April 29, 2020 • RBS

The recent Vulnerability Fujiwhara effect, security teams playing vulnerability whack-a-mole, and the impact of economic downturn on cyber security.

These are just a few of the topics that Risk Based Security CEO Jake Kouns got into with Chuck Harold of Security Guy TV, in this two-part interview, as part of the Corona-Con Virtual Security Conference 2020.

Part I

The Vulnerability Fujiwhara Effect, vulnerability whack-a-mole, and the impact of recession on cyber crime.

Part II

The impact of COVID-19 on security personnel, the rise of Zoom, and the importance of prioritization.


Part I

Hi everybody, welcome back to Security Guy TV and Corona-Con 2020, the virtual security and thought leadership conference, with my next guest my buddy Mr Jake Kouns, CEO at Risk Based Security. Mr Jake, welcome.

Thanks for having me as always.

Boy, lot to talk about with COVID-19 … just so people know, or just in case people don’t know, you run VulnDB, it’s the most comprehensive, detailed and timely source of vulnerability and third party monitoring in the world. Did I get that right?

You got it spot on, it’s a bit of a mouthful, but it is true. If you need better data, which everyone does by the way, better data matters, better data for better risk decisions, that’s what we do and VulnDB is one of our intelligence platforms.

Well, no better person to go to that walks the walk and talks the talk, than Mr Jake. We’re going to talk about a lot of things today, vulnerability whack a mole, recession and cyber crime and how it’s spiking, so let’s just get started, tell us what’s going on.

Well I think the first thing is, yesterday was a tough day, and you can see I look a little tired today, but yesterday was what we are calling the Vulnerability Fujiwara. So when two hurricanes come together it is called a Fujiwara, well yesterday was the second time this year in 2020 where two major vendors, both Oracle and Microsoft, came together one Microsoft Patch Tuesday to release new updates, new patches fixing vulnerabilities. But what’s happened over the last couple years is that the Microsoft Patch Tuesday has been popular and other vendors have also released. So yesterday well over six hundred vulnerabilities released in a single day and it was brutal on our team, to do all that analysis of processing and get all that data out for our clients, but to be quite frank brutal on every company and organization that’s out there with the mass amount of vulnerabilities that have now been publicized and that need to be fixed in a timely fashion.

Is that a record? 600, over 600?

I think it’s a record. I’m not aware of that many in a particular day. So it just so happens that Oracle does these quarterly releases, and Microsoft has done their patch Tuesday for years now, but it just so happens that in 2020 that Oracle and Microsoft just happened to collide on the day, so it happens three times in 2020, so with Microsoft being I think it’s 113, Oracle was 397 vulnerabilities… those two alone are just brutal. But then you’ve got Adobe, Siemens, SAP, VMware, Intel, Lenovo, Schneider Electric, Broadcom… just so many companies releasing on that same day. It just creates a lot for people to handle and whether people want to hear it or not, a lot to handle while dealing with this whole pandemic, in a potentially new work-from-home situation for people, so it’s pretty substantial.

I read somewhere, and I might have got this number wrong, but it doesn’t really matter because we don’t let facts get in the way here on Security Guy TV as you know, the number of ransomware attacks have gone up either 400%, which is crazy, or 4,000% – either one’s not good. Doesn’t really matter. Why is that, I mean I get that people are home, more people on their computer simultaneously, but really don’t you have more time to pay attention to things and say, I probably shouldn’t click on that? I mean I’d think maybe it would go down, what’s up with that?

I think maybe you’ve been doing this show too long if you think people are going to stop clicking on links. All joking aside, it’s funny, it doesn’t matter what the number is, we’ve done a fair amount of research and we recently put out a blog about anytime there’s a recession, cyber crime increases. So there was a lot of analysis done about the 2008-2009 recession. It was said at that time that fraud on the internet increased about 33%. And we’re only in a more advanced situation now in 2020, where all the factors align. Global economic distress, widespread online digital transactions, confidential data everywhere. There’s one thing that you can say: what is recession-proof is crime and cybercrime.

Let’s talk about vulnerability whack-a-mole

I think what we’re trying to explain to people is that a lot of people are playing this whack-a-mole game, where something like yesterday happens, this Fujiwara thing, and there’s all these vulns come out, and then people run around like crazy trying to whack all these vulnerabilities. It’s a tough situation to be in and, particularly when you have so many vulnerabilities coming out, trying to invest the time to do that analysis takes so much time away from actually doing the vulnerability management and actually understanding the right things to whack.

