
Interview with Debra Baker

  • Last updated November 20, 2024
  • Written by Editor
🎙️Welcome, listeners! Today, I am thrilled to introduce a distinguished expert in cybersecurity and digital transformation. With over 20 years of experience in the field, Debra Baker has been recognized as one of the Top 100 Women in Cybersecurity by Cybercrime Magazine and one of the Top 10 Eminent Women in Security by CIO Look in 2021.
As a co-founder of the League of Women in Cybersecurity and the founder of the Johns Hopkins University Cryptographic Knowledge Base (CryptoDoneRight.org), Debra is a prominent advocate for women in the cybersecurity field. She is also featured in the book Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.


Q: VPNRanks — Debra, with a career spanning over two decades in cybersecurity and holding pivotal roles such as CEO and vCISO at TrustedCiso, as well as significant positions at companies like RedSeal, Entrust, and Cisco, you’ve built and managed comprehensive security programs and successfully guided organizations through rigorous compliance processes. Can you start by sharing what initially drew you to the field of cybersecurity? Was it a dramatic encounter with a hacker, or perhaps an unquenchable curiosity about the digital world? How has your journey evolved to your current leadership roles?

A: Debra Baker — I found myself in cybersecurity somewhat unexpectedly, a situation that is not uncommon. During my high school years in the 1980s, I was aware of the growing significance of computers and took two years of basic programming. Unfortunately, I didn’t enjoy it and thought a career in computers required being a programmer, which discouraged me. Instead, I pursued a business degree in finance, but the sales-oriented work I ended up doing wasn’t fulfilling. This led me to enlist in the Air Force, where a placement exam suggested I might excel in computers. I took a chance and started with networking and basic network administration.
My first exposure to cybersecurity came through an excellent training program in the Air Force, where I performed my initial penetration tests. Back then, cybersecurity was quite rudimentary—essentially, it was about having a firewall and an internal network, and we felt secure. After leaving the Air Force, I worked at IBM as a DNS administrator, gaining broader experience in networking and exposure to different teams, including a firewall group.
A turning point came when a friend invited me to a job fair where I found an opportunity at Entrust Technologies, a PKI software development firm. They offered me a job on the spot with nearly double the pay, right before the tech boom. This role involved training in cryptography and encryption, which was a significant shift toward the cybersecurity field.

Q: VPNRanks — In your recent YouTube video, you discussed the Ticketmaster hack in detail. Could you walk us through the sequence of events from the initial breach to the hackers attempting to sell the data on the dark web? How did Ticketmaster respond, and if you were in their shoes, what would you have done differently to avoid becoming the headline news?

A: Debra Baker — The Ticketmaster breach became public when the company had to report it to the SEC, as required for publicly traded companies within four days of a significant incident. Ticketmaster disclosed that unauthorized activity was detected in their database on May 20th, and by May 27th, hackers had offered to sell the compromised data for $500,000 on the dark web, affecting around 560 million customers.
As I investigated further, I came across a statement from Snowflake, which clarified that they were not breached. This initially seemed confusing, but it turned out that Ticketmaster used Snowflake as their data repository. Despite Snowflake’s role, the breach was related to Ticketmaster’s own security practices. The lack of multi-factor authentication (MFA) configuration on Ticketmaster’s part allowed hackers to target Snowflake customers who had not implemented MFA. These hackers exploited the vulnerability to access and extort data from multiple clients, not just Ticketmaster.
This incident underscores the importance of basic cybersecurity practices. In response, I recently published a book titled CISO Guide to Cyber Resilience, which includes a roadmap for enhancing security. The book starts with a fictional ransomware attack scenario, detailing how a Chief Information Security Officer (CISO) should respond and recover. Each chapter then addresses specific cybersecurity areas necessary for building a robust security program. A key focus in my roadmap is multi-factor authentication, which is crucial for defending against account attacks. Implementing MFA can prevent approximately 99.9% of such attacks, highlighting its importance in cybersecurity hygiene.

Q: VPNRanks — In your video course on cyber resilience, you emphasized the importance of building a culture of security awareness within organizations. Considering the rapid advancements in technology and the evolving nature of cyber threats, what innovative methods or emerging technologies do you believe will play a crucial role in enhancing cybersecurity education and resilience in the next decade? And, if you had a magic wand, what one change would you make to the current state of cybersecurity education?

A: Debra Baker — When considering advancements in technology, artificial intelligence (AI) immediately comes to mind. AI’s integration into various fields suggests its potential role in enhancing security awareness training. Unlike traditional methods that involve static videos for all employees, AI could tailor training to individual roles by understanding each user’s specific responsibilities and risks. This customization could be achieved by maintaining user profiles and adapting the training based on quizzes or assessments, allowing for a more personalized and effective approach.
In terms of staying ahead in cybersecurity, the priority is to keep up with the latest hacks and threats. This is where creating informative content, such as YouTube videos, can be valuable. For example, analyzing and discussing the root causes of breaches, as referenced in a book I mention in my own publication, can help in understanding common vulnerabilities. The book identifies that most breaches stem from just six primary root causes. My approach involves explaining these causes in my book and providing actionable security measures to protect against them. This knowledge, combined with ongoing education and vigilance, is crucial for safeguarding data both in organizations and in personal online activities.


Q: VPNRanks — Imagine you could only pick one security measure (antivirus, EDR, application firewall, encryption, or VPN) to take with you on a desert island where cyber threats exist. Which one would you choose and why? Bonus points if you can make your choice sound like the ultimate survival tool!

A: Debra Baker — If I had to choose just one security measure to bring with me to a desert island where cyber threats lurk around every corner, it would unquestionably be multi-factor authentication (MFA). Imagine yourself stranded on an island, not only dealing with harsh elements but also fending off relentless cyber threats that strike when you least expect them. In this high-stakes scenario, you need a robust defense mechanism—something that provides the ultimate protection against any attack. MFA is that survival tool. It functions as the digital equivalent of a fortified bunker, complete with a biometric lock and a secure code, ensuring that your defenses remain impenetrable. It’s like having a high-tech security system in the midst of an otherwise hostile environment—a truly cinematic level of protection!

Q: VPNRanks — In one of your videos, you mentioned that 99.9% of attacks on user accounts can be prevented with multi-factor authentication. Can you provide a detailed explanation of the most effective multi-factor authentication methods and share some amusing anecdotes or insights on why these methods are so successful in thwarting cyber attacks?

A: Debra Baker — When it comes to choosing the best multi-factor authentication (MFA) method, there are several effective options to consider. One of the most secure is using a separate USB device, often used by government agencies. This device contains a certificate and must be plugged into your computer to authenticate access. However, the downside is the need to always carry this device with you, which can be inconvenient.
Another promising development in MFA is the adoption of passkeys, which provide an additional layer of security. To use passkeys effectively, it’s best to store them in a reputable password manager like Bitwarden, 1Password, or LastPass. This way, even if your phone is compromised, your passkeys remain secure. Storing passkeys solely in a phone’s native keychain could be risky if someone gains access to your phone, potentially leading to unauthorized access to your accounts.
Recent news highlights the risk of hacker gangs targeting college students and others. These attackers often employ tactics like shoulder surfing to steal PIN codes or physical devices, which can lead to significant financial loss if default passwords are used for sensitive accounts. To mitigate such risks, using a password manager ensures that even if your phone is stolen, your passwords and passkeys remain protected. Additionally, utilizing authentication apps like Google Authenticator or Microsoft Authenticator adds another layer of security. Though it requires entering a code from your phone, this small extra step significantly enhances account protection.
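To show what an authenticator app such as Google Authenticator actually computes, and how a server should check the code it produces, here is an added example (not code from the interview, VPNRanks, or any product named above) implementing RFC 6238 TOTP over RFC 4226 HOTP with a one-step clock-drift window and single-use enforcement. The shared secret is the RFC test-vector key, used here as a constructed sample; real deployments generate a random per-user secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch,
# which is what the phone app displays and rotates every 30 seconds.
def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(key, unix_time // step, digits)

class TotpVerifier:
    """Server-side check: tolerate +/- `window` steps of clock drift, but accept
    each time step only once so a code observed in transit cannot be replayed."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_counter = -1  # highest step counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than one used): reject replay
            # constant-time compare so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.key, counter, self.digits), submitted):
                self.last_counter = counter
                return True
        return False

# Constructed sample secret: the RFC 4226/6238 test-vector key (never reuse in practice).
SAMPLE_KEY = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_KEY)
    code = totp(SAMPLE_KEY, 59)          # code the app would show at t=59
    print(code, verifier.verify(code, 89), verifier.verify(code, 89))
```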


Q: VPNRanks — Debra, the recent controversy around the SolarWinds hack exposed vulnerabilities in software supply chains, causing widespread concern in the cybersecurity community. What are your thoughts on this incident, and what measures do you believe companies should implement to better secure their supply chains against such sophisticated attacks?

A: Debra Baker — The SolarWinds attack highlights a critical lesson in cybersecurity: the importance of adhering to basic security practices. The breach occurred due to lapses in fundamental measures such as patching, managing open ports, and implementing multi-factor authentication (MFA). These basic security steps could have thwarted the attackers from infiltrating the network in the first place.
Once the attackers gained access to the network, they moved cautiously to avoid detection by security systems. They quietly mapped out the network, searching for valuable data like source code, which they could exploit for financial gain. They inserted a backdoor into SolarWinds’ software, which later spread to all customers through routine updates.
This situation underscores the need for continuous diligence in maintaining cybersecurity measures. Additionally, it points to the importance of communication between cybersecurity leaders (CISOs) and executive management. The CISO’s role is to protect the organization by lowering risk, but they rely on executives to provide the necessary resources. In this case, the SEC criticized the CISO for not adequately informing executives about the risks, highlighting the need for clear communication about security threats.
Ultimately, the responsibility for security lies with executive management, who must decide whether to allocate resources to address risks or accept them. The SEC’s stance suggests that CISOs should not shy away from presenting the full scope of potential dangers to ensure informed decision-making at the top level.


Q: VPNRanks — Given your extensive experience in leading digital transformation and cybersecurity initiatives, what advice would you give to startups looking to integrate cutting-edge technologies like AI and quantum computing into their cybersecurity frameworks? And if you could give a single, tweet-length piece of advice to new entrepreneurs in this field, what would it be?

A: Debra Baker — Incorporating AI into business operations is becoming increasingly common, but it’s crucial to approach it with caution, especially regarding data privacy. If you’re using AI tools like ChatGPT, make sure to configure privacy settings to restrict data sharing. Ideally, using a private large language model (LLM) or a version of GPT that you can set to private offers better control over your data.
Organizations using or developing AI should establish a clear AI policy to govern how these tools are used, ensuring that data is handled securely and ethically.
On the topic of quantum computing, the National Institute of Standards and Technology (NIST) is working on quantum-resistant algorithms. As these algorithms are finalized, they will be integrated into cryptographic modules. To stay secure, it’s essential to keep your operating systems and software up to date, ensuring they can support these new quantum-resistant algorithms when they become available. This proactive approach will help protect your systems against potential future threats posed by quantum computing advancements.