IT Security Leaders Share Bone-Tingling Cybersecurity Tales & Reveal the Cyberthreat Hobgoblins that Haunt their Sleep (Interview Transcript)

Earlier this month, four IT security leaders participated in BeyondTrust’s Linkedin Live event: The Scariest Things I Ever Heard from my Security Team, which is part of our Rising CISOs: Experts Unplugged series.

Our participants engaged in an open conversation about close encounters with peril and “game over” catastrophes. Their real-life tales of wee hour wake-up calls and navigating through spine-tingling disaster recovery and business continuity challenges will keep you at the edge of your seat. One poor soul even had to guide his team through a nuclear meltdown!

Our panel of cybersecurity leaders also probed through the depths of their nightmares, candidly sharing the security threats keeping them up at night, and more importantly, why. One participant confessed to actually maintaining a file titled, "What keeps me up at night"!

If you’re not too spooked, you can check out a transcript of the discussion below. You can also watch a recording of the on-demand webinar here.

Thank you to our courageous participants for digging into their crypts of terror-inducing security tales and shining a light on those threats that pass through cyber defenses like ghost ships in the night. Somehow, they achieved the elusive campfire story trifecta of terrifying us, educating us, and also intermingling doses of humor!

Discussion participants:

1. Diana Kelley, CTO at SecurityCurve

2. John Masserini, CISO at Millicom (Tigo) Telecommunications

3. Elena M. Seiple, VP Information Security at MGM Resorts International

4. Morey Haber, CTO and CISO at BeyondTrust

LinkedIn Live Webinar Transcript: The Scariest Things I Ever Heard from my Security Team

Sarah Lieber (host): Does the responsibility of leading a security team feel a lot like being the star role of a scary movie? In The Shining, Jack Nicholson famously breached a wooden door, pushes his creepy face through, and chillingly declares, "Here's Johnny."

In an alternate universe, the person cowering in the corner is a CISO and the face at the door is a merciless hacker. You get the picture? I hope I set the stage okay for you guys, but while this iconic horror film can be switched off, the threat of a malicious cyberattack, looms every single day, creating relentless nightmare fuel for security teams.

Thanks for joining us and welcome to today's rising CISOs LinkedIn Live event, The Scariest Things I Ever Heard from my Security Team. An appropriate topic for which to start off the month of October. Our esteemed special guests today include Diane Kelley, CTO at SecurityCurve and Elena Seiple, VP of information security at MGM Resorts International, and John Masserini, CISO at Millicom (Tigo) Telecommunications. Moderating the session is BeyondTrust CTO and CISO, Morey Haber.

So, without further ado, Morey, please welcome to the line to kick things off. And so, let's grab our flashlights and share some spooky tales.

Morey Haber: Sarah, thank you so much, and we will be joined late by John in a few more minutes. He's just running a little behind schedule, but as live events go, that happens. I am the CTO and CISO far BeyondTrust, and, as part of our LinkedIn Live series, we wanted to do a topic for October and Halloween. We're going to share a couple of scary stories. Things that may have happened to us, may have happened to companies we're aware of, but we're going to protect the innocent. We're not going to use names, companies, date, situations, or anything that would be incriminating. We just want to have an open conversation of some of the things that scare us as CISOs and wrap it up with some of the things that we do to cope—whether we cover our eyes, whether we have a good beer—what we do to manage the stress.

Now, to begin, let's just go ahead and do a couple of quick intros. I'll start with Diana. If you could share your name, your company, and also maybe the funniest or scariest Halloween costume you've ever worn.

Diana Kelley: Thank you, Morey. It's great to be here. I'm Diana Kelly of SecurityCurve, and I once went as Siouxsie Sue. She was the lead singer of what was known as sort of a punk band, Siouxsie and the Banshees, and I really loved the band. I still love the band, and I decided to go with Siouxsie Sue, but she's got this sort of wild hair and very impressive, strong eye makeup. And so, a lot of people thought I was some sort of odd monster or something, but I was just being Siouxsie.

Morey Haber: Fantastic. Elena?

Elena M. Seiple: My name is Elena Seipel. I am the Vice President of Information Security at MGM Resorts International. Every year I wear the same costume to work, which is a t-shirt that says, "I don't need a costume. People want to be me."

Diana Kelley: Wow. That's awesome!

