Getting to Know the CISO: Greg Crabb

Listen Now.

Chris Blum: Hello, and welcome to the Security Sisters Network podcast. My name is Chris Blum. I am your host today, joined by the Founder and CMO of Security Sisters Network, Suzanne Higgs. Good morning, Suzanne.

Suzanne Higgs: Good morning.

Chris Blum: We also have Greg Crabb, Founder, and Principal Cybersecurity Consultant at 10-8 and a former CISO at the USPS. Welcome, Greg.

Greg Crabb: Great to be here, Chris. Thank you.

Chris Blum: So, tell us a little bit about your background. You’ve been in cybersecurity. You’ve done some really interesting things. Give us some background on you.

Greg Crabb: Yeah. So I started in cybersecurity in 1996. It’s been a long haul, and seen a lot of things over the years. So my journey began as a law enforcement officer. And in my career, I had the opportunity to work on some really interesting cases.

So in 1999, this little company in San Jose, California, had many fraud problems. And as a United States Postal Inspector, I investigated mail fraud. And there were a lot of people that weren’t getting merchandise that they were ordering from this website or through this website, and they weren’t getting paid for the stuff that they were selling on this website. And so I had the pick of the litter of fraud cases and fraud referrals from victimized consumers worldwide and launched a large set of investigations. And that little startup was a company called eBay.

Chris Blum: Wow.

Greg Crabb: They gave me a cubicle in their trust and safety unit. And that was just an amazing set of years of experience to see from the front line’s perspective what cybercriminals were up to. And we’ll talk more about that, I’m sure, during today’s discussion.

And then fast-forward several years, they called me into Washington, and I spent a number of years there. And then, in 2014, the Postal Service was the victim of a nation-state attack, and I was leading the investigative charge. And the day we figured out that we’d lost our employee data, that converted me from a law enforcement officer into the chief information security officer for the Postal Service. And for about six years, I served in that role, had the good occasion of being able to draw my pension two years ago, and rebranded.

And now, I get to help a lot of different companies. And I love going in and helping startups and large multinationals and everything in between, defense sector, financial services, space, improve their cybersecurity posture. And so that’s been a super amount of fun. I love advising product companies on what they need to do to target the clients I support and meet the needs of the cybersecurity industry and the professionals they seek to serve.

That’s a little bit of background about me.

Chris Blum: That’s awesome. That’s so many interesting stories we could dig into there. One that we want to talk about is, when we were chatting before the call, you were on the investigation of one of the early cybersecurity credit card investigations. And why don’t you tell us a little bit about that? I thought that was just so interesting. I’m sure our audience would love to hear it as well.

Greg Crabb: Yeah. Thanks, Chris. So, yeah. And this is why I’m so passionate about advisory boards. They are critically important to help guide your organization in making significant security and risk management decisions and thinking about these issues in product design instead of being responsive.

And this story starts in the depths of Ukraine. And I had been asked by the US Attorney’s Office in San Jose, California, to work in an Eastern European organized cybercrime ring. And I was three years into the investigation and had already recovered tens of thousands of communications from this group. It wasn’t a simple investigation, let me just tell you. And being in California, I had the good occasion of having Visa International Visa US in my neighborhood based in Foster City, California.

And one of the investigators that worked for Visa approached me and asked me, “Greg, do you know who this screen identity he uses? It’s called BOA.” And I didn’t know if the moniker was to represent a snake or if the moniker was to represent Bank of America. And I’d had intercepted many communications he had been having with another Ukrainian criminal.

And long story short, Visa wanted to know because he was selling card data from a compromise. The compromise that occurred in February of 2003 was a merchant aggregator. So in the credit card industry, you purchase your processing terminal from a merchant processor to transact business. So this merchant processor processed the transactions for all kinds of mail orders and telephone order companies on a credit card processing side. And so they had been the victim of an attack from what ultimately we figured out to be from BOA. And he stole 8.7 million credit card numbers from this merchant processor.

It was the second big mass data compromise that had been revealed of credit card information. The first was the compromise of a company called Egghead Software. They no longer exist, but-

Chris Blum: I remember that.

Greg Crabb: And so the second was Data Processing Incorporated. And fortunately, through networking and such, we could identify that law enforcement had arrested a subject in Cypress. And I got an opportunity to work closely with those Cypriot law enforcement officers and uncover the details of the compromise and the computer systems used in the attack.

And it read like a… well, literally a novel of how these suspects went about using the card information to be able to support organized crime. And the subject that was arrested for real identity was Roman Stepanenko, but he used the moniker BOA. And ultimately, I could arrest and extradite Roman Stepanenko to the United States.