And eventually, to be quite frank, what are the vendors and products that are driving this whole whack-a-mole thing? Security people, while we think we’re liked, you know we’re not really liked very well; we that we tend to run around and just tell people you can’t do that, or more things to fix, or you can’t use Zoom any more, you love it and it’s helping you be independent but it’s horrible. So it’s really trying to evolve past this is game where you’re just running around crazy, and take a much more strategic approach to understanding what’s driving all these issues, and focus and prioritize on fixing the right vulnerabilities on those right assets of an organization 

Without getting into conspiracy theories and things, are we finding that these attacks are more state actor driven, or opportunist cybercriminals? Where’s the increase coming from?

It’s a great question and we don’t have a particular answer right at this second. I will tell you what’s interesting is while we’re seeing evidence that certain attacks and cyber crime is increasing, in some ways right now the news cycles are so dominated by everything with COVID-19, that you’re not seen as many breaches getting publicity as you should, when in fact it’s still all happening. So everything’s happening, but I think what ends up happening in a situation like this, especially when news cycles are focused on something that’s not security related, is there’s a little bit of a lag in reporting, and a lag of understanding who is doing this and how are these things happening. I’ll tell you one of our researchers just found a couple days ago close to 4 million credentials that were stolen and being shared on hacking forums. And this kind of stuff doesn’t just stop because people are dealing with the pandemic. And as you and I have joked before in the past, sometimes when people have a lot of time on their hands and they’re on their computer, it tends to lead to you know some not-so-good experimenting going on as well. So there’s just so many things happening right now, I think we’re going to need a little time to do some more analysis and then we’ll have a much better understanding of who specifically may be behind driving some of these issues that are going on.

So in the physical world, traditional home burglaries are down, because everybody’s sitting at home, but commercial burglaries are up, because there’s nobody out in the city, watching things. In fact there was a giant art theft, in Germany not too long ago. During COVID. Because people aren’t paying attention to the things they used to pay attention to.

Mr Jake, always a pleasure to talk to you. My mind always races with all kinds of things that make me feel really scared and worried, and also very positive – you give me both sides of the equation, and I think that’s fantastic. Jake Kouns, CEO of Risk Based Security, thanks for coming on Corona-Con 2020.

Part II

Hi everybody, welcome back to Security Guy TV and Corona-Con 2020, the virtual security and thought leadership conference, with my next guest Mr Jake Kouns, CEO Risk Based Security. Mr Jake, welcome.

Thanks for having me as always.

Talk to us about the security personnel side of it. We already have a cyber security personnel shortage. How do you think this is impacting that? I mean the good thing about cybersecurity is you can come to the office to do cyber-security, you can work at home probably, do cyber-security fairly well. But are we going to find that the cyber security people, maybe they’re laid off or saying I’m going to go be a barista, I mean what’s what’s going on with all this stuff? This could have a serious impact maybe.

Yeah, well, you know, what tends to happen anytime there’s a recession, and budgets have to get cut, something like security can be impacted. In some ways there’s this weird cycle where, well we haven’t had a data breach, we haven’t had any security problem, so we’re good, what are we worried about, let’s reduce some staff, right? It is unbelievable following the news of some ridiculously heavily-funded security startups as well as large companies that you think would be relatively immune and/or would be able to weather the storm for a couple of months here, that are already laying off folks. Let’s put aside for a second not just security folks, but when you’re laying off potentially IT staff that have to fix these issues, it becomes really problematic.

And as much as maybe everyone wants to talk about remote working is amazing and all the benefits of it, when you have some organizations that have been forced into this work from home due to COVID, and haven’t had a chance to do that on their own naturally, collaboration and efficiency can be a little tough.

I think at the end of the day, when you have all these vulnerabilities coming at you, all these decisions, that you have to take that risk based approach to what you’re doing, it can be a lot more challenging to get organized and prioritize and work on those right things.

For the most part, patches have gotten pretty reliable; it’s not as much as back in the old days where a patch would go out and then you have all kinds of problems with it, I think organizations are doing a pretty good job of testing and all those sorts of things, but now if a patch goes out, and something goes wrong, and now you’ve got this whole work from work from home force, and trying to solve that, there’s a lot going on and when you have a vulnerability fujiwara like that with so many vendors, I’m not sure what organizations don’t have a massive situation where almost every one of their servers and infrastructure needs to be patched. That is just a ton of work, and if security people are being downsized, and can’t properly figure out how to do that analysis to prioritize what needs to happen, and then the IT staff that needs to install these patches … it’s going to lead to problems, there’s just no way around it.