Morey Haber: That is fantastic! Well, you know what? I'll share on mine real quick. It goes all the way back to high school. My senior year, they did allow us to wear costumes to high school, and I dressed as a terrorist, including with an old-school cork gun. That landed me in the principal's office, sent home during one of the first periods for wearing something inappropriate that could, honestly, nowadays, would not be even close to acceptable. Probably one of the only times I got sent to the principal, but back then as a teenager, I really didn't understand how bad that was.

So, to get started, we want to first talk about a real scary story. Something that you've experienced, not necessarily with your own company. Just to remind you, please protect the names of the innocent and let's just get started. Elena, we'll put you up first.

Elena M. Seiple: Okay. I'd heard a story in our circles about a company that had an outbreak of WannaCry, and as it was going across the organization, they were freaking out obviously, as they were watching it spread and so on and so forth. And it was hitting one of their critical systems that if it had downloaded the payload, they would have to shut everything down. And it just turned out that the version of WannaCry that they had actually had a corrupt payload request that it was unable to do that. So, they call it their "We flew so close to the sun." And they use that as a story about how dangerous it can be, how you never know how lucky you can be, but they only had one system that was actually effected in a negative manner, and it recovered. They still didn't do all the other cleanup, but they didn't have the major catastrophe.

Morey Haber: You know what? That is rather scary in itself because the fact that it was a corrupt version and not as polished as the threat actors would have liked. Otherwise, that could have been a very, very long and painful and expensive exercise. Diana, up to you.

Diana Kelley: So, this may or may not have been in assessments. I was involved in a very large financial services firm, a household name, and it was an assessment going around trying to understand what the inventory was, what critical systems were talking to other critical systems. And in this assessment, there was a server that was a really important part of a very important workflow. And nobody knew where it was. We kept finding it. We knew we could trace it, that data was going through it. It was functioning properly, but nobody could figure out where it physically resided, and people may have been looking in closets and things, trying to figure out where this system was, and nobody seemed to know, and eventually it was traced physically to a server that was running under somebody's desk. And so, the person sitting at the desk was asked, "Hey. Do you know who put this server here? And why is that? What's your job?" And the person said, "I had absolutely no idea what that server is for or what it does. It was there when I was assigned this desk, when I got hired at the company."

And, so looking under the desk at the server, it had a post-it note that said, "Do not turn off." And we said, "Well, have you ever unplugged it? Have you ever turned it off?" "No. There was a post-it note that said, do not turn off. So, I moved into this cube that kept running and I've never turned it off." And if it had been turned off, it would have been a problem.

Morey Haber: That is a huge asset management issue. Gosh. Wow! Thank you so much for sharing.

John, welcome to the conversation for the scariest stories. I'd like you to introduce yourself company and your favorite or best scariest or funniest Halloween costume.

John Masserini: Oh, Halloween costume? That's left field. So, first of all, John Masserini. I'm the Global Chief Information Security Officer for Millicom. We provide mobile phone services and cable services to all of Latin America and part of South America. So, one of the biggest infrastructure providers in the area.

You need to give me a few minutes to think about the, all of the horrific Halloween costumes that my wife has made me don.

Unfortunately, there are way too many to share in only a half hour, but probably one of the scariest calls I've ever gotten, and it was very, very early in the morning going back a few years when I got an email that said, "Hey, we need to enact our business continuity plan." I was like, "Okay, let's get on a call and figure out why." So, hop on a call. I got everybody in a room. Pulled the team in, and it seems that there was an earthquake and we had to protect some folks, and put the plan in place to get them into a safe area and get them working again and all that.

Everything was going fine. A couple of hours later, we got another call with one of the updates and said, "Hey, by the way, there's a tsunami warning and it's really close." So, we're all baling and we're going to figure it out from there.

So, sure enough, the tsunami hits and a few hours later, we got a call, "Oh, by the way, there's a nuclear meltdown. We have to leave Japan right now."

So, there have been very, very few calls that I've been on in all the years in doing this that has literally chilled me to the bone like that one. So, figuring out and praying that your BCP plan was actually functional enough to get all your coworkers in a safe zone and get them working again and all of that, was probably one of the scariest times of my entire profession.

Morey Haber: Wow, John, that is scary and very personal considering what we're all dealing with in terms of wildfires and changes throughout the world. I'll share a real quick one. About 10 years ago, I was doing a conference and spoke to an executive, a peer of mine, and he really opened my eyes in terms of what a privileged account really was. He was telling me that he met with a competitor from overseas, and that CEO basically threatened to put him out of business in no uncertain terms, but he didn't take the threat seriously. What ended up happening was an email account was compromised due to someone being on vacation or not properly being managed. And, unfortunately, illicit material, pornographic material was sent to everybody. So the all distribution list was included. And the problem is, is when you have material that is that sensitive and that illegal, you have no choice but to call the FBI. They had to come in, find it, scrub it, remove it from every mail server, because they were still on premise and everybody's cell phone.

