SpiderBytes Podcast: SpiderBytes: the SpiderOak Podcast Ben Webb, Information Security Risk Analyst

9.10.2021

Ben Webb is an information security risk analyst in the financial sector. He’s also heavily involved in SecKC, the largest hacker meetup in the world. If you’re in the Kansas City area and would like to join the next meetup, which happens to be SecKC’s 10th anniversary, go to https://seckc.org.

Transcript

Adam Tervort (00:03):
Hello world, and welcome back to SpiderBytes, the SpiderOak podcast. I’m your host, Adam Tervort, and today I’m excited to introduce you to Ben Webb, who is a security risk analyst in the financial sector. Ben also has some interesting hobbies on the side that include being part of SecKC, which is a great hacker community local to Kansas City, and so dear to my heart because that’s my hometown, as well as Ben’s. Without further ado, after this message we’ll hear from Ben Webb.

Adam Tervort (00:45):
This podcast is sponsored by SpiderOak. At SpiderOak we believe security is important, and it’s our mission to secure the world’s data, from security to compartments for collaboration and data storage, to protecting your backups with end to end encryption, or even protecting communications in space. We want to be part of your plan to protect your most important data. Learn more at SpiderOak.com.

Adam Tervort (01:09):
Welcome back to SpiderBytes, the SpiderOak podcast. I’m Adam Tervort, and today I’m excited to be joined by Ben Webb. Ben, welcome.

Ben Webb (01:18):
Well hello, how are you doing today?

Adam Tervort (01:20):
Doing all right.

Ben Webb (01:21):
Excellent.

Adam Tervort (01:22):
So Ben, why don’t we start off, tell us a little bit about you.

Ben Webb (01:26):
Sure. My name is Ben Webb, I’ve been working in the IT industry for about 25-ish years now. Grew up in Kansas City, have always lived here, still enjoy it, except for the climate, which is terrible. In addition to doing tech type stuff, I love to be outdoors, I love doing outdoor things. I’ve got a canoe trip here at the end of the week, I’ve got a jeeping trip at the end of the month, I’ve got a backpacking trip before the end of the year, so that’s how I try to spend a lot of my time.

Adam Tervort (01:59):
Yeah. And the Midwest is great, especially for canoeing, that’s one of my favorite things to do.

Ben Webb (02:04):
Oh, absolutely.

Adam Tervort (02:05):
Down to the Ozarks and go on a float trip, it’s a great way to spend a weekend.

Ben Webb (02:09):
Yep. And we always do the after Labor Day trip to avoid frat life, so it works really well for us older folks.

Adam Tervort (02:19):
No, that’s great. Tell us a little bit about what you do professionally.

Ben Webb (02:23):
Professionally I am a risk analyst, information security risk analyst for a financial firm here in town, and then I also do a lot of work with SecKC. SecKC is a hacker meetup, it’s the world’s largest hacker meetup, that meets on a monthly basis, based here in Kansas City. We are actually having our 10th anniversary later this month, just in a couple of weeks.

Adam Tervort (02:46):
That’s awesome

Ben Webb (02:47):
Yeah, we’re super excited. We did virtual meetings there for quite a while, because of everything, but we’re back to doing, as long as you’re vaccinated, physical and in-person meetings, we’re meeting at recordBar, and we’re really looking forward to a big thing for our 10th anniversary.

Adam Tervort (03:03):
So for people who don’t know, and I’m sure all of our listeners who are in Kansas City have heard of SecKC, but tell us a little bit about some of the things that happen within the organization, and different projects and interesting people that are involved.

Ben Webb (03:19):
Absolutely. If there’s anything that you like from a technology, or a security standpoint, you’re probably going to find someone there who wants to learn things from you, and someone who wants to teach you something you don’t know yet. I’ve met some of the most brilliant people, I’ve had teenagers explaining firmware to me that I didn’t understand. I’ve had opportunities to show people, like college students, new things that they haven’t seen yet, just because it’s something they haven’t come across. There are people that like to make home-brew electronics, there’s people that like to reverse engineer things out in the world, there’s people, obviously, who do a lot of security, and that type of stuff. Any interest you have in a technical space, you’re going to find something there that probably suits you. It’s a great group of people, it’s almost like a miniature DEFCON every month.

