MKG Marketing MKG Marketing Logo Quotation Marks
Podcasts > What's the Problem

A SOC Analysts Point of View on CISA’s Shields Up Directive

Mike Krass • Thursday, September 1, 2022 • 18 minutes to listen

Subscribe to the Podcast or listen on...

Spotify Anchor

Join our weekly newsletter

We care about the protection of your data. Read our Privacy Policy.



Hello, everybody, and welcome to What's the Problem, the show that explores problems, scenarios, issues, considerations, and anything going on in the lives of our guest experts in cybersecurity.

Today, we are fortunate to have Elez joining us.


Mike Krass: Elez, say hello to our listeners.

Elez Tupuzovic: Hello, everyone. Thank you, Mike, for having me.

Mike Krass: Absolutely. Elez, as you've listened to a few of our episodes, we get right into it. Why are you qualified to talk about security? Tell the listeners a little bit about your professional experience.

Elez Tupuzovic: I've been interested in computers and general security since I was a kid. I always like to mess around with technology, figure out how it works, try to bypass the find workarounds, and how it's supposed to work to do what I want. I've been in the cybersecurity industry for a few years already. Currently, I'm working for a managed security service provider. I'm a senior security operations center analyst. I've been handling a lot of incidents daily, and I'm more on the defender side for now.

Working for a managed security service provider exposed me to many attacks, and I could respond to many of those. I've just seen so many things that I think should be addressed if you prevented those things, you would save yourself so much trouble, and you would potentially be able to save way more than you would expect. All right.

Mike Krass: You're on the front lines, that senior SOC analyst. As a senior security operations center analyst, what is a problem that you want to explore with our listeners today? What's something that you think doesn't get the attention it should?

Elez Tupuzovic: Ever since I started this career, I feel it hasn't changed much regarding that topic. Whenever I was studying all this, I thought that these small things such as weak passwords, legacy software, products, or our abilities had been taken care of immediately. I've seen so many cases with the most recent cyber attacks. I will say that I would like to talk about cybersecurity in-depth and try to bring it closer to the audience.

One major problem causing these are giving the threat actor access to all these networks and doing whatever they want. Let's take one example. If you look at the Colonial Pipeline, I'm pretty sure that most of the audience is familiar with that incident. It happened with exposed credentials, and they used a legacy VPN that didn't have multi-factor authentication. I don't think that should be a big problem to fix or that it should be postponed or at the bottom of the list. Those are some of the things that are the easiest to fix. I understand the day-to-day operations and everything as if you're working as an engineer. You're probably overwhelmed with everything you have to deal with to make everything work. Investing enough time and fixing those minor problems is necessary because they can cause so much trouble. You will lose more money, service disruptions, and a bad reputation, and it's tough to recover. It's not always that the attackers are using sophisticated methods or exploits.

Cybersecurity criminals are the third, and they're on the third scale. They think the third place on the scale, right behind the APS, and they are just looking for an easy target. There are so many of them out there. It's weak credentials, zero days, or unpatched vulnerabilities, and some days are the most sophisticated. I've seen cases where there are some unpatched vulnerabilities, and they're two years old, and that's an incident happening from there. The attacker abused that one ability and was able to get domain admin instantaneously. You cannot do anything unless you have somebody monitoring you proactively and somebody who knows what's normal or abnormal in your environment.

Some people even invest more into technology and securing all these critical assets and then forget or skip the ones that are not that important but they're equally important. Everything is equally important. I understand that people have to prioritize based on risk, but at the end of the day, you need to take care of everything because you never know it's going to happen, and it can happen. It will happen; it’s just a matter of time because they're attacking out there like constant tenuously. There are botnets out there, and they're just scanning everything open. Wherever you have an open face, it's going to be slammed by botnets instantaneously. Sometimes even just the geofencing. If it's a targeted attack, it's super easy for someone just to change to proxy them and have their IP coming from the US. And what I’m trying to say is to secure everything from the start to the beginning, following those basic guidelines from CIS, and secure all those 20 points you have to do. Go more in-depth and try to improve on it.

