209: Prioritize networking - with Christopher Gerg

Meet Christopher Gerg

Christopher Gerg is the CISO and VP of Cyber Risk Management at Gillware. He is a technical lead with 20+ years of information security experience tackling the challenges of cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries. He has worked in mature information security teams as well as building secure technical environments – all while working with the boardroom to promote executive understanding and support.

Your company does a lot of work in incident response. What is the most common kind of attack that you're seeing right now?

I think probably over 95% of what we're seeing has to do with ransomware and wire transfer fraud. Wire transfer fraud is more of a human problem than it is a technical problem, and it's really just someone tricking someone else into transferring money where they shouldn't. A lot of people have in their mind what ransomware is, and I think what a lot of people have in their mind is wrong, frankly. You don't just get something in your email, double click it, and then you have ransomware. Ransomware is the last step in kind of a conventional attack, a conventional hack, where they've been in your environment for four to eight months or longer. They find what I jokingly call the soft chewy center of your company and encrypt that, so that you're almost forced to pay the ransom or face a huge amount of downtime.

So what advice do you offer to help organizations protect themselves from these types of incidents?

Use multi-factor authentication; the little code generator app on your smartphone is a good start. Lock down services that are available to the public internet. Windows Remote Desktop Protocol, RDP, is a way to get a remote desktop on a computer, and people use that for remote access to their computers, like when they're trying to work from home. I think the two other things would maybe be to make sure everything's up to date with patches, and, finally, just kind of awareness. I didn't come up with it, but a term I'm using a lot more is the human firewall. The people sitting at the desk are a big and important component of your information security program. And so the people sitting at the desk, checking their email and doing your company's business, really need to be aware of what to click on and what not to click on.

How would you recommend a smaller organization such as mine help to educate the other team members and make sure that they're not clicking on things they shouldn't?

There's one that's actually local to me called the InfoSec Institute. They do online information security awareness training and also phishing testing. They charge by the seat, so it almost doesn't matter if you're a four person shop or a 3000 person shop. You're paying just a fixed amount; it may be tens of dollars a month. But that training is kind of a big deal. And the nice thing too is it's not just information security awareness training; there's also kind of the certification training too.

Do you see smaller companies, or larger corporate entities, getting the majority of these attacks?

I think it's pretty democratic in how it goes after things. Everyone has a chance of getting it. They really do just scan for vulnerable services, and if they find one they get in. The other aspect of this that kind of blew my mind when I started doing this kind of work is that these are organized, essentially companies, that are doing these criminal activities. They've got help desks, they've got websites, they have email addresses. And so they have different teams, in that there are some teams that just scan the entire internet in an automated way looking for vulnerable services. If they find one, they try to exploit it, usually again in an automated way. And if they get one, it shows up on a list, and then they pass that list to the next phase, the other team, and they try to exploit it, and if they can exploit it, they get in. Once they're in, either through email or through a vulnerable service, they then download software so that they have more of a foothold in your environment, and then just start exploring.

Are there pros and cons to having all of your company documentation in the cloud versus keeping it on an internal server?

Well, I think the only risk is one of people making the assumption that someone else is taking care of it, where they just kind of throw the responsibility for security over the wall to the cloud provider. The reality is that it's someone else's computer in someone else's data center. It's still a computer, whether it's virtual or not; it's still sitting in a rack somewhere. It's still plugged into a network somewhere. And it's still sitting in a building somewhere. And so if you have that in your mind, and you just treat it like you're leasing the machine from a hardware vendor and storing it in a co-location facility, your responsibilities are the same.

Can you help our listeners kind of remove networking fear by sharing one of your favorite networking stories or experiences that you've had?

If you've got a chance to go out and have coffee with someone, whether they're in your field or not, go have coffee with them, or if they invite you out to lunch or whatever. You're going to learn something. You're going to make a connection. In fact, the job I'm in right now came from an acquaintance of mine that I haven't worked with in 20 years. But we've stayed connected, and he heard about an opportunity and gave me a call and said they're looking for someone. So it doesn't have to be hard.

How do you stay in front of or best nurture your relationships?

I think it takes some effort. You know, it's kind of the curse of the organized person: if I didn't organize get-togethers with my friends, they probably just wouldn't happen. I usually seem to be the one to organize it, and it's a little bit of a burden, but I get to see my friends, and so it's absolutely worth it. I've had a lot of really good times going to some Madison Chamber of Commerce, Greater Madison Chamber of Commerce, events. They're well organized and well attended, and I meet a lot of really interesting people. And it takes some effort, and you need to step away from your desk to do it. But I think the benefits outweigh the inconvenience for sure.

What advice would you offer the business professional who's looking to grow their network?

I think the best advice for growing the community is to find organizations that do what you do. Find groups of like-minded people. Connections you make that are or aren't related to your specific job will have benefits. You just need to get to know people face to face. But if you can find a balance there, where it's also related to stuff you do, that's going to help you professionally as well.

Between digital networking and traditional networking, which one do you find more value in?

You need the digital side to keep in touch, because that's just how people keep in touch. I don't answer my phone; it has to go to voicemail. So even to that degree, people just don't talk on the phone anymore. So you need to go to these in-person things, whether it's a conference or a symposium, or it's a meetup group or a community event. I think it's more important to meet people face to face.

If you could go back to your 20 year old self, what would you tell yourself to do more of, less of, or differently with regards to your professional career?

I think I would have better work-life balance. I'm getting my private pilot's license right now. It's something I've wanted to do since I was a little kid. I would have told myself 20 years ago to take the time and do it then.

So we've all heard of six degrees of separation. Who would be the one person that you'd love to connect with? And do you think you could do it within six degrees?

I would love to sit down and chat with Bill Gates. He's got a lot of incredible insights. And he's doing what I would hope people with his affluence and influence would do. One of the most incredible charity stories there is. And his ability to influence public opinion is incredible. I'd love to pick his brain.

Any final word or advice for our listeners with regards to growing and supporting your network?

Don't be afraid to go out there and prioritize it. It is important. Being able to look someone in the eye and talk about what you do, and be excited and passionate about it, speaks volumes and lets people know how competent you are.

How to connect with Christopher:

Website: https://www.gillware.com/

Email: cgerg@gillware.com

LinkedIn: https://www.linkedin.com/in/christopher-gerg-8aa0a66a/