Adam Tervort (04:09):
Yeah, yeah. So for people that are in the area and are interested in becoming part of SecKC, where would they go to do that?

Ben Webb (04:18):
Head over to SecKC.org, all the information will be there. We actually, we do an Eventbrite for each meeting, that way we can figure it out, because there’s always food provided and we have to figure out how much for that, and everything. And yeah, absolutely come out. Meetings right now are on Patch Tuesdays, we’ve been going to recordBar, And that seems to be the plan for the foreseeable future. But just stay involved, we’ve got our own discord server you can join, it’s a great community to hang out with.

Adam Tervort (04:48):
And meeting on Patch Tuesday is so appropriate.

Ben Webb (04:51):
Yes, because nobody in InfoSec is busy on that day at all.

Adam Tervort (04:56):
At all, yeah.

Ben Webb (04:56):
I think it’s more that we all just need to drink.

Adam Tervort (05:00):
After Patch Tuesday.

Ben Webb (05:01):
Yeah, exactly.

Adam Tervort (05:05):
Well, I know you’re heavily involved in security, both in your professional life and your personal life, so let’s talk a little bit about, what are the things that you’re concerned about? What are the security problems that keep you up at night, and what are some of the actions or tools, actions you take or tools that you use, that you try and address those problems with?

Ben Webb (05:28):
Sure. So the hackers getting my data doesn’t keep me up at night. Honestly, there’s a much higher chance that my bank, or my hardware store, or my grocery store, or somebody else is going to lose my data on my behalf, so I don’t put a whole lot of thought into, oh goodness, the hackers, or the Russians, whoever, are going to steal my data. What I do think about is just the insidious, and insidious might be too strong of a word, but just layering on and layering on of observation, of surveillance, that seems to go on more and more and more as time goes on.

Ben Webb (06:10):
So to fight that, one of the biggest, and I don’t say fight it, it’s not really the right word, but to control at least how much data I myself am leaking, step one is always, I always looking at new settings. When I get a new device, I know you said you got a new laptop, very first thing I do when I fire up the browsers, okay, let’s go in and change all my settings, turn off things like telemetry, and stuff like that.

Adam Tervort (06:33):
Yeah.

Ben Webb (06:35):
So that’s usually step one. I like the privacy oriented services, I always have, like Privacy Badger from Electronic Frontier Foundation on my browser, or DuckDuckGo does privacy tools which are nice, they work pretty well as well. I use the DuckDuckGo extension on my phone, or they actually make a browser for the phone, which is-

Adam Tervort (06:59):
Yeah, that’s my favorite mobile browser, it’s great.

Ben Webb (07:02):
Yeah, it works great, the cookie and clear and everything is real simple, and yeah, it’s fantastic in the way that it works, it’s well thought out. Other things I do, I do like online and cloud services just for the convenience, but I look for ones that are security controlled by me and not necessarily by the company.

Adam Tervort (07:24):
Right.

Ben Webb (07:24):
I’ve actually been a SpiderOak customer for a long time now, just because of the zero knowledge backup. I remember I started to a one gigabyte plan that you do some time period, but it’s always been good in my mind, like Microsoft just had a huge breach where they were leaking data out of one of their database services, and they fixed it right away, as soon as they became aware, they did the right thing, they shut off the offending services and everything, but that data was just there for download.

Ben Webb (07:55):
And I love the idea of zero knowledge encryption, where I keep the key and I do the encryption and decryption on my end, because I know no matter what happens with that data, whether it physically walks off because of something, or virtually walks off because somebody finds a way in, I know that it was encrypted by me with strong keys and I don’t have to fuss over it, I don’t have to be concerned. If somebody wants to spend the amount of time and effort it takes to decrypt that to get my data, which is probably worthless anyways, more power to them.

Adam Tervort (08:29):
Yeah, and I think that’s, on the network level zero trust is really becoming something that a lot of network level tools are going to, and of course I’m biased because I work at SpiderOak, and I chose to come here, because I was originally a customer too, for the same reasons you mentioned, but it just feels like that’s going to be an important thing in the future for services to move to that zero trust, zero knowledge approach, for the reasons that you mentioned. It is really hard to avoid a wrong setting, or some breach that exposes data, but if it’s encrypted, especially encrypted at rest, then it makes the cost of the attack to decrypt that data so high that most reasonable attackers aren’t even going to try it. And if they do want to spend that much money in that amount of time to decrypt it, well, then they’re obviously highly motivated and you’re going to have a hard time stopping them anyways.