It seems many organizations don't have enough time, and they're in a rush to get everything working, which I understand. Technology is complicated, and it's hard to get everything working and set up everything perfectly. Sometimes, you need to bypass things, and that's one of the big issues we all face now, fueling cybercriminals. They're being paid more and more with those extorts and the extortions. Many people are paying them because they're afraid of going public and being exposed, fueling them. Sometimes it's easy to buy somebody's exposed credentials on the dark web, and you have access immediately. It's becoming easier and easier for them. Let's say they disabled Microsoft macro executions for more documents. They found a bypass right away, and there was a bypass even before they announced it. As long as hard as we are trying to defend and protect, we also need help from those not in security who just understand those basics. How can I contribute to the overall security? Because at the end of the day, even if the cyber war comes out, it's easy to do anything and remotely impair the whole country from another. You don't even need to go there.

Mike Krass: Let me jump in here because you said something that caught my attention earlier. There's an intrusion; an attacker gets into company systems, and there's this feeling of embarrassment, or there are no good feelings from the corporation that's been compromised. I'm looking for your professional opinion on this one. In the United States, CISA has brought its shields up with an initiative that says, "If you're a company of a certain size, you have to disclose a breach. It's no longer up to you to decide. You are now obligated by law to do so. Do you think the shields up mandate will take some of the stigmas away from sharing a breach, and no one's going on the podium at a press conference saying they've been breached and explaining how and why? You've touched on something there. There's just this stigma of, we're one of those companies that have been breached. And we don't want to share that if we don't have to, but you do now. That's not a choice. I am looking for your professional opinion here. Do you believe the shielding mandate will help remove some stigmas and say, "It's okay to come forward?" And in fact, we now expected

Elez Tupuzovic: I think it definitely will. I'm sure that they'll still be people who will not. Organizations will not report, but I'm sure a certain percentage will go up. And at the end of the day, that's the only opportunity to help that organization recover from that and have them find their mistakes properly. They can learn from their mistakes. Whenever something happens, you need to figure out why did it happen. Originally, what happened? How can I prevent this from happening in the future? Because if you just put a bandaid or temporary, you will get hacked again. I've seen many cases where organizations get hacked by the same threat actor just because they didn't invest enough time into disclosing the breach, making a proper incident response, and not having a proper response plan. If this closing of the breach is going to help the organization get more mature and realize what happened and be able to fix that mistake versus trying hard to hide it under the rug and just move on. And it happens again tomorrow, next day or next week, next month or year. It's an approach that will benefit at least a little, but there are still going to be organizations out there that will take the other route.

Mike Krass: Okay, so last question here. And I know that the listeners and I appreciate you sharing some of your experience and expertise. But now, we're not here to talk about your experience and expertise in security. We're here to talk about something a little more personal. Tell our listeners and me about a terrible haircut you've had.

Elez Tupuzovic: I've had really bad haircuts almost my whole life. But the one that stands out is when I was about 18. It was summertime, and I decided to give myself a haircut and shave off everything. I didn't mind it. I didn't have any hair. I was able to get ready fast. It was practical. It was summer, and I lived on a beach. The next day right after that, whenever it was still fresh, I went to the beach, and I didn't bother putting aside the sunscreen or bringing a hat or anything. I was just having a good day, enjoying and having fun, playing soccer and volleyball. I even fell asleep at some point, waking up after that. I went home, which was a funny, painful experience where I tried taking a shower, and I just felt like my head. Somebody's slamming me with a hammer. I looked in the mirror, and I had blisters on my head. I was laughing and crying at the same time. Never again.

Mike Krass: Elez, I appreciate you sharing some of your background, experience, expertise, and that experience of the hammer-on head experience with a sunburn. Many folks listen to this show and would like to speak to the featured guests. If someone wanted to get in touch with you, what's the best way for them to reach out to you and say, Hi,

Elez Tupuzovic: You can find me on LinkedIn. The first name, last name, just send me a message. I'm happy to connect and answer any questions. Even if somebody wants to get started in cybersecurity that they would want to do, feel free to reach out. I'll help out with all my resources and stuff that I have. And always looking forward to connecting and meeting new people, talking about cybersecurity matters, and just improving the cybersecurity world.

Mike Krass: Well, folks, and all the listeners out there, you heard it here. We'll put Elez his LinkedIn profile in the show notes. So there's no excuse if you want to talk to this guy for any reason about cybersecurity. Very easy to get a hold of. And as we conclude this episode, I wanted to thank you for listening to What's the Problem, the show that explores problems, scenarios, issues, and things to consider in cybersecurity. Until next time.

Elez Tupuzovic

Join our weekly newsletter

Get industry news, articles, and tips-and-tricks straight from our experts.

We care about the protection of your data. Read our Privacy Policy.