Risk management and maintaining a strong security-minded culture at your small business
In this episode, Paul Holmes and fellow Smart Dolphins employee Ty Hedden introduce listeners to Aaron Kraus, an information systems and cloud security trainer and consultant. The three of them talk about cybersecurity through the lens of risk management. They outline some of the different types of risks, the socioeconomic motivations behind hacking, and the tools used to exploit software vulnerabilities. Paul, Ty and Aaron conclude with a discussion of just how important it is to maintain a strong security-minded culture in a business environment where technology permeates everything we do.
Paul: Welcome back to Island Thrive. My name is Paul Holmes and co-hosting with me today, a special guest, Ty from Smart Dolphins IT. For those of you who don’t recall, he’s been on a previous episode, and he’s a vCIO here at Smart Dolphins. Welcome, Ty.
Ty: Good morning.
Paul: And we’re also really excited today to bring kind of a special episode. We’re going to talk about cybersecurity, and we brought in Aaron Kraus, who’s a cybersecurity practitioner and educator with 15 years of experience working, teaching and writing. He holds CISSP and CCSP certifications and aims to blend security and business knowledge to help a variety of organizations keep their businesses safe. And I should also say he’s a guest trainer here with Smart Dolphins. We’ve had him on a number of times helping people in our community learn more about cybersecurity as well, including our clients and other businesses here on Vancouver Island. So welcome, Aaron, to the show today.
Aaron: Hello, hello great to be here.
Paul: Awesome. And Aaron, why don’t we start, why don’t you tell us what CISSP and CCSP mean for those who are already confused by acronyms?
Aaron: Yeah. They mean more letters at the end of my signature block is the short answer. The longer answer is Certified Information Systems Security Practitioner... Professional, excuse me, and Certified Cloud Security Professional. For security practitioners in the industry, it indicates a certain level of knowledge and experience, either in general cybersecurity for the CISSP or specifically cloud security for the CCSP.
Paul: And for those of you who have taken training with Smart Dolphins with either myself or Ty, you’ll know that we know a fair amount about security because we’ve worked in the industry and we kind of follow the trends and that sort of thing. But Aaron’s level of knowledge is obviously deeper; he lives and breathes this as his core job in the world, so we’re really excited to be able to dig in a little bit deeper than maybe we’ve been able to do on some of our high level training today. So thanks again, Aaron, for being with us.
And I think we should probably kick this off with setting the stage. I always like to try to set the stage because security can seem kind of dull to people; they’re like “oh, I got to take this stupid security course, and blah, blah, blah.” And I think it’s really critical for a number of reasons, the first one being that if something goes wrong from a security perspective, the damage that it can cause to your business is just through the roof enormous, but it’s also important, I think, because people need to have an awareness and they need to understand the sort of insidious nature of what we’re dealing with and to sort of just be on the lookout, be prepared. And so I think I’d maybe just open it to both of you, Aaron and Ty, starting maybe with Aaron: if you were to set the stage, what’s the big advice that you give people or what’s the thing that you would caution most?
Aaron: Yeah, I think two important things that I always try to highlight when talking about security, and as you mentioned, I live and breathe this so I recognize not everybody’s quite as deep in the weeds as I am. I think it’s important to remember that we’re really talking about risk management. Life is an inherently risky activity, there are always things that could potentially go wrong, and cybersecurity is really just about addressing those things that could potentially go wrong to your data, to the information systems that your business relies on. And at this point, all businesses rely on data and information systems; unless you are literally bartering goods for services or swapping goods, at some point you’re probably swiping a credit card or taking data, using information in some way. As human beings, to get a little bit philosophical, we have thousands of years of evolution to help us protect shiny objects and food and other necessities, we’ve developed practices and tools that help us do that, and the information age is still relatively new, so I don’t think we’ve quite matured to the point where we know how to protect this massive database, but we do know how to make use of it to do valuable and cool stuff, track customers, sell products, run our business.
So it’s really just a matter of being aware that, yes, there are sophisticated, sometimes organized, sometimes opportunistic criminal enterprises that are basically exploiting these risks, that are taking advantage of these risks, and it’s being aware that those exist. You don’t necessarily need to be paranoid on a daily basis, but definitely recognizing the importance of those risks and how crucial it is to protect your business, it’s something that should be… Should be on your radar at some point.