And you know what? That CEO's threat from overseas, unfortunately, was correct. He was able to send one email via a compromised account to the entire company and literally took this business off for weeks in terms of proper communication. That scared me to the bone—that privileged groups and some simple malicious threat actor can create that much of a disruption.

We have to all be very mindful of what we do send and what can't be sent through our communication channels. Not only email now, but MS Teams, Slack, et cetera.

We're going to go into a little bit of a different type of discussion right now. We're going to go a little bit into what, as CISOs makes us scared today. That's the crux of this—what scares you? Or, what is the thing that you would potentially keep you up at night? Let's go ahead and start with Elena.

Elena M. Seiple: I actually have a file that's called "What keeps me up at night" because I do think about these things. And right now, when you're looking at how quickly we are moving to cloud and more data analytics—data is the key to everything.

What keeps me up is just, are we staying in front of that movement of data? Are we understanding the inventory of where that data is? Are we able to control it as it's moving from this cloud, to that cloud, to an on-prem from here and there? And it's very challenging to track all that. Yet there's technology capabilities you could put in front of it, but a lot of it is dependent on understanding what your business is doing. If the business does something without including security or pulling you into that, sometimes you're a little bit late to the game and you might have that risk or that exposure for a period of time.

So, that's one of the big things that keeps me up at night. And the other thing that keeps me up at night, and I know a lot of people just deal with this, is vulnerability management, in general, across the board. Staying ahead of them, making sure you're addressing the most critical ones in the most timely manner, and sometimes, that's just not as easy as it seems due to a lot of legacy systems. Still these days, vulnerabilities are very cumbersome, unable, difficult to patch so on and so forth.

So, those are the main things that keep me up at night.

Morey Haber: I fully get that. Vulnerability management is this chronic one that every CISO deals with because every day there are new things, and, from my perspective, phishing, as we're a sales organization. Sales people answer emails all the time. I'm scared to death of the next phishing attack vector period.

John, what scares you? What keeps you up at night?

John Masserini: Yeah. Well, you kind of stole my thunder a little bit there, because that's exactly it. It's definitely anything that I need to rely on a human being for. So, clicking on the link, visiting the website, whatever it is, where phishing and the malware is really kind of, if it's not number one, it's number one and number two. It's super high on the list.

We have stores, we sell retail, we sell our phones retail, and on the flipside, we have customer support. So when we're relying on people to recognize someone's social engineering them, because they're trying to do SIM jacking accounts and are trying to steal other people's phone numbers to get the SMS code that just went to the bank.

So, both sides of whether it's inbound email, or the customer-facing side, I feel that we're always just one click away. And no matter what kind of technology or controls that are in place, I always feel we're one click away. Most of the time, I can bury that some place deep in the subconscious. But a lot of times, it really does drive a lot of the decision that happens day to day.

Elena also hit, honestly, on the other one. It's the vulnerability management, especially now. If you just stop and think about how many organizations—even if they were really good--were prepared to do patch management and patch deployment when nobody's on their infrastructure anymore. How do we do that remotely? How many people mandate always-on VPN so you can do those kinds of things?

So, when we kind of take a step back and look at the bigger picture, even if we'd had the risks fairly mitigated in January, they're not really that now. No matter how good you are, there's always going to be a bigger delay in getting the patches applied and all the other stuff that goes along with being out of the network that really kind of drives the day-to-day concerns.

Morey Haber: It makes perfect sense, and being remote, a lot of these scary situations are not something happening right here, right in the office. We're in our home office. Diana, what do you think? What scares you?

Diana Kelley: Two things. One that's very close to home is I'm on the Board of Directors for two different nonprofits. One is WICS, the Women in Cybersecurity organization, and the other one is Sightline Security, which is a nonprofit to help nonprofits. So, I think a lot about the membership info and the partnership info that both those organizations have, and all the work that goes into protecting that information and making sure that it stays private as it should. It’s always at the back of my head that this membership info really needs to be protected and not get let out, especially for nonprofits that are working in the cybersecurity space, or supporting cybersecurity. And then I have the sort of greater one that I worry about the entire profession in the world—and this one really does keep me up at night quite a bit—which is around AI and ML. These are technologies that are very misunderstood, even by a lot of security people.

