Host Jeremy Cherny interviews Steve Moscarelli, Regional Sales Manager at Thales Cloud Security
“I knew that the internet was going to be the future when I was in college. I had roommates working at the New Media Lab at MIT and they were involved in building a precursor to the internet for DARPA. I also saw very clearly that the internet was built with no security at all – which really propelled me into my career.”
What are some of the things you read to stay on top of what’s happening in the world of security?
So I’d recommend that everybody pay close attention to Dark Reading. In many people’s opinion, it is often considered the number one site for keeping up with the constantly changing threat landscape. There’s the Phil Venables website, the Bruce Schneier website, Security Current, Security Weekly, Security Week, SANS, Brian Krebs’ website, the MIT Cybersecurity Review. If I was to rank these, I’d have to say, probably Dark Reading, krebsonsecurity, SANS, Security Current. And then there’s a lot of specialties, there’s Healthcare Information Security, there’s Data Breach Today, Payment Security. There’s a myriad of places that nobody has enough time to check – Threat Post, Cyber Scoop and HelpNet. However, I think most people look at Dark Reading as often as possible.
You work with a lot of Fortune 500 companies. What do they do for security awareness training?
They do try to trick their own employees sometimes. Having them open attachments or click on URLs from emails for them to learn from a safe source. They’re also certainly emphasizing multi-factor authentication and two factor authentication. At the end of the day, if you’re doing anything financial, you want a phone call. I see people doing more things on Slack and on Teams, which is not going through the traditional mail filters and SMTP gateways. People are also shying away from email. People are getting more into channels that are not monitored as much with everybody working from home, which makes things now the Wild West.
What do you see as the future of information security?
We have to get away from passwords, and that’s going to be very difficult to do. If you talk to some of the leaders out there, Bruce Schneier, and Winn Schwartau and people at SANS like Lance Spitzner, or perhaps Anton Chuvakin, I think that they all would like to find a way to get away from passwords. But that’s a very, very difficult proposition. To do that, third-party risk management is going to keep being a bigger and bigger thing. Every Tom, Dick and Harry is talking about the hack at SolarWinds right now. And SolarWinds is going to wake up a lot of companies to be very, very careful of their third party connections. It’s obviously the way that a lot of companies are adversely impacted because they might not be paying attention as much as they should to who they’re connected to. Like with the Target breach, that was their HVAC contractor. Starwood Marriott – they had the keys for their Oracle on their Oracle, they had the keys for VMware on their VMware. So the key for your VMware and the key for your Oracle are all on the same machine. So there were two people named in China that not only took the key for their VMware and the key for their Oracle, but they encrypted that data. So in the merger of Starwood and Marriott, there were situations where things fell through the cracks during a merger, and nobody was paying attention to the keys for their VMware and their Oracle. And, you know, obviously, with people going in an often haphazard manner to clouds, things happen, like at Capital One, I think most people know their s3 buckets were very leaky.