Ty: Yeah, I think that sums it up really well. Through a lot of the presentations I’ve done, we often get questions about not just how to keep a business secure, but what I do in my personal life, and I’ve often phrased it as: being competent in basic security practices is now a life skill, basically… It’s sort of like learning how to swim. Like everybody needs to do this. It’s no longer okay to ignore these risks, so whether that’s your personal email, your bank account at home, you need to have a certain level of competency and to be engaged and knowing those things.
And it’s the same for business, it’s just the same as your other critical business functions, like having competent financials and bookkeeping. You need to have the right people with the skill set, either on your team or accessible, and be engaging with those people and putting those practices in place. It’s just as important as keeping your books balanced, I promise you. You can maybe get away with that for a little bit, but at some point, if you don’t have that buttoned down, it will catch up with you. And that risk that you highlighted there, that will come to their IT, so we need to be really paying attention and integrating this as a core part of our business.
Like so many risks, driving is a great one. I think the biggest risk to us comes from complacency, it’s sometimes the perception that, “well, I don’t need to wear my seat belt because I’ve never needed to wear my seat belt.” Well, the reality with technology nowadays is that maybe you haven’t had that fender bender yet, but when it happens, you don’t have time to reach over and buckle yourself in. In some cases, these things happen so quickly and so quietly that you don’t even know that you’ve been in a crash and you don’t see the impact for some time to come, and the damage can go on for quite a while. So yeah, it’s very, very much a core competency, and it’s one that if you’re feeling a little behind, you absolutely can and should catch up and make that a part of your operations and continually revisit and invest in that, because these risks are not shrinking and they’re certainly not going away.
Aaron: I think that’s a great example for two reasons: number one, I live in the US state that is routinely identified as having the worst drivers, so I can very much relate to that example, but I think the idea of auto security and, as you mentioned, seat belts, that’s actually a very good analogy that captures the evolution of what the risk looks like. When the automobile was first invented, your risk was running into a horse or a horse and carriage on the road. So I know in some places you have animals on the road that you have to worry about, and cars are designed to deal with that. In other places, you get further south here in the US, we don’t have moose or elk or horses on the road that frequently, so the cars need to be designed to address different threats. But also, over time, people weren’t distracted by cellphones in the early days of the automobile. Now, that is a risk that we have to deal with. So you’d think cars have been around for a while, we would have figured out what that looks like with the security, like your seat belt would be a static thing. It really isn’t. It’s an evolving threat. It’s an evolving risk, so making sure that you’re staying on top of it is crucial as well.
Paul: And just like in technology, we’re all driving a little faster and a little more often now. It’s funny, Aaron, you used the analogy of barter, and you know, it’s been a while because of the pandemic, but the last time I went to a farmer’s market, I used my card on the swipe and sent an e-transfer. I still had cash in that era of a year and a half ago, but yeah, it was pretty remarkable in hindsight, and that wouldn’t have been the thing even four or five years ago. Technology has crept into every aspect of our lives, and I think that’s one of the critical reasons why we need to be upping our game when it comes to security, because it’s just all around us. We’re always using it.
Let’s talk a little bit about the bad guys behind the curtain. I’ve used a few different analogies, and I have in my head, Aaron, an idea of who these people are and the shady characters that get involved with this, but maybe you have a bit more direct insight into exactly who we are dealing with. Who are the people behind all of these threats?
Aaron: It’s actually an interesting sociological topic. There’s a current debate on Twitter over reclaiming the word “hacker,” which originally meant something good but has now sort of come to be a shorthand for people hacking into and stealing data from systems. But people who do legitimate hacks, like figuring out how to make something work, want to reclaim that term.
