STEPHEN ROSE: I am so excited today to have a very good friend of mine join us to talk about security and all that is important in security. Paula, calling in from Warsaw, no less. Thank you so much for joining us today. How are you?

PAULA JANUSZKIEWICZ: Well, thank you so much for the invitation. Everything is good. And how are you doing?

STEPHEN ROSE: I'm doing great. So, I've known you for about 12 years, but even then, you were doing security. So, tell us a little bit about yourself and the work that you do and how you have gotten to this point in being one of the top security experts . . . you know, speakers in the world.

PAULA JANUSZKIEWICZ: Well, thank you for this. Yeah, we have known each other for so many years, right? But well, I've been in the industry for the past 15 years actually, and the company that I have established, called CQURE, is right now 12 years old. And also, to show how cybersecurity has grown over so many years: at the very beginning, I was the only one, and right now we've got 42 team members.

STEPHEN ROSE: That's crazy. That really shows how important it has become since the Windows 7 days and NT. Well, you were doing, like, Windows 2000 security, and then sort of moved up from that as I continued to know you and work with you over the years. So, our show today is on security, and I thought it would be great to ask you, what are the three or four questions that you consistently get that you say, "I wish I didn't have to answer these four because there are so many other great things to dig into"? So what are three or four things that every person who's looking at security should really think about or should really know?

PAULA JANUSZKIEWICZ: Oh, well. Some of them are quite generic that I'm getting.

STEPHEN ROSE: Which is fine, yeah.

PAULA JANUSZKIEWICZ: OK. So, this is the first funny one I'm getting, for example, during the pen test as well, or after the speech at the conferences and so on, and that question is simple and it sounds: How to hack Windows? [Both laughing]

STEPHEN ROSE: OK.

PAULA JANUSZKIEWICZ: That really makes me laugh because there are so many things, right, that are dependent on, like, while you were getting into the infrastructure, things can be misconfigured, and there's a platform security in Windows, which is great, so there's plenty of things that the answer isn't very short, yeah? But on the other hand I don't want to fall into the typical consultant answer, which will be, "Well, it depends." [Paula laughing]

STEPHEN ROSE: Yeah, but it is. I mean, it's not that Windows is not a secure platform on its own; it's how people configure it or misconfigure it or don't finish things. That is where those areas lie. So absolutely, I think it depends on the person, how they're looking at things. So what advice, if somebody is saying, "I want to secure Windows," what are one or two things you say are the absolute must-dos? Where does somebody kind of start?

PAULA JANUSZKIEWICZ: So when we, for example, look from the enterprise perspective, one of the top things to consider right now would be the whole platform that is related to preventing running the software, in general, the code that we don't know. So, simply speaking, whitelisting implemented through AppLocker, Device Guard, application control, and also the attack surface reduction rules, which are related to Exploit Guard, that are, for example, preventing us from running macros from the documents, while also taking into consideration phishing right now. That is a really nice thing to have because phishing has grown within the pandemic time in a massive way.

STEPHEN ROSE: Yeah. It's crazy how much it has gone up and how many "your Netflix account didn't go through" and things like that are hitting. How about MFA? How important is it for folks to put in MFA or some sort of two-factor authentication?

PAULA JANUSZKIEWICZ: Yeah, it's good that you mentioned it because not a really long time ago, I was actually doing a pen test for an oil and gas company, and there were approximately 6,000 accounts that I was supposed to test, and that was one of the first stages of the penetration test. And I started with the simplest possible thing that is out there, which is password spraying [and these guys did not have MFA], and 29 accounts out of that approximately 6,000 actually had the user name, of course, as the name within the company, but the password was "companyname2020." So, like, it's just statistics, right?

STEPHEN ROSE: Right. That's exactly it. Yeah, what is another thing that people tend to overlook? One of the interesting things is, during the pandemic, so many people rushed to move things that were on prem to the cloud to be able to support people externally. One of the things that we've continually said is, it's really important to go back now and take a look at your security because you changed a lot of things to allow people to work from any device anywhere and to be able to do it securely. Templates are really important to go back and take a look at and to put those in. To run Secure Score and things like that. What is one of the big things that you've seen, as people have rushed to roll out things in weeks that they had planned to do in months, that you found as a gap?

PAULA JANUSZKIEWICZ: Well, first of all, I think allowing private, like, personal devices to connect to the infrastructure without a clearly defined strategy for where they can connect is one of the biggest mistakes that they make. And the reason why I think so is because, well, I understand that, in a sense, because they have to provide the access, but they rushed, as you mentioned, for it. So, there was no clear action on the security side taken, for example, that is filtering the traffic that is happening from the personal device. And what I mean by this is that that device gets infected. You've got attacks, for example, like VPN pivoting, that are allowing to use the personal workstation to hop through the infrastructure's items. And then you've got the concept of something that we call "shadow IT." And in general, these are all solutions, items that are within the organizational infrastructure, that are put out of compliance. So that could significantly increase the risk of getting access somewhere, and especially because the hacker is not really directly connecting to the network. It's connecting through the workstation that is under attack. So, the hacker could be also sitting on that workstation, yes? So, there are plenty of options here. And I think that this is currently the biggest risk because we are allowing devices that we have no control over to connect to the infrastructure.

STEPHEN ROSE: Yeah. So probably one of the best things that a company can do is maybe bring in a security expert to go ahead and take a look at their networks, to see what they've done. It's certainly money well spent considering the billions and billions of dollars that companies have lost in data being lost, in names getting out as personally identifiable information. So, how do they get a hold of someone like you and set up to get a security consultation?

PAULA JANUSZKIEWICZ: Someone needs to find a security consulting company and discuss the scope. Basically, the first question would be how to secure remote work. And one of the things would be to analyze our external cybersecurity posture to verify what kind of services are in general published. So, something similar, pretty much, to the external pen test, but also defining how these devices are configured; what are the images, like you mentioned; and how people are actually connecting. So, is it also VPN with multifactor authentication? Because that is also a really nice concept here. So, that will be pretty much the first step to take.

STEPHEN ROSE: Yeah, and we're seeing a lot of split tunneling because of Teams and things like that, so it's super important. Great. Where do people go to learn more about you and your company, and how can they reach out to you if they have questions?

PAULA JANUSZKIEWICZ: Well, thank you. So, within our team, we've got, first thing, simply a website, which is CQUREAcademy.com, which is our educational part of the team. We spend 70 percent of our time on the projects and approximately 30 percent of our time performing some research, delivering trainings, presentations. And on this website, there is a huge amount of videos that we recorded and articles about cybersecurity. And that is also a really nice step to reach us because that could be through getting knowledge simply. And we are sitting behind it, yes? So, there is . . . well, my email is very simple: It's Paula@Cqure.pl, and I'm also on Twitter @PaulaCqure, also very easy. Also easy to find me on Facebook or LinkedIn. So, in the current time, especially when we have to work remotely, you have to stay connected. So, it is actually very easy to find us. [Paula laughing]

STEPHEN ROSE: Awesome. It is so great to see you. I'm sorry we weren't able to connect this year at Ignite because I'm missing you and Gregors and everybody else, but it is wonderful. I really appreciate you joining us. I know how busy you are. I know that you, because you can be virtual, can do two or even three conferences at the same time, and you are. So, thanks again for joining us. Stay well. And everybody, check out Paula's information. It's absolutely tremendous. And thank you again for being on the show today.

PAULA JANUSZKIEWICZ: Thank you so much.