May 12, 2022
News

Episode 1: Tenacity's Hackerman Bad Podcast featuring AJ Yawn

In our very first Hackerman Bad podcast episode, we chat with AJ Yawn over at ByteChek about CISA's cybersecurity recommendations and get a pulse on the cybersecurity industry in light of recent Russian cyber threats.

When it comes to the public cloud, your security status can change overnight. All it takes is one data breach or news update for an unknown issue to become a burning-down-the-house priority — just look at the Log4j vulnerability from a few months back.

That’s why we wanted to create a forum where we could speak directly with the top cybersecurity professionals in the industry in a down-and-dirty format to break down any new security threats, news, vulnerabilities, or priorities hitting the cybersecurity world and share the conversations directly with our community.

The result? Our new Hackerman Bad podcast — sponsored by Tenacity and featuring an ongoing panel of top experts in the cloud security industry.

Our first episode kicked off the week of CISA releasing their cybersecurity recommendations in response to the threat of Russian cyberattacks. So, we jumped on a call with AJ Yawn from ByteChek to break down their recommendations and to get a pulse on the cybersecurity industry in light of the recent announcements. 

Here are some of our favorite takeaways from the conversation… plus the full episode below!

Tenacity: From a business leader standpoint, is there a greater threat in cybersecurity now, as opposed to two months or two years ago?

Jason: I don’t think so. Not from a cybersecurity standpoint. The guidance that was released by the White House following the Russian cybersecurity threats was all things you should have been doing long ago. The first bullet point on their list was multi-factor authentication or some form of secure password authentication. So, I’m not sure the threat is greater now from a cybersecurity perspective than it was six weeks ago. But it’s definitely in the news and it’s getting more press and people talking about it. And if you can get people to bolster their security as a result of what’s happening in the world, I think that’s helpful. This is a threat every day… Russia is a state enemy and their goal is to potentially undermine the United States, its citizens, and its businesses. I think it’s important to be paying attention to states that are constantly attacking us from not just a media perspective, but also a cyber perspective.

AJ: I’m with you, Jason. I don’t know if there’s a greater threat now. All these recommendations are things that people in the cybersecurity field have been saying forever. It’s like when Covid started and the recommendations were to wash your hands. I don’t want anyone to think we’re bashing the fact that cybersecurity is important, but these threats and the things that you should have been doing to protect yourself against them were there before. Now there’s just a light shining on it, and many companies and private entities are realizing that if the government is telling you to do something, you probably should have been doing it already.

Tenacity: Sometimes it feels like the greater threat comes from internal employees who have a lack of cybersecurity training and understanding. Would you agree?

AJ: Yeah. I think a lot of times people look at breaches and think it’s some next-level sophisticated attack. But most of the time, it’s the most simple thing that has been missed, or clicking a spam link, or not having multi-factor authentication enabled, or just not training the individual. Hackers have also gotten really great at phishing emails and links. Even for me, as a cyber professional, I can spot when something looks off, but it also looks really good, especially compared to phishing emails from five years ago. They’re impressive now, so you can’t always blame the users. Companies just need to make sure that they have tooling in place to know when that stuff happens, and they should know where their risk lives. Offense is always better than defense. If you know and understand your risks, you won’t be surprised when something like that happens.

Tenacity: Where do internal controls fall into this vs. saying, “I have cyber insurance. I don’t need to worry about this.”

Jason: That’s the same as saying, “Oh, I have car insurance. Why not just run my car into a bridge? I don’t need to worry about a seatbelt.”

AJ: Internal controls are super important. I think when people usually hear about controls they think about audit compliance. But, for me, when I think of internal controls, the first things I think about are, “Do you know what your assets are? Do you know what the boundary of your entire environment is?” and then you start from there, because good security requires context. You can’t just say, “I’m gonna go take these 13 things that the White House said I had to do, and just throw it at every company,” because it might not make sense for some companies whose resources are different from others. So I think when it comes to internal controls, you’ve got to start with, where is your stuff? And then you go from there. You have to figure out how to protect your shit. Internal controls are only important if you know what you’re protecting. If you’re a company that operates in a certain country, or works with different types of customers, your risk may be different from someone else’s who only has a Chrome extension or whatever it may be. You just have to know yourself and then apply security to that.

A big thanks to AJ for joining us for our very first episode of our Hackerman Bad podcast. If you want to watch and be notified when future episodes launch, be sure to subscribe to our Hackerman Bad YouTube channel. See you next episode!
