I am Theresa Payton, cybersecurity expert, former White House CIO and Head of Intelligence on CBS’ “Hunted.” Ask Me Anything!
Hello everyone -- What an honor to spend my Friday with you today. This was truly a Happy Hour for me! Thank you for taking the time to speak with me today. I had a great time answering your questions, and I love your interest in the cybersecurity industry. I have to get back to work because as you know, cybercrime never sleeps, but I look forward to speaking with you again soon! Have a safe, secure, and awesome weekend!
(my intro: I’m Theresa Payton. I served as the first female Chief Information Officer at the White House, overseeing IT operations for President George W. Bush and the 3,000 members of the Executive Office of the President. I’m also the CEO of Fortalice Solutions, an industry-leading security consulting company, and co-founder of cybersecurity product, Dark Cubed (we have a super cool team). Most recently, I served as the Head of Intelligence on CBS’ new hit show, "Hunted." Ask Me Anything!)
- Link: www.fortalicesolutions.com
- Facebook: www.facebook.com/FortaliceSolutions
- Twitter: www.twitter.com/FortaliceLLC
- LinkedIn: www.linkedin.com/company/fortalice-llc-
- Instagram: www.instagram.com/fortalicesolutions
Additional proof: https://twitter.com/TrackerPayton/status/840220796664582145
YES! I have a campatch card on every webcam. It doesn't stop the spying on the audio side but it stops the visual spying
what other things can a person with little to no tech knowledge do to protect their privacy and information?
(1) digital devices should stay out of private spaces; (2) keep the operating systems, browsers, and other software as up to date as you can b/c updates often include new security/privacy patches
can you elaborate on #1 or point me in the right direction for a more detailed explanation?
sure. smart phones and devices with webcams should either have their cameras covered or be placed device / camera side down when in your bedroom or closet. I know a lot of people use them for alarm clocks or charge these devices at night in their rooms. You get 2 bonuses here: (1) they can't spy on you via the camera and (2) you avoid suffering from "junk sleep" which is the slight interruption of sleep that happens when device screens / chargers/ etc. glow or blink in the dark while you sleep
Is there a percentage of the time that people may be spying on you through your webcam? Is it completely random if they're likely to spy on you versus someone else?
It depends. If you are interesting they would probably spy on you a lot. If you have a cover on your camera they may go away. It's hard to understand the digital creeps that do this stuff. We worked a case where a male college student left his devices around in girls' dorm rooms and then would spy on them while they slept, studied, got dressed. When pressed by the college, he didn't have a good reason for it...but then again there's not one.
so it doesn't give any real security if your mic volume is muted or down to the lowest setting? I did not realise this....
sadly no, you just muffled them. You can elect to turn off your mic and camera in your privacy settings.
Any tips for an "average" person who might not know much about cybersecurity?
this is a great question! and you are not "average" - you are great for asking a question! yes, (1) have more than 1 email address and separate your social media accounts on 1 email address vs. your online banking / confidential transactions (2) consider using 2 factor auth for ALL accounts (that's usually a code texted to your smart phone) (3) get a google voice # and use that online vs. your real cell phone number (4) consider using encrypted apps such as threema or signal (5) and NEVER click on links even from people you know without checking them out first on a tool like virus total (free)
Any advice on how we should be responding to the released documents by WikiLeaks pertaining to Vault7? I expect vendors will continue to release updates to their products in response to the leak, what can we do in the meantime?
Wikileaks announced they plan to share the code with the vendors. I highly recommend you be on high alert for scams and emails that act like they have the solution. Only download updates from the legit company sites for your Smart TV, Smart Phones, IoT devices, etc.
How did Hunted work without law enforcement or government help? Did you hack into stoplight cameras?
Tks for that question. I wasn't involved in the production side but I know they created a notional environment that had the powers of the state. In Command we ran it as an investigation and submitted subpoena requests, requests for investigation, etc. as if it were a real world case. And just because we requested it, doesn't mean it was approved. We had lawyers and judges that approved or denied our requests just as in the real world! Cool and smooth move on production's part!
If a packet hits a pocket on a socket on a port,
and the bus is interrupted as a very last resort,
and the address of the memory makes your floppy disk abort,
does the socket packet pocket have an error to report?
On a more serious note, recently James Comey has said "There is no such thing as absolute privacy in America". With that in mind, are there any software suites that you could recommend to help better preserve our privacy online? Maybe MIT's upcoming Riffle network?