Ben Webb (09:39):
Highly motivated, highly financed, resourced attacker, yeah, will be extremely difficult. But again, if they want to work that hard to get all my Dungeons and Dragons notes, that’s fine.

Adam Tervort (09:54):
Yeah. So in your professional capacity, especially since you’re in the financial industry, what are some of the things that you see that, if you could tell all the people who work in finance one or two things that you wish financial institutions would do better in terms of security, what would they be?

Ben Webb (10:18):
That’s an interesting question. I will say that for the most part financial companies do a pretty decent job, not all of them, but for the most part they do. Most of what they’re constrained by is just their size. It’s extremely hard to sit down and have good discipline, and discipline is the most important thing when it comes to information security, it’s extremely hard to have good discipline on an environment of hundreds of thousands of servers. There’s so much going on, and it’s really hard to have that level of control. So if they suffer from something, that’s really what they suffer from.

Ben Webb (10:56):
Most financial firms have a good set of controls, but non-technical controls are one of the most important things that they can do. And by non-technical controls I mean things like, have a verification process for something that’s requested by email, have a verification process or something that’s requested by phone, actually have good due diligence around ensuring that the customer asking is the customer asking. All of those things happen, I think, on a more regular basis than people realize.

Ben Webb (11:27):
It’s not actually, unlike what I tell people when they ask me on their personal lives, have non-technical controls around all of these things. Everything you do to technology, if you’re not watching it, because like you said earlier, it’s easy to miss a setting, it’s easy to do, just to miss a small thing, and they lot of times are small things. And if you’re working with cloud services, and everybody is, there’s a reasonable chance your service is going to mess something up for you as well. So have non-technical controls that are watching that at the financial firms, and a lot of them are good about it, but there’s always room for improvement, have things where humans are checking and verifying on the backside. It slows things down and it’s not as efficient as everybody would like, but it’s where your real security is going to come from. Go ahead.

Adam Tervort (12:21):
No, that’s an interesting idea, and part of the reason I think that’s a great idea is because it doesn’t scale well, and so it means that situations need to be evaluated by a real person on a one by one case basis.

Ben Webb (12:38):
Sometimes that is true. I mean, you have to have some things, if someone sends an email and says, “I need to do a wire transfer based on this email,” there needs to be a process, there needs to be a procedure to call that person and make sure that that’s really that person. There have been all sorts of fraud cases where they didn’t have that kind of diligence, or somebody didn’t perform that kind of diligence, and people have lost millions of dollars. So doing things like that is every bit, and probably more important, as the protection that you’re doing for your firewall, and whatnot. Most of those things are there and work well.

Adam Tervort (13:15):
Well, let’s go back a little bit to what you said about discipline. Can you expand on that a little bit, why discipline is a key part of security?

Ben Webb (13:26):
Discipline is, to me, the most key part. From a vulnerability management standpoint, which is a big part of what I do, having the discipline to do good patching, and to follow up on things, and to make sure that you’re on top of that every month as those patches come out, is extremely important and extremely hard to do. People like to talk about the security budget, but most of having good security is not about the security budget, it’s about the operational cost of doing things well.

Ben Webb (13:56):
When you have good patching that’s aggressive, is tested and applied immediately, that is the single most important thing that you can do to keep your vulnerability profile down, but it’s also the single hardest thing to do because it requires a lot of people, well not necessary people, but it requires a lot of automation, it requires a lot of effort, and it requires organizational willpower to actually take the time to do that, there’s always element of risk because you’re changing things, to take the risk to do that, and to push through and get that done within the first few days to a week after those patches are released.

Ben Webb (14:32):
It’s a hard thing, and it’s not the security budget, it’s your operational process, and that’s usually a harder sell. Because people don’t equate that. Executives right now, they’re terrified of ransomware, they’re 100% ready to spend money on every security product, they can find, what they’re ready to do, it seems, is to put the priority and the people in place to actually push through organizational discipline to make sure that your fundamentals are good, your network segmentation is there, all the things that are supposed to be done to improve security, but don’t necessarily fall under the security budget and team.