I think we do have an interesting perception of somebody sitting in a dark room, probably wearing a hoodie… not actually the case. We tend to talk about threat actors as groups, and some of them are nation-state actors, so they are foreign nation states who may have hostile intent, either in terms of military power or commercial power; they may want to steal trade secrets, or they may want to disrupt the business of a foreign nation state. You may have individuals who have access to tools which automate attacks, and they’re doing it for fun or profit. One really interesting aspect of security is the threat actors who are purely motivated by profit, and these are very, very intelligent people who unfortunately live in places where their intellect, their abilities, there’s just no valid outlet for them to make money in a legitimate industry. So you see, in smaller countries, these very brilliant people who might be computer scientists if they were in a larger country, instead they turn to online crime because it pays the most out of all of the things that they can do within their country. And they’re using automated tools, these attacks can be done opportunistically, so they’re not necessarily targeting an organization, they’re just sending out a blast of phishing emails to every valid email address they can find, hoping somebody falls for it, clicks the link. They can make 10,000 in a month, which is more than many people will make in six months in the same country, so the economics actually is what drives a lot of threat actors who are not necessarily motivated by political purposes.
Paul: I wonder, I’ve also been told, and I haven’t done it myself, but as I understand, you can be a pretty average technology, average intelligence person that spends some time searching around the internet, and it’s pretty easy to stumble across the tools and the scripts and all these things that help you to do these hacks. Is that true?
Aaron: It is true, and you don’t even necessarily need to have malicious intent. Many of the tools that we use for security testing, for things you may have heard of like penetration testing or pen testing, the tools that those folks use to legitimately try to break into a system to find the weaknesses and help you fix them, those tools are in many cases publicly available or they are open source, they’re community driven. Just like any tool, it’s how you use it, so if you have malicious intent, I could use a hammer to break down a door, or I could also use a hammer to fix a door and better protect somebody’s house. Tools like Metasploit or Burp Suite or common pen testing tools that carry out a lot of automated functions, they can also be used for malicious attacks. It’s just a matter of how you use them.
Ty: Okay, another part of that too is the tools are widely available, but so is the knowledge. So a really tangible example of this would be, let’s say, Windows XP, which there are still many, many more copies of running out there than there really ought to be, but it’s been out of support with Microsoft for years now, probably a decade or more. And what that means is that every single vulnerability that existed the day Microsoft stopped supporting Windows XP, and every day afterward, those are really well-documented. Actually in many cases by Microsoft itself, because a lot of the vulnerabilities apply to newer operating systems, so it’s very easy to find these, this knowledge is out there, and if you’re running something like that, it’s just sitting there waiting, and it doesn’t necessarily take the highest, most mature skill set to go and exploit these older systems. Just one example: the tools, the knowledge, it’s all there. If you fit into a category where those tools and knowledge can be used against your system, well, it’s really sort of just a matter of time in most cases.
Aaron: And I think it’s important to note all software will have vulnerabilities. So Windows XP is a great example. I think at this point, Windows 7 is also out of even extended support, although some people may have individual contracts with Microsoft. It’s not necessarily Microsoft’s fault, any complex piece of software is going to have vulnerabilities, so we talk about managing them, we talk about being proactive. When a patch is released, making sure that it’s applied, and Ty, to your point, for software that is no longer receiving patches, yes, those vulnerabilities exist. In many cases, they’re well-known and have been publicly disclosed and can be used against you, and the risk there of using that outdated software is you have no way to fix it, you have no way to apply a patch that takes care of that vulnerability for you. And exploiting those things, that’s what those tools like Metasploit do. As the name implies, “meta,” big, “sploit,” exploitation, basically it’s an automated framework that will just try to exploit any vulnerabilities in software that it can find, and it can run 24/7, doesn’t need breaks, doesn’t need vacations, can run at scale using cloud computing, so the economics here really are in the favor of the attackers.
I think another interesting point, and even just outside of technology, we talk about a major source of cybersecurity risk that comes from people, and that is social engineering. Even if you know nothing about technology, you don’t necessarily have to, and I’m putting this in air quotes or inverted commas, “you don’t have to hack somebody if you can get them to give up their credentials. If I can trick you into giving me your username and password for your online bank account, there’s no technical skill involved in that at all.” And it’s a really effective scam, it’s a very effective tool that is often used, especially in phishing.
Paul: Yeah, we should talk about that. In the Canadian context, of course, we are in tax season. Congratulations everybody who just had a little moment when I said that… Everybody’s favorite time of year, but there is a very sophisticated organized crime industry in Canada that perpetrates scams pretending to be the Canada Revenue Agency, and Ty, I know you’ve done a fair amount of research on this, so what should people be looking out for?