Great poetry. I had to talk to my kids the other day about floppy disks and what they were. Oy! I did read what James Comey said and I respect his service and opinion very much but respectfully disagree. Democracy dies when the citizens believe they cannot say a cross word or voice an opinion of disagreement. Privacy can be preserved, we just have to be more diligent about it. Starting with a few simple things like browsing online and using tools such as the EFF's Privacy Badger and Ghostery can be quite helpful. Using comms tools such as Signal, Threema or email platform of Proton mail can also be useful.
and "Listen. Strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony."
What are your thoughts on Trump's claim that Obama wiretapped Trump?
I candidly don't know what to think on that one. Maybe he was trying to find out who was getting the job of running the show the Apprentice?
How secure are products like Amazon Echo and Google Home? Do you use them in your own home?
Great question. Just know that all new tech is completely hackable. Sorry to be a downer on that. I love Google home. Advice: (1) create a separate wifi access point for your smart devices so it's separate from the wifi that you use for confidential trans; (2) choose wisely how much you integrate the echo or home devices into your home.
This is part of the reason I've been so hesitant to get a Google Home. But then again, I know I have a phone, computer and everything else that's hackable too..
It's okay to start slow when you integrate these devices. Maybe start off with a Google Home and give it its own Wifi segment on your home network. Consider just linking your calendar to it and using it to help you manage your day, the traffic, the weather, etc until you get comfortable with the next place in your house you would like more integration and automation. Although everything is hackable the security teams at Amazon and Google are really smart and work very hard to keep things secure.
On a personal level, what are a few of your favorite films?
Thanks for asking! The Princess Bride is an all time favorite of mine but it's hard to compete with Monty Python's Holy Grail.
Who can resist: Your Mother was a Hamster, and your Father smelt of Elderberries!
Hi, thanks for doing this AMA!
What are the best certifications to have in infosec? In coding you can prove your skills with the quality of your code without the need for certifications.
Is there something similar to this in infosec? Like finding vulnerabilities and relevant bugs.
OSCP is a favorite. Try online classes at coursera too to find your favs.
Do you feel like the Hunted show suffered because of the endgame for the final two pairs? Watching it, we felt as though the last two pairs were dealt a crappy hand. They manage to last 28 days, and then the "endgame" was 1) tell the hunters where they are, twice. 2) Make them move on foot to an extraction when the hunters knew their locations, exit methods, and had vehicles.
My wife and I were a little disappointed. Either pair could have been caught simply by happenstance of a hunter team being close to an extraction location. All the other tracking methodologies were cool, but saying: They are at this bank, and they are leaving by air really makes it easy to find them. Like, ridiculously easy.
Thank you for watching Hunted! I love our Hunted fans and appreciate you so much. The fast paced editing of the finale was awesome wasn't it? What I think was hard to relay is we had reduced the number of ground hunters we had in the field and we still had 100,000 square miles to cover. Yes, they did have to go to a bank to get their $ but we had no idea what town they would be in, we had to make calculated guesses. AFTER they made the transaction & left the bank is when we got an alert with an address and had to track that down. Soooo....if our cars were not close by, they were in the wind before we could get to the branch.
What are your thoughts on traditional/legacy antivirus solutions, and the new trend of 'next-gen' endpoint solutions?
Great question on anti virus solutions. Since every 90 seconds a new deviant of malware is released in the wild, these solutions have a hard time keeping up. It's like Lucy and Ethel in the chocolate factory when the conveyor belt sped up. They are important tools but they sometimes give users a false sense of security.
Was that helpful?
What is the craziest IT situation you have experienced?
Complete server failure when trying to do a demo for the executives of my company to convince them to spend money on it. Talk about sweating bullets...I began to do drawings on note pads and telling stories about what the system could do. Oy. Horrible.
So... what's the conclusion of the demo? Were they empathetic?
they gave me the money to do the full system...the next time I did a demo it worked. Phew!
Are there any signs that can help discovering someone that hacked your computer/phone? If there are have you noticed some of them sometime in your life?
Couple of telltale signs: (1) device reboots for no apparent reason; (2) slowness of device (3) files on the device seem out of order (4) check your sent files to make sure you really sent them all (5) when in doubt, I'm a fan of backing up data and doing a factory reset (6) microsoft, apple, and sophos all have free malware removal tools on their websites as well that may be of help
You asked if I had noticed a hacking sometime in my life, yes I have seen it. I also always assume someone or some message could be hacking me. But it's only paranoia if you're wrong, right?
How on earth did the English family evade y'all for 28 days? They did nothing and got like 5 minutes of airtime on Hunted.
Well, for starters the English family didn't go to taco bell!