And so it was a big deal.

Chris Blum: That’s amazing.

Greg Crabb: Credit card companies were victimized left and right by these mass data compromises. At the time, card data wasn’t being held encrypted in databases. And so all this clear text, mag stripe data that was available was getting basically easily targeted by Eastern European organized crime.

And in November of 2003, after I had shared important information with Visa about how this particular attack occurred… And we knew everything about him. The computer that we recovered, his computer that we recovered, just sang everything about the organization, how he did it, all that sort of stuff, how he monetized all of the data he had stolen. And so I was invited to participate in an advisory committee as a guest. I was just the speaker. And Visa organized, I think it was about 20 executive vice presidents of risk for the largest financial institutions in the world. Representation from Asia, Europe, obviously the United States, and South America all came to… It was in Arizona, Scottsdale, Arizona, at a really nice hotel.

And they had me go in and basically brief the advisory committee on what I was learning relative to the method and the tactics, techniques, and procedures of this particular group and really gave them an eye-opening look on, “Oh my, we are very exposed,” right?

And it’s so relevant to discussions today as we look at the national strategy from a cybersecurity perspective. And in that national strategy, the White House calls out the need to take a risk-based approach to your cybersecurity practice, design security into your products and services, and shift the liability currently latent in this particular process that we currently have from a technology infrastructure perspective.

And so these were the same exact issues that this risk committee, this advisory board for Visa had to contend with in 2003. They had an infrastructure that was completely exposed to their adversary. They needed to understand how to manage this risk. And it was interesting to see what developed.

In Europe, they had already started to use chip and pin on credit cards. Obviously, it was 10 years later or more before we even started to think about rolling chip and pin out in the United States. But the advisory board, really, I think one of the key things that they came around with was the need to standardize on a set of information security practices for the merchant processing community.

And we know that today as PCI. And as I reflect back and now have literally almost 20 years from those decisions that that advisory board was involved in making, I think we saw the fallacy of some of the approaches that they were taking. And I think that as we look at where we’re going into the future, we really need to build security into the architecture of our products.

And I think advisory boards are extremely important in being able to make that. And that’s why I’m so passionate about supporting what the Security Sisters are doing because that’s what it’s all about and really getting that practitioner’s view on how to solve the problems. Obviously, in the United States, PCI became a big buzzword and compliance requirement, the contractual requirement for the last 17 years or so.

Chris Blum: I think the first one that got put into place, wasn’t it?

Greg Crabb: Exactly.

Greg Crabb: And I think that there were a lot of lessons learned from that. Obviously, those compliance requirements did not stop computer hacking. It was technical controls that really helped prevent that from a design perspective.

And so those are the types of things that I think are so interesting as it relates to being able to have a group of advisors that really know what they’re doing, understanding from a practice perspective the threat, the vulnerabilities from an architecture perspective that your product has, and how to address the needs of the practitioner. And I think those are so critical in being able to really form what a leadership team needs to do, whether they’re putting a cybersecurity product out into the market or whether they are protecting their own infrastructure or the infrastructure of their industry to be able to go forward.

And so I know that the Security Sisters are really focused on putting together advisory boards for cybersecurity companies. But when you look at what’s going on in financial services and telcos and healthcare and all of these industry verticals, I think cybersecurity advisory boards are extremely important in order to be able to support those communities, because I think without the collective intelligence of security professionals to help really drive thinking in these areas of risk and secure design and implementation, I think you’re really hurting your business. And I think that’s where the future needs to go.

So again, so excited about what Suzanne and Brooke are doing to bring this type of approach to the market.

Chris Blum: Interestingly, you say all companies should have it. I’ve been reading more and more articles that are… They’re saying you need to have a cybersecurity person in your board, and you need to have those advisors around because everybody’s getting attacked by cybercriminals nation-state.

Greg Crabb: Absolutely. I think that being able to go in and talk to a board and express to them what the current state of the control infrastructure that the company has and what the threat is that they’re up against and bringing the business objectives into the equation, I think are all… That’s where we as a society need to go. We have so much critical infrastructure across the United States that is so vulnerable to nation state attackers, organized crime. Sometimes, there’s little difference between the two. And really where we need to bring the industry up in order to help them understand the threat, and implement countermeasures into the design of their products and services so that healthcare organizations can function without the fear of ransomware and all down the line.

Chris Blum: I agree. It’s crazy. This cybercriminals nation-state happened 20 years ago, and we’re still fighting it. Okay. So let’s have some fun. What is the one thing you refuse to share?