Ty: Yeah. I think the CRA scam is something that’s known to just about every Canadian at this point. I’m not sure how many years I’ve been a target of this, but for quite some time. So basically, this is just an impersonation attempt, and this has been going on for a very, very long time through email, text messaging, calls and, in extreme cases, even in person. And basically, the ruse here is that you get some form of communication which looks like it’s from the CRA, and they’ll either be asking for information or, more commonly, they’ll tell you that you owe money. And it’s really well-timed in a lot of cases because people have just filed their taxes, they’re not quite sure if it’s been processed, maybe they do owe money, and then they’re coming out to you saying, “well, you need to pay up, so you need to send us Bitcoin or iTunes gift cards,” and like in any of these cases, it’s a numbers game. Most people are going to brush it off, but there is a small subset of people that are very trusting, or may just not be aware that this is a thing, or may actually owe money and just mistake this for legitimate communication and pay up.
And to speak to the sophistication, I mean, obviously there’s a lot of technology behind this. There are systems that call millions of people and email millions of people, and then people that actually will talk to you on the phone, so they’re located in a call center somewhere, and there’s payroll, admin and management managing these people. It’s quite impressive in a way. In extreme cases, there have actually been scammers that have shown up at people’s doors after calling them, posing as police or sheriffs, that type of thing. It’s been going on for so long, and I think that really speaks to how hard it is to dismantle these things as a whole. They’re not just going to go away overnight, so the way we can combat this largely is through education and making sure that as many people as possible are aware of what this is and know how to identify it and what to do when they’re targeted, because I guarantee almost everybody in Canada, or somebody they know, has been touched by this.
Paul: Yeah, and I think… I think it’s a good example because people are aware of it, and if there’s one takeaway I would like people to think about, it is: if you see how insidious that is and how common, you know somebody has been affected, probably you or somebody in your family. Now, think about that in the broader context, in your business and everything else, these threats you hear about, that you think, “oh well, this is probably not going to affect me because I’m a small business, I’m this or I’m that.” Everybody has a good reason to think they’re not going to be affected by it. And it’s just simply not true. And so the CRA example, I guess, is good as a warning for what’s really out there. And they’re not just coming after you. They’re coming after your business and they’re coming after everything else. There’s a particular caution here as well. Aaron, we talked before the recording today about certain industries being targeted right now as well. Right, why don’t you tell us about that?
Aaron: Yeah, I think not only could businesses be the target, but they could also unfortunately be used in these types of tax scams. Here in the States, obviously, we have the IRS, and similar types of scams have been impacting individuals. For some reason, and I’m going a little bit off-topic here, I seem to get these automated recordings, they’ll call… I’m a millennial, so I never pick up my phone unless I know the person who’s calling and it goes to voicemail, and for some reason the voicemail scams are in Mandarin, and I verified this by forwarding to a friend who translated, and he said, “yes, they’re telling you, you owe back taxes and they need you to send an iTunes gift card.” So on the plus side, not all of these scams are super sophisticated; obviously they don’t have the right demographic information for me because I don’t speak Mandarin, so that particular scam is not going to hit its target. Chatting with a security pro I know in Newfoundland, he actually pointed out that in the case of tax fraud up in Canada, some businesses are being used as, I guess, unwitting pawns in these attempts to collect social insurance numbers. So people are receiving emails that look like they come from your tax preparer, look like they come from your financial advisor or some financial services firm with whom you have done business, and they’re asking you to provide all of the relevant information that they need to handle your investments or prepare your taxes. It feels like a legitimate request, it feels like something. I just went through this myself. I securely uploaded all of my tax documents to my accountant. I know not to send an email to my accountant with my tax forms because it has my social security number, roughly the equivalent of your social insurance number. Email is not secure.
I know that I should never send an SSN, as we call it, through an email. The goal of these particular attacks is to make it look like the attackers are someone legitimate, a legit financial services organization, and then collect people’s Social Insurance Numbers, financial account information, whatever they can get their hands on. And again, not a targeted attack, they’re not going after extremely wealthy people, these are just broad, what we call “spray and pray” attacks: you go after as big an audience as possible and hope that out of a million emails you send, even 100 of them respond with some information that you can use. And because these emails are sent out using automated tools, there’s very little effort required, so again, the economics makes sense. In this case, the key takeaway, obviously from an individual perspective: never, ever, ever, please, under no circumstances whatsoever, use email to share secure, sensitive information. Email is not secure.
