Dave Hatter is Cincinnati’s top cyber security pro. If his name sounds familiar, it’s not surprising: He’s an award-winning technology professional who’s done hundreds of on-air interviews as a subject matter expert. In addition to offering expert advice on the radio, TV and the internet, Dave serves as Intrust’s cyber security consultant.
Over Dave’s decades-long career, he’s focused on software development and cyber security. He has experience as a software engineer, project manager and instructor. As a servant leader, Dave has headed teams that designed, developed and deployed roughly 200 successful custom software solutions across a wide variety of organizations and industries.
An enthusiastic tech evangelist, Dave has been quoted in national and regional print media including: The Wall Street Journal, MSNBC, Salon, The Street, Reader’s Digest, InfoWorld, ComputerWorld, CIO Update, Search CIO, Search Security, How-to Geek, The SSL Store, The Cincinnati Enquirer, The Cincinnati Business Courier and The Dayton Business Journal.
Meiran Gallis: You are an award-winning tech professional with more than 30 years of experience in this space. You are part of the Intrust It leadership team with a massive around both inside your security, but also in social development and engineering. In addition, you’re a regular speaker and your channels like CNN, Fox News. Pleasure to have you on the podcast, and that’s amazing. So many things you’ve been doing.
Dave Hatter: Yeah, happy to. First off, thanks for having me on. I always love to talk about it, and cyber security in particular. So I appreciate the opportunity to chat about this with you today. I’m pretty much a lifelong nerd, as you can see from the stuff that I sent you guys pretty much from high school on. I’ve been involved in technology, spent most of my career as a software engineer and about, I’d say, maybe five or six years ago. And honestly, to a large extent because of the fact that it felt like software engineers didn’t really take security seriously and weren’t being trained on it. And I always love to talk about this because I’ve also still am still teaching some programming courses at a local community college. There’s still just not a lot of emphasis on the security aspect of it. So when I looked out and said, okay, as our society becomes more and more digital, as we require more and more technology just to exist, especially here in the United States, everything is digital now, you really almost impossible to get off the grid. I started to get concerned, really, about the societal impact of all of this technology and the lack of cybersecurity. Things like the Internet of things, right? These so called smart devices. People are buying this stuff. A little regard to privacy of security. They’re plugging it into their networks, which are increasingly now remote, people trying to work from home as a result of the pandemic and so forth. You don’t have the benefit of highly secure perimeter firewalls. It’s nerds running around trying to secure this stuff. You get people trying to work from wherever they are, and they’re throwing all these relatively insecure IoT devices into their networks, and just stuff like that made me start to think, you know, I have a personal interest in the cyber security space. I think as an It professional with some experience there, I kind of have a duty to try to help other people realize how important this is and the increasing importance of it. So I sort of, like said about five or six years ago, I started to make the transition out of the software development, software engineering aspects of this and try to get more involved in cybersecurity, and especially just trying to raise awareness about it and things like the importance of these frameworks. There’s so many excellent frameworks out there, and so many things people can do, people businesses can do to improve their security posture that are relatively inexpensive in some cases free. But it just feels to me like many people still don’t know, they don’t understand the risk, or I still hear I’m too small, that will never happen to me. I got nothing worth stealing. And I can assure you your money is worth stealing, and they will steal it if you make it easy for. So that’s kind of how I got here today. But I’m a lifelong nerd and kind of where it is as a badge of honor, you know.
Meiran Galis: No, but that’s amazing, actually, because this is such a unique perspective coming from software engineering into the cybersecurity space. Knowing many developers myself and engineers, I know that many of them don’t really like when it comes to security controls. They move into the performance and make things work. And always security is kind of something that needs to be added on top of what they’re developing, and especially when it comes to frameworks controls and it audits, which I guess you’re very familiar with. What do you think? Does compliance equal security?
Dave Hatter: Actually, I think absolutely not. I think they’re definitely very well related to one another, and I think you can certainly be secure without being in compliance. But just because you’re in compliance doesn’t mean you’re secure. And while I am a big fan of a number of the security frameworks out there, things like NIST Cybersecurity Framework or NIST 871, yeah, just simply claiming that you have compliance with 110 controls in this 871, for example, does not necessarily mean you’re secure. So I think the answer is no. Just because you’re in compliance doesn’t mean you’re secure. But I think the likelihood of you improving your security posture and being able to do it in a timely and cost-effective way by using the various frameworks that are out there to guide you and inform your approach. Center for Internet Security a big fan of their critical controls. There’s a ton of information that is currently available from people that have enormous expertise in these spaces. Again, when you look at center for Internet Security, they’re crowdsourcing thousands of professionals around the world to develop these critical controls. There’s an enormous amount of useful information there. So, yeah, I’m huge fan of informing your approach using these different frameworks. But yeah, I definitely will say I don’t believe you’re secure just because you are in compliance with some framework.