We know that there's been a big problem in cybersecurity for a long time about creating really strong security software, resilient software, that it's for security or not for security. But the software development life cycle—some companies are really struggling to get that right and we depend on that software. We're going to depend on AI and ML even more, and a lot of people don't understand how it works or how to create resilient, strong, and robust AI and ML. Or, even about issues with things like data poisoning and bias within these systems. So, that worries me a lot is that we're depending a lot on AI and ML going forward. But we also need to think very strongly about how to threat model and secure right now, today.

Morey Haber: Yeah. And there's been plenty of examples of the turtle that became the gun in terms of AI and ML imaging. We're all working from home right now. We're plugged in 24/7. We've basically changed our lifestyles to be able to respond and take calls in the middle of the night to handle regions all over the world. But that's not always been the case and, hopefully, that won't be the case moving forward.

Scary situations happen all the time. While you're on vacation, in the middle of the night—what do you do? Do you get up in a panic and start triaging in the middle of the night? Do you delegate it out to different owners? Do you implement your plans right away and pass it off and then wait for it to bubble up? Diana let's just start with you. How do you cope with this 24/7 always-on work-from-home, but scary situation being on vacation?

Diana Kelley: Yeah. You kind of touched on some of it. I mean, this is why incident response and incident response planning and incident response, either tabletops or actual walkthroughs, are so important, because the attack isn't going to come when you're all ready for it. It's not like back in the day, when we would pen test and the company would say, "Well, we want you to do it at exactly 4:00 AM on a Saturday because that's when no one's interacting with us." The attacker's going to go during your busiest time, during a mission critical time, or during a downtime, like vacation, as you point out, or middle of the night. So, having your incident response plan in place, but also having practiced it because if you haven't walked through it before, you haven't done some kind of practice, trust me, there's always, in any response, there's something you couldn't prepare for. So, if you've got the easy stuff down, you've got that muscle memory, that's going to help a lot as you're going to need to, in any response, pivot to the new or unusual or unique activity that's occurring.

Morey Haber: So, I use Do Not Disturb on my iPhone. Do you guys let your phone ring in the middle of the night?

Elena M. Seiple: Absolutely.

Morey Haber: You do? Okay. But I always say if it's the same person twice, then they can get through. So, I let people know that. Elena, how do you handle it? Or has it ever happened to you on vacation?

Elena M. Seiple: Actually, I wasn't on vacation, but some of you are familiar with what happened here in Las Vegas on 1, October. I was here in my house in the middle of the night and had to leave early in the morning to go to Chicago. I had to be away from the office while we were working. There was a lot of different components of that, that we were involved in, and because the teams know our IRR plans, because we practice, because we know what we're supposed to do, it was very easy to manage it from a distance. And it was very easy to get the people we needed engaged. Everybody was very willing to be engaged and knew their roles, responsibilities, and what they were supposed to do. And when you're in those situations, regardless of how scary, I always take that old commercials, I forget which deodorant it was for, which is “never let them see you sweat”, and keeping that level head in front of your teams and in front of leadership that whole time. Because, if you're panicking, it obviously just rolls downhill.

So, it's just a matter of showing confidence that we're doing the right things, make sure we're following the plan, documenting everything along the way so that you can always come back around and do your lessons learned. But that was a very, very stressful time. I was on the phone the minute I got on the plane. As soon as I got on the plane, I was connected, working. Got off the plane, you're back on the phone. And it was just, I'm thankful for technology because it allows us to be anywhere and to still deal with these situations. We don't have to all be in a war room.

Morey Haber: Yeah. I fully agree. John, have you ever been on vacation or out-of-pocket where… You're smiling? I'm not sure where you're going with this.

John Masserini: Almost] every vacation in some way, shape or form. Yeah. So, I would agree with the comments already made. I do drop what I'm doing. I will get involved, and it's not that I don't trust the team or the team isn't practiced, because nine times out of ten, they run it far better than I would. But there's a certain level of calmness that has to go to the executives and to the Board that maybe the team can't communicate that way when they're in the heat of things.

And I would also say that there's an overt concern of mine about the superheroes. So, you will have the folks who try to work the 14, 16, 18, 20 hour days, because they want to resolve the problem and never take their break, never get the sleep, and end up very prone to making mistakes and making wrong decisions. So, just being there and guiding the process more than anything. It's just a personal preference of mine to take those few hours and get it done, and make sure everybody is okay.