Find another way, if you have to share your social insurance number or account information, at the very least. As a millennial, I know this will be ironic, but pick up the phone and give somebody a call.
As a business, also make sure that you are looking at securing your email, so there are some technologies that you can use that make it harder for you to be a pawn in this kind of game, particularly something known as SPF or Sender Policy Framework, basically a way for you to say a company name dot com can only be used to send email from this particular service, whether that’s Microsoft 365, Google Workspace, or if you happen to run your own email server. SPF provides you a way to say legitimate email coming from my company only comes from this particular source, so it prevents somebody else from setting up an email server and sending messages that look like they come from you, and that can be a way for you to safeguard your users, your customers, or your clients’ data.
Paul: And there are still workarounds there too. Like, we talk about all these tools and how great many of them are, and SPF is a great tool, but social engineering could be used, right? You could become the victim of a “man in the middle email scam” where it’s the CEO using his personal email, pretending to use his personal email: “I’m using my Gmail today because for some reason I couldn’t access my work email, but I really need you to send me x dollars, so I really need you, and it’s very urgent, or I need you to go buy those gift cards,” and usually it’s really urgent, whatever it is. So generally all these tools and all this technology is great, and it’s getting better, the way that we’re preventing these bad guys from getting in there and creating a mess with our lives, right, but social engineering and all the manipulation of people is still out there. It’s still a possibility. We should talk a little bit about… Oh, just before we wrap up on the tax scams, I think you had more to add, Ty, too… It gets even more complicated because there are legitimate issues that come up that become kind of opportunity vectors for these guys.
So in the case of the Canada Revenue Agency here in Canada, there was news recently that they cancelled 800,000 online accounts because they were concerned that they may have been compromised, and there was a compromise back in August where something like 5600 online accounts were actually compromised, and then they’ve now since decided that, “well, we’re going to (for safety’s sake) cancel 800,000.” And so an opportunist is going to come along and say, “hey, this is Canada Revenue calling, we’re helping you reset your online password,” and that’s the manipulation. People just need to be aware that these people are out there, they are ready to scam you, and they’re going to use every tool in their arsenal to try to trick you into thinking that they’re who they say they are. And I would say, hang up that phone, delete that email, just don’t do it. Assume the worst until you can prove otherwise, and that’s unfortunately kind of where we’re at in the world today. Ty, you wanted to add something on the CRA thing before we go to them?
Ty: Yeah, I had a thought when Aaron was going through SPF as a tool that you could put in place to protect against your domains being spoofed or impersonated with email, and I suspect that SPF is probably a term that’s new to most of our listeners, but that’s a seat belt, that’s a seat belt. And I think what’s really key here is making sure that you have somebody that can help make sure that those seat belts are buckled up, that those are in place, because these aren’t going to be familiar, and there are 1000 other things like SPF that most businesses are going to want to have in place. Tying this back to making sure that you’ve got this as a function of your business.
The other thought I had was on the social engineering side. We’ve talked about some of the very specific targeted ones where they’re calling certain phone numbers, and an interesting one I’ve seen over the last year or so is this similar domain attack, which we’ve seen a whole bunch of. And basically what that is, is they’ll go and register a domain that’s very, very similar to yours, so in the case of Smart Dolphins, they might register smart dolphins with an upper case “I” instead of an “L” or maybe two “l’s” or something like that, and then they’ll begin to send out emails from that brand new domain, which doesn’t have any negative spam reputation online, and because of the way we read, our brains are very efficient, we don’t need to stop and read every single letter, we can browse over that very, very quickly, and it’s sort of this scaling up of social engineering. While it’s sort of the “spray and pray” that Aaron talked about, it’s a “spray and pray” but also with a little bit of those targeted elements in it as well, going after specific businesses or specific industries. So it’s just that constant evolution: as soon as you have something in place to guard against that, somebody is sitting down and they’re thinking how they can get around that, just like when the CRA sends out a communication that they need to lock a bunch of accounts, a light bulb is going off for a bad guy there and going, “well, you know what, I could probably jump on this, I can piggyback on this and craft something similar and send it to a bunch of people and get them to reset their passwords.” It’s worryingly impressive, what we see day-to-day, I think.