Meiran Galis: Yeah, and I guess it also has something to do with your approach, right? If you come in for a framework with just checking the box and it because management decided. So that’s going to look different if you’re really going to deep dive and understand the countermeasure that you implement and coming from your background. Also making very technical controls around the secure software development, lifecycle and change management. I guess that there might be some contribution when it’s time for balancing the security, and actual security for the company so people can feel safe with what they’re doing in the software. Just makes me think in an event that data is the new oil and actually your data goes not only to your vendors, but also to your vendors vendors. And you’re not holding only your customers data, but also in your customer customers data. And when it comes to privacy regulations, CCPA, CPRA, does it make any difference when it comes for personal data?
Dave Hatter: I think it does. First off, I would hope, although I’ll be the first person to tell you, I’m not a fan of a lot of the surveillance capitalism model so many of these tech titans are built on because I don’t think the average person really understands how much data they’re giving up and how it’s being used by these companies. In fact, again, without getting too far down the conspiracy rabbit hole here, there are companies out there who are building machine learning algorithms that can supposedly predict whether you would be a good renter or a good insurer or a good employee or whatever and they’re buying all this data. Companies who are in a hiring mode might use one of these tools and decide you wouldn’t be a good employee based off information that may or may not be accurate, you may or may not have given up if you realize could be used about you in this way. So again, I’m not a huge fan of the whole surveillance capitalism model. I would like, while I’m generally more of a less regulation as good kind of guy, I think we’re in a position, at least in the United States, where we probably need more regulation around this stuff because I think it’s difficult for the average person to really understand. Again, everything is software, everything is a sensor, everything is collecting data. I tell people all the time or ask people, why in the world do you need a smart coffee maker? Yeah, it’s really convenient that it can send you a text to tell you your coffee’s ready, but it’s a lot less convenient when it’s plugged into the same network you’re trying to work on. And it’s full of all kinds of security problems that are probably never going to get patched. Not to mention the potential privacy violations that are being directed against you through all these so called smart devices. I’m sure you’ve seen the stories about like the ring doorbell, it comes out recently. That the thing. Can hear your casual conversations from up to 25ft away. Where’s that data going? Who has access to it? How long does it last? I don’t know. But I guess my long winded point is I don’t think the average person really fully understands these things and I’m happy to see that in the United States, many states now have privacy legislation moving forward. I know at a federal level, nothing really seems to be able to get done on that front. Obviously in Europe they got GDPR and there’s other privacy legislation around the world. I’m hopeful that people are slowly waking up to this idea that, yeah, all these tools, these platforms that are free, this low cost hardware or free hardware they’re willing to give me, is because they want my data, right? That’s how they’re making money. I’m not the consumer, I’m the product and that people will wake up to this, but also that there will be more privacy legislation and that will help protect folks and not just you as an individual, but as a business doing business with other businesses that have your data, right? That they’ll be held to account when they’re not willing to spend money, when they’re not willing to do things they need to do to protect that data, which ultimately affects you. When they’re breached, whether it’s some type of third party breach or a direct hack or whatever. I’m the one, as a consumer, that usually pays the price of having this stuff breached. It’s not the big companies who have it breached because they get a black eye. There’s some bad will, but for the most part, at least in the US. You rarely see even companies like Experian, right, these big clearing houses of data, you rarely see any long term consequences from these major breaches. So I would like to see more of that and I wish people would take this stuff more seriously.
Meiran Galis: It’s totally right. It just reminded me the movie called I Am Legend with Will Smith, there is a scene with the car, he has a smart car, the car is driving itself, he’s resting, a show that he’s going to get to his destination safely and suddenly something hacked into the system and tries to kill him. So eventually the combination of both identification of privacy information with all the fact that today, in the 2022, more and more devices based on software can actually cause it’s council life, people can lose their life. And by doing that, all companies can steal your personal data, analyze it and learn more about everything. Your health care, your political view and sexuality and everything. So that’s becoming a great deal, a very big deal. And speaking about privacy and what’s going on with the US. What do you think about Israel when it comes for the cybersecurity space?
Dave Hatter: I see you guys as a leader in all of this stuff, right? It seems like a lot of the innovation in this space comes from Israel. And I always think of Israel as a leader in anything when it comes to technology. So that’s sort of my perspective on it.
Meiran Galis: And maybe you can give some tips for people or maybe companies at the beginning of the journey when it comes to security compliance.
