Welcome to the Debut Issue of Get CyBUr Smart: Behind the Screens.
Get a little CyBUr Smart, be a whole lot Cyber Safer
Get CyBUr Smart: Behind the Screens - Issue #1
Hello Friends
If you made it this far, THANK YOU for taking the time out of your busy Friday to read my musings. I wanted to take a quick moment at the top to give you my plan for this newsletter.
I know what you might be thinking (or rather, in my mind, it is what I hope you are thinking), “Darren, why are you creating one MORE thing to do?” Well, in all honesty, as a former teacher, I know (or I think I remember) that some people are visual learners, some are audio learners, and some are kinesthetic. I can do the first two (podcasts, book, this here thing), but I got nothing for you kinestheticers. Sorry about that. So this is really just one more platform to try and help keep, or make, folks cyber smarter, either in their personal lives or for their business.
Will this be the only newsletter you’ll need to answer all your cyber questions? OH HECK NO! But hopefully, I can find a way to make the whole cybersecurity topic a bit more interesting, easy to grasp, and maybe make you smile or laugh while you read it. I was voted “Funniest" Teacher” at Edgewater High School in Orlando in 1998 after all….
Each section is called a SCREEN (like a computer screen -get it?!) My ideal computer setup is a 3-screen layout so each newsletter will have “3 screens” (i.e. sections/topics.) That should keep me from droning on and on and you looking for the “unsubscribe” button, not that it will be an option. But here is a SUBSCRIBE BUTTON!
So let’s get at it…..WELCOME TO ISSUE #1
SCREEN #1 - Here a hack, there a hack, everywhere a hack hack
In doing a 3x per week news-focused podcast (The Get CyBUr Smart Morning News Update - available wherever you get your podcasts) I continue to be struck not only by the sheer number of computer intrusions (what we called them in the FBI) but by the QUALITY of the victims. I mean, come on, is anyone even paying attention? In July alone, we saw CDK, HealthEquity, and Microsoft, just to name a few. Plus, there was news of a Fortune 50 company paying a Ransom of $75 million after an “incident.”
I fear we are all becoming numb to it all as you really have to dig and scour cyber-focused news sites to even find these stories. The CNNs, ABC News, New York Times, and their ilk are worried more about a politician’s take on cat ladies (that is as deep as this newsletter will EVER get with politics). And this is why the bad guys win. And getting numb to all these “incidents” (my goodness, I hate that term) is the worst possible thing we could do.
Since I retired from the FBI in 2019 my goal in all I have done is to try and build, create, and increase cyber AWARENESS. This means several things, understanding the variety of cyber threats out there (criminal, nation-state, hacktivist, terrorism-related, etc..), understanding how they do it (more on this in Screen #2), and putting in place simple methodologies to keep the bad guys at bay. But if we just accept all this as the course of normal business, then there will continue to be news report after new report of the next big “cyber incident!” (Seriously, can we just call them what they are when they happen (data breach, ransomware, whatever….)
Before I get to Screen #2 a quick advertisement break for my book: Get CyBUr Smart: A User-Friendly Guide to Keeping Your Family, Your Business, and Yourself Online.
The book is available HERE if you have friends or family members who need some simple solutions to make them Cyber Smarter because if you get a little cyber smarter, you get a whole lot cyber safer. Pass it along…. (or don’t - no pressure).
Now back to our regular programming.
Screen #2 - Post-Mortems, Can we just mandate them???
Ok, so this first issue is kind of my greatest hits as I am repeating a lot of what I have said on other platforms, but for my new friends at least it is new to you…
So let me discuss a bit here my obsession with cyber post-mortems. I think we can all agree that the majority of major cyber incidents have a full-blown incident response that is likely to determine the method of entry, what vulnerabilities (if any) were compromised, and what data was acquired, lost, or altered. This is VALUABLE information for those who have not become victims yet, but it is rarely shared.
For example, the February Change Healthcare “incident” was a massive mess (and continues to be). Does anyone NOT think knowing the tools, tactics, or procedures used by the bad guys would be of value to other entities within this business sector (and other quite frankly).
There is likely a fear of brand damage, bad publicity, and so on. But let us be honest (referring back to screen one), we have become numb to the impact of cyber “incidents” (seriously, I need a better word). Thus a lot of these fears can be alleviated because every company is either a past victim, current victim, or future victim. BUT the past and current victims can HELP the future victims by letting them know what the heck is going on. The best example I remember is when Mandiant came out with a post-mortem on the Solarwinds “incident” (honestly, I will say this better in Issue #2.) There have been a few others, but unfortunately, they are few and far between.
For as long as I can remember, the mantra has been, “We need to coordinate intelligence sharing between the public and private sectors.” Heck, I spouted it myself. There have certainly been efforts at this, but none have really met what I am talking about here. And don’t get me started on the “Cyber Safety Review Board”, my thoughts on that are well documented in print and audio (I know many of you just voiced, “Thank goodness he is not talking about this AGAIN!)
There is a huge cybersecurity business gap here that someone who is good at business could fill (I’m happy to help, but I am no business expert - sadly.) Until then I am going to keep banging on this drum because it has to be done, and there needs to be a willingness to give support to victim organizations whose post-mortem would provide intelligence value to the greater community. (I can’t promise this won’t be a recurring theme here.)
If you are enjoying the content thus far, feel free to follow me on LinkedIn. You can get more quality cyber takes like this here newsletter.
Screen #3 - Putting my money where my mouth is
This screen is going to be slightly different than Screen #3s in future issues, as this is more of a call to action (but it will cost you, dear reader, nothing.)
Since I retired from the FBI, I have been efforting to create (in my free time) a cyber consulting service because, as a former educator and FBI Supervisory Special Agent, I want to help people and companies NOT become cyber victims. I focus this on those entities that probably haven’t given much thought to their own cyber needs, Churches, Non-Profits, small Law Firms, and other SMBs. I have had the opportunity to speak to many conferences and webinars to help these groups, and I have offered a free hour of time to talk through where they stand currently from a cybersecurity perspective. Yet no one rarely takes me up on that.
So I am going to lay this out here. This consulting includes a review of an organization’s current cybersecurity and cyber leadership capabilities (usually, there are none.) We discuss simple things they can do to at least get started from nothing to something. And then discuss how they can proceed after that (and yes, I have something for that - but that isn’t free). Usually, in this hour, I can give the organization a good idea of their cybersecurity gaps and provide some solutions on how to get started. And this is the main point. START SOMEWHERE!!!
I really don’t want to spend a ton of space on this, just put it out there for awareness (yeah that is big part of all this also - employee training and awareness - but again, you can certainly find my thoughts on this in many places.)
SOMEONE - TAKE ME UP ON THIS! ANYONE, ANYONE…
That is it for Issue #1. Thank you so much for supporting this effort.
I would love to hear your thoughts on it; the good, the bad, or otherwise. But don’t bother letting me know about any typos (I am sure I had a few) as I don't claim to be a grammatical savant (I doubt that is a thing, but it sounds like it should be.)
If you want more of my content, please check out my podcasts:
The CyBUr Guy Podcast
The CyBUr Smart Morning News Update
The Tactical Cyber Podcast
All are available on your favorite podcast platform. Give a listen, tell a friend.
As you go throughout your week, know that #knowledgeisprotection. If we can understand the threats targeting us, we can assess our risk and proceed wisely online. Have a cyber-safe week.
Your buddy, Darren (The CyBUr Guy)
P.S. I know this newsletter is pretty basic and visually weak, but I am no artist. Hopefully, the content makes up for it. Have a great weekend.