Paul: I think the message for business leaders is lead on this, really, really take the lead in your organization to not just promote security awareness, but also another really key thing I think that business leaders should do is set the tone for the policy. So you probably, in your company, to the listener, you have policies in place to protect people from being scammed out of money, like you have certain protocols that need to be followed when money goes out the door. A lot of organizations have really good policies in place; enforce them and make your staff aware that everybody in the organization, including you, are never allowed to use anything but the rules, because somebody is going to pretend to be you, if you’re the CEO or the president, in order to make somebody else who’s maybe not as high in your organization feel like, “oh well, they’re asking me to break the rules, but it’s the boss, so that’s okay.” And if you can set the stage to say, even if the boss sends you a message and says, “please wire this money to here or do this outside of the policy,” even that’s not okay. And as leaders, you really have the opportunity to set that framework and that understanding, and then everybody in your organization knows we follow the policy 100% of the time, and the reason we do it isn’t because we’re trying to be inefficient, or we’re trying to create red tape, but because we’re trying to avoid these very insidious scams that are out there and just make sure that our company doesn’t suffer as a result.
Funny you mentioned it, Ty, the external address with the similar domain attack, right? One of the things you can do is you can have your email program let you know when an email is coming from an external address, so if you get some email appearing to be from somebody in your organization, and it says it’s coming from an external address, it could set off a red flag. But again, that’s just another seat belt, another preventative tool. Really, the key thing is slow down; if something is weird, it’s probably something you need to take your time on. Verify, as Aaron said, pick up the phone. Did you really send me that file attachment or not?
One of the things, just before we leave the sophisticated organized crime industry topic, I really want to dig in, and Aaron, I’m very curious to hear from you on this. I kind of have a vision in my mind that there is a massive database of people and companies online, and that it’s constantly being updated with stolen information and passwords and data and Social Insurance Numbers and passport photos and all of those things, and that criminals can go in and buy and sell and share amongst themselves this data as they please. Is the market as efficient as I think it is in my mind, or what does it really look like?
Aaron: It’s everything and more so everything that you just said, I would say make it plural, so multiple databases, multiple markets where you can purchase these things, you may have heard of the dark web or the deep web. Dark web stuff that we can’t necessarily see from a search engine, so things that don’t show up in Google. Online banking technically counts on the good side, because obviously you can’t reach someone’s online account data just by using a search engine that’s behind a login or a paywall, but then the deep web is stuff that you do have to have some technical skills to get access to, so you may need to access special non-public parts of what we call the global internet, interconnected networks there, you may have to use special tools, I think something known as tor, the onion router. But all of these things exist, all of them give you access, if you know where to look and what to do and what tools to use to exactly these kinds of databases of stolen credit card information or stolen identity information. I can talk until I’m blue in the face about why you shouldn’t share things like social security number or social insurance number with an unknown party, with an organization who doesn’t need it, because if they have that breach once that number is out there, it’s out there forever.
I fell victim to this myself, there were times when I couldn’t avoid sharing this type of information and those organizations have now been breached, I have to have identity theft monitoring for the rest of my life and credit monitoring for the rest of my life. So there are real long-lasting impacts on individuals, on people, to put a human face on it, but then from a company’s standpoint, the organizations that were breached, they’re actually the ones who have to pay for that credit monitoring and identity theft monitoring. And many privacy laws now include that as an explicit cost. If you are a business, you have a database of privacy-related information for your customers or your users, and there’s a breach, you may be on the hook to pay for that credit monitoring for the rest of those people’s lives, for a set period of time, that’s an actual real per user per year cost that you need to take into account, so we often talk about cost-benefit analysis, how much do those seatbelts cost? That might be an unattractive cost, you don’t want to pay to upgrade to the more robust security tier, well, what’s the potential downside cost if you don’t have those seatbelts in place? How much are you going to be paying to clean up the mess after it happens?
Paul: Well, and the “I didn’t know” answer only gets you so far in life, and that’s going away pretty quickly. There’s privacy laws everywhere, people are very haphazard in how they manage other people’s data and stuff like that, “well, I didn’t know any better.” That doesn’t hold up in court the same way it might have a decade ago, so businesses need to be on top, they need to be aware, they need to be protecting their customers’ data because you’re on the hook if you lose it, right?