Greg Crabb: My username and password.

Chris Blum: So why do you think so few companies have advisory boards in place? It just seems like most companies don’t have… They aren’t taking advantage of this knowledge and putting together a board that can really help them with their cybersecurity stance.

Greg Crabb: So much focus is on the internal problems that the organizations face or are trying to work through that they don’t look outside. I think it’s that simple. I think that an organization gets so caught up in their day-to-day operations, whether it’s their financial performance or whether it’s their outreach to customers and to building their products, that it’s all about them and not enough about really looking out and exploring and getting those external perspectives that can really take your products and services to a completely new level.

Chris Blum: I agree. Okay. Would you rather have no cell phone access or no car access?

Greg Crabb: I love running and biking, so I can totally do without the car. That’s easy.

Chris Blum: So, what suggestions would you give vendors on building relationships with CISOs, to get started with building an advisory board? What are some of the most important things you think they should do when they’re getting started?

Greg Crabb: I think being open from a vision perspective and bringing the CISOs in and talking about the problems. So often, a company says, “Oh, I’ve got this solution.” They don’t even understand the problem. And I see a lot of vendors that pile on to the theme of the day. And I think that’s one of the things that is really bad, right?

Within the last three weeks, I’ve probably talked to 30 companies that are in the supply chain space, right? And then I can’t even talk to you about the number of people that are piling on with zero trust. And most of those companies have zero ideas what zero trust even means, but they’re using it from a salesmanship perspective in their products, right?

Greg Crabb: And so I think the most important thing is bringing in a set of advisors that are dealing with the day-to-day problems and, “Let’s talk about it. Let’s figure it made-for-TVout. Let’s get on a whiteboard. Let’s figure out what you’re doing. And I’ve got a great set of technical resources that can solve any problem. But first, we need to know what we’re solving.”

And I think that’s where a really strong relationship with an advisory board can really help with getting started from a vendor perspective.

Suzanne Higgs: Greg, I have a really important question for you next. If you were in a made for TV movie, who would you want to play you?

Greg Crabb: Suzanne, you know that’s not fair. So actually, I need you to help me source that.

Greg Crabb: I think I need a good advisory board on that one. But the most important is who’s going to play my wife?

Suzanne Higgs: Ooh, that’s good.

Greg Crabb: And actually, I know who’s going to play my wife. Jennifer Lopez, I think, would be the best to play my wife.

Suzanne Higgs: I love it. That’s perfect.

Chris Blum: That’s awesome. Okay, last question. With CISOs, under new regulations and constant cybersecurity legislation changes, do you feel the value of the CISO role has changed? And if so, how?

Greg Crabb: That is a really interesting question, Chris, because I get the great opportunity to be in a variety of different companies. And that’s one of the things that I’ve loved about the cybersecurity advisory work that I’ve been doing, whether it’s financial services or defense or space or what have you.

And some companies are running. Some companies don’t want anything to do with it, and they’re attempting to outsource as much as they can because they don’t understand it. They don’t want to accept the risk, they just want to avoid it.

And I think it’s a trend. When I talk to some of my colleagues out there, I’m very concerned about that disturbing trend. Obviously, the regulations are coming, and it’s a necessity. When you look at the top issues that boards were dealing with five years ago, cyber was at the top of the list.

 When you look at what the top issue boards deal with today, cyber is at the top of the list. How have we not made progress in the last five years as a society, and as a set of corporate leaders across the country on those issues?

It’s because they’ve been avoiding them. They’ve been avoiding them from a responsibility perspective. They’ve been avoiding them because they don’t understand them. And I think the regulations are necessary. But in the same regard, I’m concerned that companies will attempt to find their ways around… Certain companies will find, mass data compromises victimized credit card companies left and right.

Chris Blum: Suzanne, you have the last question.

Suzanne Higgs: Who is your favorite Security Sister?

Greg Crabb: You’re putting me in an awkward position.

Suzanne Higgs: No. It’s really not a question that… I just meant to get a giggle out of you, but you’re really thinking about it.

Greg Crabb: Oh my God. Brooke is amazing.

Suzanne Higgs: Thanks, Greg.

Greg Crabb: I’m only joking. Suzanne.

Chris Blum: The dynamic duo is what I like to call them.

Suzanne Higgs: Oh, I love it.

Greg Crabb: Indeed.

Chris Blum: Well, thank you so much, Greg. We learned a lot today from you. I’m sure we could go on for hours, but we’re trying to keep this to 30 minutes. So thank you so much for your time today.