Episode 604 Security With Caleb Mattingly
Show Highlights
The source material consists of excerpts from an episode of The SDM Show, hosted by Rob Cairns, featuring guest Caleb Mattingly. This podcast conversation primarily focuses on the multifaceted field of cyber security, covering topics such as personal experiences entering the industry, the importance of user awareness and education, and challenges related to password management and keeping software up to date. Key security concepts are explored, including the necessity of disaster recovery and offsite backups, adhering to the principle of least privilege for user access, and addressing modern threats like business email compromise and increasingly sophisticated phishing scams—including those augmented by AI. The discussion also touches upon enterprise security, cloud environments (like AWS), and the risks associated with inadequate security protocols in both large and small organizations.
Show Notes
Introduction
In this episode, host Rob Cairns talks with cybersecurity expert Caleb Mattingly about the ever-evolving field of cybersecurity. They delve into Caleb’s journey into the industry, the diverse aspects of the field, and key challenges and best practices for individuals and businesses.
Caleb Mattingly’s Journey
- From English Teacher to Cybersecurity Expert: Caleb shares his unconventional path, which began with plans to teach English as a second language in Jordan. He pivoted to IT to support his future family, starting at a university help desk.
- Proving the Doubters Wrong: A manager’s comment that “nobody ever makes it into cyber” fueled Caleb’s ambition. He went on to earn his Security+ certification, work in defense contracting, and serve as the security lead for AllTrails, the hiking app, before starting his own business.
The Breadth of Cybersecurity
- Diverse Disciplines: The field is vast, encompassing network security, web security (like WordPress), email security, and mobile device security. Caleb and Rob discuss how experts must specialize in one of these areas.
- Chasing Shadows: Rob mentions Citizen Lab, a Toronto-based research lab that investigates nation-state hacking of smartphones, highlighting the advanced and complex nature of the threat landscape.
The Human Element: The Weakest Link
- Security is Everyone’s Job: Both Rob and Caleb emphasize that a company’s greatest security risk is its people. Employees often believe security isn’t their responsibility, leading to vulnerabilities.
- The Problem with 2FA: Rob notes that while security professionals like them advocate for two-factor authentication (2FA) and other measures, many people find them frustrating and difficult to use, especially seniors.
- The Balance of Security and Usability: A core challenge is finding the right balance between robust security measures and a user experience that doesn’t hinder productivity.
Best Practices and Common Pitfalls
- Disaster Recovery is Crucial: Rob highlights the importance of regular disaster recovery testing, citing Fortune 500 companies that conduct quarterly drills. A backup is only as good as its restore capability. The story of Code Spaces, a company that went out of business in 24 hours after a single-point-of-failure attack, serves as a cautionary tale.
- Multiple Backups: To protect against hacks, it’s essential to have backups in multiple, geographically separate locations. Rob uses two Synology NAS devices that sync overnight, and Caleb recommends using a separate cloud account or even a different cloud provider for backups.
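The "restore drill" behind Rob's point that a backup is only as good as its restore, as an added example that is not from the episode or its guests: a POSIX shell script that archives a directory, writes a SHA-256 manifest of every file, restores the archive into a scratch directory, and verifies each restored file against the manifest. The sample site, the function names, and the reliance on tar and GNU sha256sum are all assumptions of this example, not anything the hosts described.

```sh
#!/bin/sh
# Added example, not from the episode. Assumes POSIX sh, tar, mktemp and
# GNU coreutils sha256sum. A backup that has never been restored and
# checked is an assumption, not a recovery plan.
set -eu

# Build a small constructed "site" so the drill runs offline.
# Prints the path of the new directory.
make_sample_site() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/uploads"
  printf '<?php // constructed sample config\n' > "$dir/wp-config.php"
  printf 'constructed sample upload\n' > "$dir/wp-content/uploads/a.txt"
  printf '%s\n' "$dir"
}

# Archive SRC into DEST/backup.tar and write DEST/manifest.sha256 listing
# the checksum of every regular file. Prints the archive path.
# (Constructed file names contain no spaces, so find | xargs is fine here.)
make_backup() {
  src=$1; dest=$2
  ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$dest/manifest.sha256"
  tar -C "$src" -cf "$dest/backup.tar" .
  printf '%s\n' "$dest/backup.tar"
}

# Restore ARCHIVE into a fresh scratch directory and check every file in
# MANIFEST. Prints OK when all checksums match and every listed file is
# present, FAIL otherwise. The scratch directory is removed either way.
verify_restore() {
  archive=$1; manifest=$2
  scratch=$(mktemp -d)
  tar -C "$scratch" -xf "$archive"
  if ( cd "$scratch" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1; then
    result=OK
  else
    result=FAIL
  fi
  rm -rf "$scratch"
  printf '%s\n' "$result"
}

# Whole drill in one call: back up SRC into DEST, then restore and verify.
run_drill() {
  src=$1; dest=$2
  archive=$(make_backup "$src" "$dest")
  verify_restore "$archive" "$dest/manifest.sha256"
}
```

Run it on a schedule against the real backup target rather than the live site, and treat any FAIL as an incident: the manifest catches both silently corrupted files and files that never made it into the archive, which is exactly what a quarterly drill is meant to surface before an attacker does.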
- The Principle of Least Privilege: Rob and Caleb discuss the critical practice of giving users only the access they need to do their jobs. They share a story of a WordPress site with 47 admin accounts, all of which were unnecessary.
- Password Managers: Both advocate for using password managers like 1Password or Bitwarden for strong, unique passwords. Rob shares his personal strategy of adding a memorable string to the end of each password to protect against a hack of the password manager itself.
- Keeping Software Updated: Outdated software, including core systems (like WordPress core and PHP versions) and plugins, is a major vulnerability. Rob shares his routine of updating client websites three times a week.
- The Problem with Public Wi-Fi: Rob warns against using public Wi-Fi for sensitive work, as connections are often unencrypted and vulnerable to attackers. He uses a travel router with a built-in firewall, while Caleb opts for his phone’s hotspot.
The Role of Trust and Communication
- Building Trust: The foundation of good security is trust—both in the security professionals and between different teams within a company. Rob shares a personal story of a VP who, after a firm security refusal, apologized and thanked him for following protocol.
- AI’s Double-Edged Sword: AI is making security both harder and easier. It’s being used to create sophisticated phishing scams with perfect grammar and corporate logos. However, it’s also a powerful tool for analyzing vast amounts of data to detect anomalies and threats.
Top Business Risks
According to Caleb, the biggest business risks are:
- Insider Threat: Malicious or careless employees.
- Business Email Compromise: A classic scam where an attacker gains access to a business email account to perpetrate fraud.
- Phishing/Social Engineering: Tricking people into revealing sensitive information through urgent or deceptive requests.
- User Awareness: A lack of education among employees about common threats.