Ty: And there’s holding up in court and then there’s just holding up as far as PR. You don’t even have to get to court.
Paul: The court of public opinion.
Ty: Yeah, reputational damage is very real and you don’t want to be in the papers.
Paul: For sure. I want to switch gears a little bit. For people who are listening, there is training that we offer on an ongoing basis with Smart Dolphins. We will have Aaron back again to do some of that, which is awesome. I do an introductory course, that’s great for your staff to help build awareness, I help people build (I don’t know who coined the term, but I stole it from Ty) the human firewall of people who in the organization are aware and help build up that whole thing within your organization, so please come and attend those. But if you’re not going to come and attend those, I want to leave you with some practical tips for today, and I want to turn this over to Aaron first. Aaron, passwords, we talked about this database of all the information that’s out there on the dark web. And a lot of that, of course, is passwords that have been hacked from other sites that get added into this database, there’s a massive collection. I know I can go on to haveIbeenpwned.com and see that my gmail address has been used in 35 different hacks and any password, any other information I had in those accounts is probably out there on the dark web, all about me. And so there’s some obvious stuff around passwords like don’t use the same one, use good passwords, that sort of thing, but I know that you have a whole sort of philosophy around that, so I’m going to turn it over to you Aaron.
Aaron: Yeah, I love the idea of password hygiene, basically keeping these things that we use to gain access or to control access to all these sensitive resources and data and services, just kind of maintaining them in a good state, so yeah, don’t re-use passwords, do not share them with other people. I know in a lot of cases that’s unavoidable, especially in business where you may have one account to something, so that kind of then pushes you into what I think is the most important aspect of password hygiene, which is a password manager. It is really becoming table stakes, entry level, foundational requirement, whatever metaphor works, but having a tool that helps you generate random passwords for each of these services. So the goal there, obviously, if service A is breached, even if you use the same email address to sign in to service B, the password that was breached does not grant access. So password managers can do that, they help you to remember these random passwords, and many of them are now also starting to incorporate… And I love, Paul, that you mentioned haveIbeenpwned.com, a service that basically shows when data breaches have occurred that exposed your username and password. Password managers are now starting to incorporate that kind of intelligence to say, “hey, this particular account is compromised, you need to go and change the password.”
Final thought on them, they also facilitate secure sharing, so in those business instances where you have to share an account with another co-worker, or even in personal instances, and I do recommend using a password manager in everyday life, if you’re going to share your streaming service password, you can do it securely using these password managers rather than dropping that, say, into an email, which as we already discussed is not secure.
Paul: Well, and the password managers, this is such a huge topic we could really dive into, but people get worried because they think, “oh, my passwords are now stored in a database online, can they all be stolen from there,” and of course, the answer to that is “no, it’s all encrypted and the decryption code lives on your computer, not on the computers at LastPass.” So go ahead Aaron.
Aaron: Yes, so a good additional point there is to make sure that you choose a reputable one. I generally don’t recommend that people use the built-in browser password management tools, the one exception there being if you’re on the Apple ecosystem and platform, iCloud Keychain is a separate service that is integrated into Apple’s web browsers, but it doesn’t use the same kind of storage as Chrome would use for passwords, so I do have family members that I say use that. It’s easy, relatively transparent. You don’t need to download something like LastPass or 1Password.
Paul: Does it integrate with iPhones and other products as well?
Aaron: It does, so it integrates with all the apps as well as in the browser, and it synchronizes across if you have a Mac laptop, an iPad and an iPhone, your passwords are in sync across all of them, so very useful there.
Chrome can do something similar if you’re using the Chrome browser across different devices, I tend to trust Google just a little bit less for personal data, obviously, because they’re in the business of collecting personal data to sell me ads, but Google does have a very robust security and privacy focus for sensitive information like that. So it’s still better than nothing.
Aaron: But then a good password manager, like LastPass or 1Password, one that has a good reputation in the industry. I wouldn’t use Bob’s password manager that I’ve never heard of, because I can’t guarantee that that is going to be secure, I don’t have verification of the seat belts that are in place there, to keep using our analogy.