Adam Tervort (15:12):
Yeah. And I think it’s sometimes a hard change in frame of reference. It’s easy to throw dollars at a problem, but that doesn’t necessarily mean that you get a solution that fixes the problem.

Ben Webb (15:33):
Most of the time it seems not to, unfortunately. Well, people want the panacea, and I understand that, they want to be able to write a check and make the problem go away. But if it was an easy problem, everybody would have solved it already. It’s hard to do, and it takes a lot of organizational will to do it, and it takes it over an extended period of time. You can’t just have a project and say, okay, we’re going to patch everything, all right, we’re done, isn’t that great, we’re secure. That project comes up two weeks later, and two weeks after that we’re doing it again, and that’s just the world you live in, and it’s hard to accept that as an organization.

Adam Tervort (16:07):
Here our CEO jokingly says that whenever one of us comes up with the magic fairy dust that solves all of security, we’ll get a big bonus.

Ben Webb (16:16):
Yeah.

Adam Tervort (16:17):
Because of course that thing doesn’t exist.

Ben Webb (16:20):
No, it does not. And everybody wants it to, and of course every time a new product comes out, that’s how it’s advertised. AI is the new fairy dust now. I think if we can figure out a way to get AI and zero trust into the same marketing pitch, it’s probably going to be even better.

Adam Tervort (16:37):
And blockchain.

Ben Webb (16:39):
Yes, absolutely, AI [crosstalk 00:16:41] blockchain, yeah, perfect.

Adam Tervort (16:44):
Yep, you got to hit all the high points of the marketing all at once.

Ben Webb (16:48):
Yep, yep.

Adam Tervort (16:49):
Well, tell me a little bit about, on a personal level, what are some of the things that you do that a normal person who would like to improve their security posture could learn from, or could implement to help them be more secure?

Ben Webb (17:04):
Sure. And this is a fun question because 90% of the time when you ask a cyber security professional, probably higher than that, they will tell you, don’t reuse passwords, use a password manager, and enabled 2FA. You understood what I said. I watched a guy named John Strand, now John is famous as a cyber security person, he’s done training for people for decades now, he’s an extremely good presenter, understands his audience well. He was interviewed, because he was doing a conference in South Dakota, and in South Dakota, hey, let’s go look at the nerds, somebody comes out to interview him, and he answers, gives that soundbite answer. The problem with that soundbite answer is that nobody knows what it means. He said that to the guy interviewing him, and I don’t think he said it in front of him, it was probably the desk leaders, and he says, “And I understood what one of those things was.”

Ben Webb (18:00):
So when someone asks me I say, “Don’t reuse passwords,” and I just drop it there, and I explained why, because if they don’t have any context, they’re not going to understand. Look, one of the most popular things for hackers to do is take the Smash Mouth fan forums from 2017, somebody’s selling those passwords today, somebody’s selling the password and from everything, and say, let’s try those on Venmo, which try those on 1500 different banks that we know the web address of. Don’t reuse just because anytime it’s compromised it’s going to get tried on literally everything.

Ben Webb (18:38):
And if there’s time, so we can have that conversation, and then if this time let’s talk about a password manager, and how that can make your life easier in not reusing passwords. And hey, if you can use something that’s cloud-based, even better because you’ll have your passwords on your phone, and on your computer, and on your other computer, and et cetera. I don’t get into 2FA until we’ve had a chance to absorb those, because those are the most important of that discussion, then we can talk about, let’s look at two factor in what that means, and how do you do that. And oh my gosh, that’s inconvenient. Well, yes it is, but it helps, and here’s why.

Ben Webb (19:10):
But I think too many people just jump to, let me rattle these things off and give me the top five or 10 things that you have to do, and it’s so important, it’s like slow down, work with somebody where they’re at, and give them the one or two things that they can absorb and actually put into action, otherwise they get that lean back and the deer in the headlights and they go, “Ah, okay, sure,” and then they try to get out of the conversation.