Dave Hatter: So I think there’s so many things that even a small business without a lot of resources can do. Again, these frameworks are a great place to start. And some of this stuff is just basic things like make sure you have a strong unique password for every account. Make sure you turn on multi factor authentication wherever possible. Google, Microsoft, here in the United States, FBI, DHS, NSA, CISA, just about anyone that knows anything about security has said multi factor authentication is one of the simplest, most powerful things you can do to protect your accounts from account takeovers. And I mean, we still see this every day. I mean, just recently talked to a company that said $900,000 stolen through business, email compromise, attacks and account takeovers where they were able to crack in and it’s happening every day. So I go back to what I said earlier when you tell me, well, I’m small. I don’t have anything. We’re stealing your money’s worth stealing. And if I can get into your accounts, lurk around in there, figure out who you’re doing business with, I can steal your money. We see it all the time. And frankly, in all kinds of crazy, devious ways, I have first hand knowledge of a company that had $500,000 stolen out of their 401 accounts. How do you like that? You think you’re going to retire. You’ve been saving up money. You wake up one day, you check your account and all your money’s been wiped out. These are real things. And while strong, unique passwords multifactor authentication are bulletproof, it’s going to make you a much harder target. Use a password manager. Get a strong secure password manager. Makes it easy to create those strong, unique passwords. Make sure you have some kind of credible antivirus. There’s all kinds of really powerful advanced endpoint protection software out there. Now make sure you got some kind of antivirus, right? Endpoint protection. MDR, XDR. Unfortunately, one of the things that I think is very frustrating for people who aren’t in tech is all the different acronyms. The names change. People will say endpoint Protection versus Antivirus versus XDR or whatever. And it’s like, well, I’m just dumping all this jargon and acronyms on you, but making sure that you have some kind of firewall. There’s so many of these simple things. Even as a startup, you can do that will make you a much more difficult target. Use a solid cloud based platform. We’re big fans of Microsoft 365 and the Azure platform. They’ve got some very advanced security capabilities. And I would remind folks to remember the shared responsibility model of the cloud. As much as I’m a fan of leveraging these cloud based platforms, whether it’s Microsoft, Google, AWS, or whomever, they have all these tools available. Many of them are not enabled by default. It’s on you to choose to use them. It’s on you to make sure they’re configured correctly so you may still get breached even if you have all of this capability because you haven’t taken advantage of it. I haven’t configured it correctly. But for a relatively small amount of money with something like Microsoft 365, you turn on MFA, you turn on Advanced Threat Protection. You check your microsoft Secure Score, which is direct feedback from Microsoft about the security posture of your tenant and recommendations for how to improve it. That’ll go a long way, even if you’re a small company or a startup, to creating a secure environment where you can protect your business against these common threats. Now, if an advanced threat, if China decides to make you a target, all bets are off if you have some trade secrets they want to steal, if you’re a target for some reason, then you’re probably going to need to get to the next level. But for a lot of small businesses, a lot of startups, there’s so many simple things like that you can do. As far as tips for how to get into the business, I think it’s never been easier to have access to just phenomenal amount of resources online that are free or very low cost. Whether it’s Udemy, CorsairA, Infosec, there are tons and tons of tons of resources, hack the box, all kinds of capture the flag type things. And I also want to point out, not everyone has to be a Pen tester or a red teamer. There’s enormous demand for people on the blue team, right? The folks like me that are out there trying to help businesses be secure, vulnerability testing, compliance you don’t have to be a programmer to do this job. You don’t have to be a network engineer to do this kind of work. It certainly helps. I think it’s important to have a fundamental understanding of how networks work because it gives you insight into how they can be exploited. There’s all kinds of opportunity and enormous demand in this field. Even if you’re not a super technical person, somebody has to be able to explain this stuff, right? Somebody has to be able to sell this stuff. There’s always new tools, there’s always new attacks. Unfortunately, the bad guys are super creative, super devious, and in many cases will stop at nothing to steal your money or your secrets or whatever it is thereafter. But yeah, there’s just an enormous amount of free resources.
Meiran Galis: Thank you so much, David. It was a pleasure having you on our podcast and looking forward to following you on your YouTube channels. Thank you very much.
Dave Hatter: I really appreciate the opportunity. It’s always good to get the word out there and hopefully help folks realize this is the thing they should care about and that there are, as you pointed out, so many simple things you can do. Install the patches right there are a lot of simple things you can do. Doesn’t cost a lot of money in many cases, doesn’t take a lot of time or expertise, and just an enormous amount of opportunities from a career perspective in this place. I appreciate the opportunity to chat about it with you today.
Meiran Galis: We appreciate it so much. Thank you so much, David, and see you soon.
Dave Hatter: Have a great day. My pleasure. Thanks.