The incidents being resolved, but actually everyone's also okay, then to ignore it and just hang out with a Mai Tai on a beach.

Morey Haber: Fair enough. I can speak that on a President's Club for the current company, someone tried to phish me and, whether it was a targeted attack, coincidence or not, I will never know, but my phone bricked at the same time. So, a little bit of a panic attack, just trying to figure out if the phishing was real, or not,. And candidly, the phishing attack looked like it came from my CEO, but it was phishing.

We're going to wrap it up with just one more set of questions. And this is just a straightforward, "what advice?" We have a lot of security professionals, other CISOs listening to us live today, what advice would you give them to avoid the scary situations? John, you touched on it—by remaining calm, having that strong voice, or that posture that we know what to do. We practice it. You are dealing with it like a drill. What would be your best advice to someone to avoid the scary situation?

John Masserini: Well, and the truth is, that's it. You're never going to be calm or collected when you're in the middle of something that is completely foreign to you. So, making the time throughout the year to really step through that IR plan and more broadly, the BCP and crisis management plan. Because whether it's a cyber incident, whether it's a nuclear meltdown or a volcano erupting, whatever it is, if it's the first time you're experiencing it, you're not going to be calm, you're not going to be able to rationalize things. So, the more you practice, the more your team practices, the more comfortable they'll be, the more confidence you'll have in them. So, it's really around, make sure you make the time quarterly, biannually, whatever it is. Make the time, get the team trained, make sure they step through the process and are comfortable with it.

Morey Haber: And that's a great way of looking at it. I wrote an article years ago on something called ORTR. It was above real-time training and it was patented by a gentleman in the defense industry. Basically, what they would do is take flight simulators and equipment like that, and instead of playing it in real time, they would speed it up two, three, four times. So, trainers were basically fighting at a super-advanced rate and when the real scenario came around, it was so much slower, so much calmer and so relaxing that they were able to hit all the controls in the proper order and do the right things because the stress levels were trained at something so accelerated. And to John's point, I can only emphasize training and review the documentation. That's the best recommendation I think we could ever give anybody.

But with that, Elena, how would you recommend it? Is it the same? Something more?

Elena M. Seiple: I would just add to that. There's no way you can sit there and say, "How can we avoid scary situations?"` You don't want to give yourself a false sense of security of thinking that you've avoided things. And the things that you prepare for, you're usually prepared for. It's the things you're not prepared for, or something that hits us as brand new, something you weren't waiting for and knowing, to what John was saying, knowing how to react to that, how to recognize it, how to stay calm. And I really liked your comment about practicing things, doing it over and over again. So it becomes almost like muscle memory so that when you are in that panic situation, you know how to calm down, focus on the task—meltdown later, get the task done at the moment. We say, assume you're already been breached instead of "Hey, we're good. And you know, there's nothing to have to worry about."

You're constantly trying to make your environment better, constantly going after the latest threats, and just fine tuning. But it's always going to be that something you didn't expect. So, be prepared for the unexpected or expect the unexpected. Follow your plans and take a deep breath and handle it with calmness.

Morey Haber: Well, as Sarahwas saying, look, whoever has seen The Shining never expected him to come through the door and say, "Here's Johnny." Right? We all expected the axe, once we saw it, but hey, we didn't know we were going to get a little bit of humor in there. Diana, wrap it up with you.

Diana Kelley: Yeah. So, I think we're all in violent agreement about muscle memory and practice and even breathing. So, those are going to be the top things that I would say, but I think one thing that we might not have touched on that can really help make all those real is ensuring that you have a secure communication channel. Remember, if there's an attack, that means they may have attacked your regular communication channels. So, they may be in your email, they may be watching you. So, having a separate communication channel or war room, and that's going to do two things. One is, it gives you a place outside of where the attacks occurred for secure communication. And the other thing is that knowledge is power even in a really fast moving kind of attack. So, being able to keep people apprised in that virtual war room with the communication can really help quite a lot to keep people a little bit calmer if they know what's going on.

Morey Haber: That is excellent advice. And I would hope many people would consider that including the lists of people that they may have, and the contact list, phone numbers, and potentially securing home phone numbers or private cell phone numbers as a part of that effort.

I want to thank Elena, Diana, and John for this LinkedIn live session in covering scary topics. I hope it was educational for everyone to realize we're all in this fight together. I want to wish everyone a happy October, a Happy Halloween, but more importantly, just stay safe. That's really all we need to do from a security standpoint, and for our health.