People have given up a lot of privacy in the digital world. We like things to be convenient, so we voluntarily give up a lot of private info. Do you see this trend continuing? or do you think people are becoming more savvy about privacy?
What I love about the privacy discussion is we are FINALLY having one. I don't believe people really understand up until recently that every finger swipe, mouse click, ATM visit, etc. was being memorialized, correlated, and categorized for future use. On the surface, this data is collected to be "helpful" but that data in the wrong hands is actually not helpful at all. It was my hope with a show like Hunted that people would be entertained, engaged and a little enraged about their privacy. I do think privacy is a personal decision though. A famous chef may need to be wide open on social media to further their brand/career while a young teen needs more privacy and protection. So hopefully I can share info that will help you make good decisions that are right for you!
Is Charles Debarber as savvy in person?
Charles is an American Hero, loyal, hard working, and yes, very savvy!
I think this is Charles' hat closet https://c1.staticflickr.com/6/5485/11559628135_002ffd2f76_b.jpg
I believe that. But, what's the budget for his hats look like? Inquiring minds want to know.
Charles told me his hat budget is classified (I'm assuming he doesn't want the missus to know)
Hmmm...I will ask him, he supplies his own but I have talked about buying him a team hat!
What does your company Fortalice do? Do Charles, Landon, and Myke really work there?
Yes, Charles and Landon work for Fortalice. Myke is a great friend and sci fi author and works in cyber/intel for a large police unit (have to keep him covered) but we'd love to have him on team Fortalice one day. We protect Nations, Business, and People. We're hiring! Want to join us? :-)
With a high interest in this type of security and no professional experience, are you willing to train eager individuals?
We highly recommend classes and internships. We have an amazing intern, Steven, he rocks
How did the team feel when the #lostwolves flew Beth into the Hunted game zone?
As someone who was at the absolute pinnacle of the IT industry, does your family ever stop asking you to fix their routers?
I get asked for tech and security support all the time. Even at cocktail parties. It makes me wonder if Doctors get asked for free medical advice like this too?
Would you rather fight one horse-sized duck, or 100 duck-sized horses?
Both and I would win.
“... a mind needs books as a sword needs a whetstone, if it is to keep its edge.”
What do you recommend for all of the parents out there that are considering getting their middle schoolers or high schoolers a smart phone? How can parents protect their kids?
I would also talk to your kids about "stranger danger". When I asked middle schoolers if they would accept a friend invite from a stranger, they said no. Good answer! Not so fast... My 2nd question was, "Would you accept a friend request of someone connected to your best friend even if you don't know that person?" and 90% of the kids said THEY DO THAT ALL THE TIME. Yikes parents!
Additional advice, only you know if your child is READY for social media. Most platforms ask them to be a minimum age of 14. Be where your kids are on those platforms, including games. Just like you teach them to drive responsibly, teach them to be a digital citizen.
Landon from Hunted and who works for Fortalice recommends a flip phone instead of smart phone.
If you could choose between the power of realistic flight (You have wings and they get tired/speed is limited by strength) or the power to become a cat (for 12-hour long durations at a time), which would you choose and why?
May I choose both?
You have to choose between them!
I would go for flight. There is something about having a broader perspective on problems and issues that I would love to have so I could protect more people. Plus, I am a thrill seeker so that'd satisfy my need for speed / aerial acrobatics.
How you doing?
I'm great and have a great time chatting on Reddit. How are you? How's your Friday going so far?
What's your security at home like? Do you have a router with built in VPN and a Faraday cage for your smartphones when you go to sleep? Just wondering how intensely an expert practices what they preach.
I'm off the grid at home...mostly.
With your so called fame, are you afraid you may be Hunted and doxxed . . also are you part of the Cicada 3301 team?
I cannot confirm or deny who actually belongs to the Cicada 3301 team. Being Hunted and doxxed should be a concern to everyone. Hopefully some of the tips I shared today will help allay fears and concerns and keep everyone a little safer.
What are your thoughts on the fight against Cyber criminals? How do you think the world will look in that regard in 10-15 years?
I had a person say to me once, "if you and people that do security like you were doing your job, you should have worked yourself out of a job by now"...which is interesting and I asked him if he says that to fire depts and police units (with a smile of course) but candidly, I'm glad he said that to me because it got me thinking. First off, I cannot name 1 security problem that I or my colleagues in security have 100% eliminated for you. That's horrible! Here's why we haven't worked ourselves out of a job, the technology evolves and changes and with that so do consumer behaviors and with that so do the cybercriminal behaviors. My job in cybersecurity this year is very different than just a year ago. We build a wall to stop cybercriminals and then they find a way around it. The security profession, and I hold myself accountable here, has to change how we protect and defend you. It starts with me. So what does next 10-15 years look like? (1) we stop holding YOU as the consumer accountable for security and we do it for you (2) we think differently about the cybercriminals' motives and tactics and shut them down (3) we develop international accords so when cybercriminals attack and we figure out who they are, we can put them through a legal process and perhaps jail
Do you still do any coding? What do you like most about your current work?