Any silver linings here? Now many of my security friends and colleagues didn’t become busier, like everyone anticipated, they became less busy. Some were actually laid off, some are twiddling their thumbs, saying “well, I had my phone conference today, and the virus is still here, so thanks a lot”. And they have nothing to do, in one way. But what they are doing is catching up on education, catching up on that backlog of emails. Are we getting caught up on the cyber side? Maybe we are doing some more patches because I’m not worried about the meeting my stupid boss has every Thursday that takes five hours and wastes my time.

I think that’s a great point, I think it’s probably both sides. I know for us, and everyone at Risk Based Security, we’re busier than ever. This has not harmed us, we’re still hiring, we’re still growing because when you think about it, when people aren’t going to brick-and-mortar for transactions and everything’s going online, cybersecurity and vulnerability intelligence and vendor management becomes more critical, so from my standpoint things have not slowed down whatsoever. From other people’s standpoint, it’s clear that there’s an impact. There’s an impact with some industries that you would expect, and some that you wouldn’t. And that has a downstream impact, so if you have clients that are in some distressed industries, retail and hospitality, things like that, they’re not doing anything right now. Budgets are completely crushed and gone for good, or they’re being pushed out.
I think depending on what’s going on, you’re probably busier than ever and have no time to further educate and catch up, or you probably do have some time right now and you should use it wisely. If life was ever going to slow down to give you an opportunity to get caught up on something, and you have that opportunity now, then take advantage of it. Try to be emotionally strong here, I know this is tough on everyone having to deal with this and the uncertainty of what’s happening, but don’t be lazy, be mentally strong, the best that you can, and try to learn that new skill or to your point, if things are slow in the patching world, and after yesterday I don’t know how they could be, but if hypothetically you have a moment then use this to try to catch up and get yourself ahead.

What do you think are going to be some positive effects coming out of this in the end? What do you see as maybe some new innovation, a different way we might be doing things? I know there are some positive things coming out of this in the cyber world. What do you think they are?

You know how I think the first thing is to your point: you’ve got to stay tough in this and not let yourself fall into this sort of trap of “woe is me and things are horrible”. There are definitely some tough things going on without a doubt, and certain industries are way worse than maybe the cyber security industry. But what is the horrible saying? Don’t let a good crisis go to waste, or opportunities? I think for everyone, to your point, this has to be looked at as a way to pivot, whatever your business is, or look at new opportunities to enhance yourself so that you come out of this stronger. That’s what we’re doing personally at RBS, I mean we were strong going into this and we’re doing everything we can to become even stronger out of it. I think at the end of the day, companies are going to be faced most likely with even less staff, you know, we’ve already seen unemployment numbers continue to sky-rocket, not that people weren’t already doing this, because it did feel like everyone is being asked to do more with less, but I think that’s really where hopefully prioritization can help here.

You know there’s been a lot of debate about Zoom, you know most people didn’t even hear of Zoom until the pandemic, and all of a sudden that’s how you’re staying in touch with friends, and schools and classes are using it to stay in touch. But there’s also very quickly, just like it always happens, researchers go after things that are going to pay them money, maybe bounty-wise, or they’re going to go after the new hot trends. And so we’re seeing researchers focus a lot on any sort of video conferencing, or tooling, VPNs, that can help folks work from home. This is sort of normal, right? And zoom obviously had quite a bit of success, and then quite a bit of hiccups with security settings issues and trolls attacking Zoom meetings, and then and of course vulnerabilities coming out.

Now from my standpoint, most of the vulnerabilities that I have seen have been what we’ll call local privilege escalation, meaning that you need to be on the machine to take advantage of it. So Zoom has gotten a ton of attention, and banned by so many different companies that they can’t use, and from what I’ve seen so far and what we’ve seen, Zoom has a really, really low code maturity standpoint. So the code that makes up Zoom is not great.

But I think what this is going to force us to do, to answer your question, is we really need to look at threat modeling and attack vectors, because I think people have focussed so much attention on Zoom being a problem that is so horrible, and missing and not paying attention to a lot more critical vulnerabilities that are out there, that have a much more obvious attack vector.

So I’m hoping that people are going to realize that you got to prioritize. You’ve got to know about everything that’s out there, you got to have full intelligence of all look the things that your organization is dealing with, whether it be vulnerabilities or any other risks that are going on out there, but then focus your resources, it’s not just security it’s the right security, focus those resources on the most important things to your organization.

Our products
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more
Request Demo