks for listening to this edition of Charlie’s Corner, brought to you by Iroquois Group. I am Edwin K. Morris, and I invite you to join us for the next edition of the Trusted Advisor Podcast.