Great question. I'll be a student of my profession for life. I took an online python class last year via coursera. It was very helpful. I don't get the chance to do as much coding as I used to but I attempt to stay current. What I like most about my current work is working with really smart & passionate people to help our clients. When we help a company stop a breach or recover from one - the good guys win a little that day. When we help a person that's a victim of revenge porn and feels they have no hope of getting their privacy and their life back get those images offline...the good guys won a little that day. We're the Avengers righting the wrongs that happen via the internet...trying to make the internet a little safer so everyone can work, play, have fun on the internet.
That is very admirable. It definitely feels like a hopeless fight at times.
I don't want you to feel hopeless! Just know there are security professionals out there determined to watch your back!
What makes/models of devices do you use personally?
Ah! Before I talk about what I use, just a comment that the big companies leap frog each other from time to time on privacy and security so some of this comes down to personal preferences. We run the company & my house mostly on Apples. We do have other operating systems in use at work and home but our day to day go to devices are mostly Mac, iPhone, iPad...
What would be your number one advice to give to someone wanting to get into cybersecurity?
Take online classes and intern! Best way to get rolling. Our intern Steven says he's happy to hire some unpaid interns and coach and mentor them.
If you weren't certain that the news you were seeing was the news that other people were seeing, where, in a city, could you go to see what "generic" news was on tap for the day?
I subscribe to various global newspapers which helps me get news on the USA from the outside point of view. It's eye opening to see what the overseas news reports on the USA vs. what our home news reports.
I am currently studying cyber engineering, and am really interested in the law enforcement aspect of cybersecurity. What course of action would you recommend I take to get there?
Join your local FBI InfraGard. Great way to hear the legal side of the cybersecurity issues. It's free but you do have to pass a background check so if there's something shady in your past...well, you know.
What's your advice to enterprise executives wrt security. What should they be thinking about that they don't already know?
What do you think about the intersection between security and AI / Machine Learning?
Router security for executives vs. the geeks that configure and monitor them...executives should know that (1) going cheap on the devices is not always a good move b/c there are counterfeit devices and the bonus you get is a backdoor phoning home to the real owner; (2) think about the data that you are trying to protect at the enterprise and name the most critical data elements you must protect and consider designing the WRT around those data elements perhaps even segmenting traffic so those elements are accessed/routed alone; (3) big fan of segmentation because it makes it easier to watch for anomalies; (4) have a governance board that develops the "gold standards" and approves few if any deviations from the gold standard.
Big fan of looking for design opportunities for AI/ Machine learning to guide security analysts in their day job. In some cases I believe the more mundane elements of cybersecurity can be handled by AI/Machine learning but we will always need smart people to tweak that tech as well as to be thinking one step ahead of the adversary and how to hide / squirrel away the data when the eventual data breach occurs.
for a sample of squirreling away something important -- https://www.youtube.com/watch?v=4yikpWtIFU8
What top certs do you feel garner the most respect in your field?
I am a fan of hard work in the field but if you want to add some certs, I like the OSCP ($$ and not for the faint of heart).
Do you think you are a better manager or a better technical expert?
More of a problem solver and whatever is required to solve the problem.
How much time does your job involve. Do you get a lot of free time? Also is the pay decent (sorry if that sounds a bit weird but I am thinking of getting a job in cybersecurity and I just wondered how good the money is)
Cybercrime never sleeps so neither do we. We tend to be on call a lot. It's an incredibly rewarding field - it's noble work protecting people from behind a keyboard. The pay is good and we're not running out of things to do. I don't have a lot of free time but when I do, I like to go running or hiking.
Is there any way we can get President Obama back in the White House?
Sorry, I don't have a good answer for you, but Doc Brown is doing an AMA in a couple weeks, you should ask him! Seriously though, I believe the current POTUS would be wise to seek the advice and counsel of President Obama, President Clinton, President Bush 41 & 43, and President Carter. They are all in the same club after all.
I believe President Obama seems to be enjoying his time out of office - he even got some new jeans!
And a new leather jacket
Oh I missed the new leather jacket...send a link!
Do you cover the webcam on your laptop PC?