Cybersecurity expert Jason Dion weighs in on latest cyberattacks

AKYLADE QUOTABLES: Cybersecurity expert and educator Jason Dion, the founder and chief product officer of AKYLADE, talks about the latest cyber attacks to hit companies across the globe, including the recent hit to Aflac.

June 27, 2025

AKYLADE Founder and Chief Product Officer Jason Dion, a cybersecurity and AI specialist and educator with more than 2.5 million students worldwide, shares his insights on the latest cyberattacks that hit Aflac and other organizations in the past month.

Dion, an officer in the U.S. Navy from 2007-22, has served as Global Lead for Cyber Defense at U.S. Cyber Command (2018-20), Theater Network Operations and Security Center Director (2020-22) for the U.S. Navy, and as Director of Information Assurance Operations at the National Security Agency from 2013-16. The face of Dion Training, a global leader in cybersecurity certification training, he founded AKYLADE Inc. (https://www.akylade.com/) in 2024 to provide affordable, practical certifications designed by fellow cybersecurity experts that showcase the skills that hiring managers actually want.

The interview is also available on YouTube. The following is a transcript of that interview.

Aflac is the latest company to experience a cyberattack that potentially compromised sensitive customer and employee data. Was this truly a cyberattack, or just someone being “let in” to the system?

So when you look at the different articles out there, especially like the one we had this week with Aflac getting hacked, the hack wasn't really a technical hack, necessarily. They didn't go in through some kind of zero day vulnerability or break in through the firewall or anything crazy like that. Instead, they used social engineering and, essentially, a phishing campaign. They tricked a user who was an authorized user in the company to click on a link in an email when they were pretending to be tech support. And when you open up a link inside of an email, you are basically opening a hole in the firewall, saying you can come in because we assume that that is traffic that you are authorizing.

Just like if you're going to go to Facebook or Gmail, when you go to www.facebook.com, it's going to open a port in the firewall, let you go out, get the information you want and bring it back to you. So, to keep bad guys out, we use things like firewalls and web application firewalls and unified threat management systems and all these different high tech tools.

But at the end of the day, if your users who are authorizing your network click a link, they're essentially unlocking the door and letting the bad person in. So you have to know what you're clicking on and who is sending it to you. 

The interesting thing is when you look at things like social engineering and phishing campaigns, they are super highly effective. I worked as a penetration tester for a couple of decades and I will tell you that nine out of 10 times the way we're going to get in is through social engineering. Could we get in through a technical hack? Yeah, but honestly, it's a lot more time consuming, it's a lot more difficult, it's a lot more expensive. Because if I'm going to get a zero-day vulnerability for an iOS iPhone device, that can be a million dollars on the black market, but a phishing attempt is me just sending you an email and hoping you're going to click the link because I pretended to be from PayPal or LinkedIn or Bank of America or something else that I assume you're using, because those are big services that most people use and I can trick you to click on that link.

Talk about the term “phishing,” and what the best way is to describe it.

When we talk about things like phishing or social engineering campaigns, there are several different ones we can have. Phishing is a general, all-encompassing term. And then we have different types of phishing underneath it. So when we talk about phishing, this is not F-I-S-H, it's P-H-I-S-H. And really what this is, is a way for us to trick a user.

And the reason why they call it phishing is because we're basically trying to bait them with something and get them to bite on the hook just like you would with a fish. And so when we do phishing, generally that's going to be through email. 

We talk about a generic phishing campaign, that's where I'm going to send out an email to hundreds of thousands or millions of users. So I might get a bunch of email addresses I found on the dark web or just scraping the Internet and finding these email addresses, and then I'm going to send out a message to them saying, oh, hey, your PayPal account, the password needs to get reset, or your LinkedIn account, you need to log in and accept this invite, or something like that. Where the chances are that you probably have a PayPal account, the chances are you probably have a LinkedIn account.

I'm not going to say Jason Savings and Loan Bank, because how many people actually have an account there? Like, oh, I don't have an account there, I'm not going to open this email. But if I do Bank of America, it's one of the four largest banks in America. You know, about 25, 30 percent of the population has a Bank of America account. I personally don't, so if you send me that, it's not going to work on me.

But a lot of people listening to this probably have a Bank of America account. Same thing with Chase or Citibank or any of the others, because we have such a consolidation that's happened. And so generally when we see these phishing campaigns, they're around a big, well-known brand, something like LinkedIn, Facebook, Amazon, all those are very common. Walmart even. And they're trying to get people to believe the email came from those companies, but they didn't. They just look like they came from that company. 

And so when you click that link, it's gonna do whatever it is that they're trying to do, whether it's access your computer, install some software, steal some information, get you to go to their website to enter your password as if you're logging in even though it's their site, not Amazon's site, and then take over your account that way.

There are many ways to go “phishing.” Can you elaborate on those?

When we talk about phishing, there are many different types of phishing. There's the generic phishing where you're casting a really broad, big net, and that's when you're doing something like LinkedIn or Amazon or Walmart or something like that. But there's also another type which is called spear phishing, which is actually even more effective. We call it spear phishing because if you think about the way you spearfish, you're basically taking a pole with a spear on it and you're trying to stab a fish there. It's a one-to-one type of an attack, or maybe one to a couple, as opposed to when you have a net and you're fishing, you're trying to gather hundreds of fish at once. So with spear phishing, we may have something where there may have been a breach of a small credit union, for example.

Well, if there was a data breach of that credit union and we were able to steal as a hacker those email addresses and names of the people who are at that credit union, well, now I can set up emails that sound very targeted because I'm only sending it to those customers who had an account with that bank. And so it's even more effective because now if I'm getting an email from Jason Savings and Loan and I'm a customer of Jason Savings and Loan, well, in that case I'm going to fall for it more often than if you sent me something from Bank of America where I'm not a customer.

The third type we have is what's known as whaling. And the reason we call it whaling is just like the casinos in Vegas, they always go after the whales, the big players. That's what we're doing with whaling. It's a phishing campaign targeting usually executives, high net worth individuals or leaders of companies. And so in this case, we're not going for millions of people, we're not going for hundreds of people. We're going down to like one or two people. We know exactly who we're trying to go after.

You have mentioned before that chief technology officers or IT teams should not necessarily be blamed when cyberattacks occur. Please elaborate on why it’s not the responsibility of a cybersecurity team to stop things like this.

When we look at an event like this, it really isn't the fault of the technology team, the CSO or the CTO, or even the IT and cybersecurity folks. They've done what they're supposed to do. They've patched the systems, they've configured the systems, they've set up the firewalls. In this case, though, because it's social engineering, the fault of this attack is whoever ended up falling for this attack. And so the best way to solve this is not a technical solution. It's training and education of your employees. 

The way we always look at cybersecurity is it's not just the cybersecurity team's job, it's the entire organization's job. Because I can do the best I can in doing all the technical security. But if you still go ahead and click on that link, it's still going to let the bad guy in. And so, you know, if I think about my office building, at the end of the day, I'm going to go and lock all the doors and turn on the alarm system so nobody can break in, and I can do all of that. But if one of the people comes in later to take out the trash and they forgot to lock the front door, well, all that technology doesn't do us any good because the door is still unlocked. And that's essentially what's happening with these phishing and spear phishing, whaling attacks and other social engineering methods. We're hacking the person, we're not hacking the system.

And then we happen to get in, and now we've got access to actually hack the system at that point, too. And that's why it's such an effective way of doing things, by doing these types of social engineering campaigns. So it's one of those things that you can't just blame the technology staff when these things happen, you have to look at what is the root cause. 

Sometimes it is the technology staff. If you go back to the Equifax breach, back in 2017, which was one of the largest data privacy disasters we've had in America, and you look at what caused that, it was the fact that they did not update their software. It was a technical attack. It wasn't spear phishing, it wasn't whaling. It wasn't any kind of social engineering attack. It literally was a vulnerability in the software that was known about for months that they didn't bother to patch. That you can totally blame on the technology staff and the CTO; in that case, they lost their jobs over it. But in this case (Aflac), you're talking about social engineering. It's the fault of the end user.

And if you're in a large company, you may have tens of thousands of end users. How do you teach them all what they need to know to protect themselves, both at work and at home? Because the same principles apply on your home computers as your work computers. 

So what should AFLAC do? What should any company do on a consistent basis to do their best to ensure that their data is safe, and that employees are diligent in ensuring that goal?

When it comes to an issue like this, the company has to stop and take a look and say, what can we do to prevent this next time? Right. And this isn't just that company. It's pretty much any company. The number one thing you need to be doing is training your staff on what we call good cyber hygiene practices. This includes things like understanding what is a phishing email, how to spot it, and how to avoid clicking on links in it.

This involves making sure that they're patching their systems, especially if it's a home device. Are they updating the software and their antivirus? Because most of us are working in a hybrid or remote environment these days, where we may be working in the office, but then we go home and check our email from our home computer. Well, if you have vulnerabilities on your home computer, those can be attacked as well. And so you now become the weak link. So we want to make sure you know how to take care of your own computer. We want to make sure you're doing good password management. Are you using a different password for every single site? Are you using long, strong passwords that are 15 or 20 characters long with uppercase and lowercase and special characters? Are you using passkeys if those are available? Are you using multi-factor authentication if that is available?

All these are things we want to train our users on. And this is kind of the biggest thing that's difficult when you're dealing with a lot of companies: they're like, well, we don't want to spend the hour or two it's going to take per year to train our folks. But it's like, you know what, that two hours of them in class is going to be way more valuable to you than having to clean up a mess.

In fact, numerous studies have been done over the last 15 and 20 years and every single time they've shown that the number one thing that you can get the best return on investment in your cybersecurity program is training your end users. And when I talk about your end users, I'm not talking about your system administrators, and I'm not talking about your IT staff. I'm talking about the secretaries, the janitors, the worker bees, the account executives, the salespeople. All those folks are the ones who need this training because they need to understand what can they do and what should they be doing to protect themselves and protect the organization. Because it costs a lot more money to clean up the damage than it does to train somebody up front. 

Now what does this training look like? Generally, I see it done in two ways. One is they'll do it as an online training, whether that's video or slides with some quizzes. And the good thing about that is it's relatively inexpensive. You still get the information out there and people can do it on their own time as they need to, especially as you're hiring new people. The other thing we've done is annual cybersecurity training in a live environment. In a previous organization I was in, we had a three day event where every day we had three hours each of those three days, three one-hour blocks. And we would bring in a couple hundred people at a time and teach them this material. And that's because we had about 15,000 people to teach. So we had big rooms of, you know, a thousand people at a time, three times a day, trying to get through everybody.

It's much harder to do that because you've got to get everybody physically in a place, but it is more effective because they're actually paying attention to you. I find a lot of times with online training people are off doing something else, especially if it's like an online Zoom. They're just, you know, playing and doing their email instead of paying attention to the stuff. So, you know, it's one of those things where you're going to get out of it what you put into it. And if you're getting cybersecurity insurance, a lot of companies will require you to do this annual training every year for all of your staff to maintain that policy.

Last question. If you are Aflac, do you need to worry that somebody broke in at all? Or do they just throw their hands up, knowing that there is nothing they can do about it now except move on and make sure it never happens again?

Well, if you're a company that's been affected by these types of things like Aflac, where somebody broke in and in this case they used social engineering, yeah, you need to be worried, and you need to be worried for a couple of reasons. One is, now that the person has gotten into your system, what else did they do when they were there? Yes, the way they broke in was not the technical folks' fault. It was some end user who clicked on a link and let somebody in. But now that they're in your system, they can install backdoors, they can install rootkits, they can install persistent devices so they can now get in.

One of the things I've learned over the years is you can never prove a negative. And what I mean by that is I can prove the bad person is in my system, I can't prove they're not in my system. And so the fact that somebody was in their system and downloaded some of this personal data means they could still be in the system, they could still have gotten their hooks in other places. And now it's a very drawn out and expensive process to go through every single system and every single database and make sure everything's properly configured and nobody got in and that they only got to this database and not that database and all that kind of stuff. And that's going to take a lot of time and energy. That's why doing this preparation up front and keeping them out is the most important thing.

That being said, what are some things they can do? One is, to prevent the same thing from reoccurring, they need to do social engineering training and good cyber hygiene training for all of their users. Second, they're going to need to go in and forensically look at what did those people touch when they got into those systems, what type of data did they steal, what type of systems did they touch?

And for any of those systems that they touched, we need to now verify that nobody is there or literally restore those systems from a known good backup and then bring it back up to speed of where we are. So there's a lot of different techniques we use in incident response, but, yeah, there's a lot of work to be done once there's a breach, to make sure they are out and that there's nobody there anymore.
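The interview above describes the red flags of a phishing email in words: a sender pretending to be a well-known brand from a domain that is not that brand's, a Reply-To that goes somewhere else, and a link whose visible text names one site while the href points to another. The script below is an added example, written by the editor and not part of the interview or of AKYLADE's material, that turns those three heuristics into code a mail filter or an analyst could run over a raw message. The brand-to-domain table and both sample emails are constructed for the example; a real deployment would maintain its own brand list and use a proper public-suffix library instead of the crude "last two labels" domain check used here.

```python
"""Phishing indicator checks over a raw RFC 822 email (added example, not from the interview)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Assumed table of impersonated brands and the domains they legitimately send from.
# Constructed for this example only; keep your own list in production.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "linkedin": {"linkedin.com"},
    "bankofamerica": {"bankofamerica.com"},
    "amazon": {"amazon.com"},
}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com-style hosts; use publicsuffix2 for real data."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def brand_mismatch(domain: str, text: str) -> Optional[str]:
    """Return the brand name if `text` names a known brand but `domain` is not one of its domains."""
    letters_only = re.sub(r"[^a-z]", "", text.lower())  # "paypa1-secure" still contains "paypal"? no; "PayPal Support" does
    for brand, legit in BRAND_DOMAINS.items():
        if brand in letters_only and registrable_domain(domain) not in legit:
            return brand
    return None


def analyze_email(raw: str) -> List[str]:
    """Return human-readable phishing indicators found in the raw message (empty list = nothing flagged)."""
    msg = message_from_string(raw)
    findings: List[str] = []

    # 1. Sender claims a brand, but the sending domain is not that brand's.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    brand = brand_mismatch(from_domain, display + " " + addr)
    if brand:
        findings.append(f"from: claims {brand} but sender domain is {from_domain}")

    # 2. Replies are routed to a different registrable domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable_domain(reply.rpartition("@")[2]) != registrable_domain(from_domain):
        findings.append(f"reply-to: {reply} differs from sender domain {from_domain}")

    # 3. Links: visible text shows one site, href goes to another; or a brand name in a non-brand host.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    for href, inner in HREF_RE.findall(body):
        text = TAG_RE.sub("", inner).strip()
        href_host = host_of(href)
        looks_like_url = "." in text and " " not in text
        text_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link: text shows {text_host} but href goes to {href_host}")
            continue
        brand = brand_mismatch(href_host, href_host + " " + text)
        if brand:
            findings.append(f"link: mentions {brand} but points at {href_host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_EMAIL = """\
From: "PayPal Support" <service@paypa1-secure.example>
Reply-To: helpdesk@mail-relay.example
To: user@corp.example
Subject: Action required: reset your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your PayPal account has been limited.</p>
<p><a href="http://login.paypal.com.account-verify.example/reset">https://www.paypal.com/reset</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help Center</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Jane Doe" <jane@corp.example>
To: user@corp.example
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Meet at noon? https://corp.example/menu
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze_email(raw) or ["no indicators"])
```

The first sample trips all three checks (brand name from an unrelated sending domain, a foreign Reply-To, and an anchor whose text reads paypal.com while the href lands on account-verify.example); the legitimate PayPal help link in the same message is not flagged because its registrable domain is in the brand table. The second sample produces no findings. None of these heuristics is proof on its own, which is exactly why the interview keeps coming back to user training: the tooling narrows the field, the human still has to decide whether to click.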

ABOUT AKYLADE:

Founded by world-renowned cybersecurity and AI specialist & educator Jason Dion, AKYLADE empowers the next generation of IT and cybersecurity professionals by validating real-world skills through practical, experience-driven certification exams. Built by industry experts with decades of hiring and operational leadership experience, our certifications are designed to meet the demands of today's workforce -- not just the classroom. Whether you're launching your career or advancing to the next level, AKYLADE certifications help bridge the gap between learning and doing -- giving you the credibility and confidence to succeed. 

AKYLADE: Founded by veterans and educators. Industry-recognized. Developed by Subject Matter Experts. And ISO 17024 compliant.

For more information, visit akylade.com or call 866-AKYLADE.