Adam Tervort (19:37):
I think that’s so true, and I’ll tell you one of my big cybersecurity accomplishments was teaching my dad how to use a password manager a few years ago. He had been hit with a ransomware attack on his work computer and lost a bunch of photos, that was the thing he was most broken up about was the photos that he lost.

Ben Webb (19:59):
Sure.

Adam Tervort (20:00):
And so he wanted to improve security, and that was the one thing that we did that he still uses to this day, and it makes him feel so much better about almost everything he does, online and for work, the fact that he uses a password manager, and because of that he has unique passwords for all the things that he uses. And my dad’s a smart guy, but he’s not a technology person. I think there’s so many people out there like that, smart people who, if they’re taught the why will be able to wrap their head around it and then be willing to take the time to set those systems up.

Ben Webb (20:45):
Absolutely. My mom uses the notebook and writes them down, which I’m completely comfortable with, as long as she’s not reusing, the fact that they’re written down in a notebook. I’m not worried about thieves breaking into her house to steal her passwords, that’s not really in the threat model. So yeah, it’s always a win when you can get somebody to listen and just do those things, because again, it comes back to fundamentals, just like we talked about with patching or segmentation, or whatever, it’s all about the fundamentals, executing fundamentals well is way more important than the fancy tool that you could add.

Adam Tervort (21:21):
That is a great, great point, and I think sometimes within the security community, and people who think about this all day long, it’s easy for us to say, oh, you really need to use this kind of 2FA, because SMS is a terrible way to get your 2FA tokens. Is that true? Sure, yes, it’s true, but how many people actually use 2FA?

Ben Webb (21:45):
Right, yeah it’s probably not the biggest problem that you have.

Adam Tervort (21:48):
It’s probably not the biggest problem we have, yep.

Ben Webb (21:50):
Yep.

Adam Tervort (21:52):
Well, thank you, Ben, for all of the great insights, and I love that concept of discipline being important to security, that’s something I’d never thought of and I learned from you today. We love to end these interviews with a quote, do you have a favorite quote that you’d like to share with us?

Ben Webb (22:11):
Sure. I’m a pirate nerd, and one of my favorites is actually the pirate Captain Black Sam Bellamy, and he says, and it’s part of a whole lecture he’s giving a captain, but he says, “The rich rob the poor under the cover of law, and we plunder the rich under the protection of our own courage.” And he was basically just talking about how they’re really the same people, and it’s just who they’re robbing and how.

Adam Tervort (22:41):
That’s interesting. Yeah, there’s seems like there’s a lot of parallels between the hacker community and the pirate communities.

Ben Webb (22:52):
In some ways there are. Pirates were a much different group, I think, than they’re normally portrayed.

Adam Tervort (23:01):
That’s so interesting. Well, Ben Webb, thanks again for your time, and for all the things that you’ve shared.

Ben Webb (23:07):
Adam, thank you, it was a privilege, I’ve really enjoyed it.

Adam Tervort (23:10):
All right, well that’s it for today’s episode of SpiderBytes, but please stay tuned, we’ll have another episode out in a few days.

Adam Tervort (23:18):
Some things are best kept secret. You wouldn’t send your company’s financial data through snail mail on a postcard, so why would you use the insecure digital collaboration tools? Introducing CrossClave, a file sharing and collaboration solution built with security in mind from the first bite. It’s like Signal for business. CrossClave uses distributed ledger technology and end to end encryption to deliver a true zero trust system, designed to protect you and your business’s most valuable data. When you need to share or collaborate on your most sensitive information, SpiderOak’s CrossClave is your only choice. Go to SpiderOak.com/podcast to get started with a free account, no credit card required.

Adam Tervort (24:02):
Thanks again for listening. For all of us at SpiderOak, I’m Adam Tervort. We hope you enjoyed this episode. Subscribe to hear more episodes wherever you procure your podcasts from. If you’re interested in joining us as a guest on SpiderBytes, send me an email at podcast@spideroak-inc.com. We’d like to thank Nell Graves for our theme music, Ear Shot, and special thanks also go to the SpiderOak law firm of Dewey, Cheatem & Howe, our air quality monitor, Carmen Dioxide, the SpiderOak ice rink manager Sam Boni, and to our staffing agency, Click and Clack. Thanks everyone.

Talk to an expert now.




X