April 14, 2021

Vishing, Smishing and STIR/SHAKEN w/ Mike Manrod

by Cyber Ranch

Listen Now


Show Notes

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN legislation meant to combat those two. To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who orginally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history. Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations. Allan and Mike cover the new STIR/SHAKEN legislation and related RFCs, along with the technical limitations inherent in the approach. Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community. Key Takeaways 0:24 Allan introduces Mike 1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like. 2:48 Mike explains what vishing and smishing are. 3:32 Mike explains the unethical vishing vs. truly illegal vishing and how they might target an organization vs. an individual. 7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises. 8:00 Mike says that smishing is most often used to introduce malware or harvesting user credentials. 9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack. 11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF. 11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in. 12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs. 13:43 Mike explains the FCC June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN. TDM and Cellular networks are asked to implement in good faith. 15:48 Mike says that STIR/SHAKEN is a great step in the right direction. The nature of the problem is that the 'from' value is user-controlled in telco communications. 17:29 Mike sas that an enforced heirachy of tokens will solve the problem ultimately. 18:15 Mike recommend RFC 7340 as the best definition of the problem statement for the telephony challenged end-to-end. 18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies. 19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem. 21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of bordeom. 21:58 Mike also names community as another reason he stays in infosec. Links: Learn more about Mike Manrod on LinkedIn Follow Allan Alford on LinkedIn and Twitter Learn more about Hacker Valley Studio and The Cyber Ranch Podcast Sponsored by our good friends at Axonius
Read more

Recent Episodes

February 1, 2023
by Cyber Ranch

Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory b...

January 25, 2023
by Cyber Ranch

This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...

January 18, 2023
by Cyber Ranch

This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that th...

January 11, 2023
by Cyber Ranch

This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to ta...

January 4, 2023
by Cyber Ranch

To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspec...

December 14, 2022
by Cyber Ranch

This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'?  Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventu...

December 7, 2022
by Cyber Ranch

In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk toleranc...

November 30, 2022
by Cyber Ranch

Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incr...

November 16, 2022
by Cyber Ranch

Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture.  Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the pre-c...

November 9, 2022
by Cyber Ranch

This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes: ...