Paul: Yeah, the 1Password thing is an interesting one, we’ve come up with solutions like these password managers where everybody in your business has a login and they can share that password, but you can actually hide it so they don’t actually see it, which is great, right, so nobody can run off and steal your password. So if an employee leaves your organization, you just disconnect their password account, they have no way of accessing. So there’s all these tools that are great, but fundamentally, really what you want to be doing is having a separate password for every person, and the rationale there, at a high level, is if somebody is logging in and creating some problem in your program, you want to be able to identify who that person is, right? Even if it’s not nefarious, even if they’re just doing something wrong, they’re messing up some of the data because they’re doing something wrong. Well, if there’s 30 people all using the same password, how are you going to identify that? Are you going to have staff meetings with 30 people, chastising them because one person in the room, who might not be there that day, happens to be doing things wrong? And so there’s plenty of really practical reasons why you should always have each individual employee log in with their own information, especially when you get into things like… within an org, I’ve heard of a situation where somebody was deleting hours billed for clients that they liked, and they did it out of the kindness of their heart and cost the company tens of thousands of dollars, and because it was a shared password they couldn’t prove… They knew who it was, they figured it out, but they couldn’t prove it because of course, they were all using a shared password on that system. So there’s examples like that, and there’s probably dozens more, where if you set up a separate password for each user, it protects them as individuals and it protects your organization as well.
Aaron: And I think this comes down to the fundamental reason that we use usernames and passwords. Often we talk about access control, and one of the elements of that is identification and authentication, you identify your users, that’s what the username does, and then the password proves that they are who they say they are. So only the user who has knowledge of their individual password should be able to supply it when they’re logging in, so to the point about shared passwords, you basically cut that off at the knees by sharing a password because you can no longer uniquely identify users, and I think that also leads to an interesting other aspect of not necessarily password hygiene, but access control hygiene, which would be the use of multi-factor authentication. So in this case, if a user has given up their username and password to a phishing scheme, if they responded to an email, they logged into a fake website and gave up their username and password, how do you as a business know, is this Jane Smith logging in with her username and password, or is this dark web hacker O2 logging in using Jane Smith’s stolen username and password? So multi-factor authentication adds a new, what’s known as a factor, hence the name, to the authentication process, so not just a password is required to log in, Jane Smith has to enter both her password as well as, let’s say, a code generated by a hardware token, a little keychain fob that displays a six-digit code, or a smartphone app that does the same thing.
This helps to prevent exactly that type of attack, and it helps to make the stolen credentials that an attacker might have captured in a phishing scheme basically worthless, because they have Jane Smith’s username and password, but unless they’ve also stolen her smartphone and can open the app to get the six-digit code, they can’t actually use that to log in, and this is… I think I can say this without fear of anyone successfully challenging me, I think at this point, multi-factor authentication is also table stakes, it is also a good requirement anywhere and everywhere that you can implement it.
Paul: 100%, and I tell people, I give people the example of my Gmail. So we talked about all the things you’re not supposed to email out, like your driver’s license photo and your social insurance number, and your taxes and credit card numbers, all of those things. I’ve had my Gmail so long, I’ve emailed every single one of those things, and if you think about it, I want the listeners to think about this right now, what is all the personal data that you’ve emailed out of your personal Gmail over the years, and what could a hacker get if they could log in to your Gmail now, or whatever your personal email is, as you, and access everything you’ve ever sent out? I want that to terrify you, and I want you to now take 10 minutes and go and figure out multi-factor authentication and set it up, so that if somebody steals your username and your password, your username, by the way, for most email programs, is just your email address, which is already probably out there anyway, so really, there’s only one piece of information they need to steal, and then now they have basically access to every piece of detail in your entire life, and maybe delete your mailbox when they’re finished.
So go and do that now, if you haven’t done that already, it’s very simple, it takes a few minutes to set up and you don’t need fancy equipment or anything else, you can use your cell phone, and it really slows them, it’s not perfect, but it slows them down, right? And this is the thing, as Aaron said, you’re connecting now your account to the hardware on your phone, it becomes pretty much next to impossible for somebody to steal your account now without stealing your phone, but there are still workarounds, and I know the obvious one, Ty, is the social engineering angle, so why don’t you lay that one out, and then Aaron, I’m going to turn it over to you to talk about all the sophisticated SIM hijacking and stuff that’s going on. So go ahead Ty.
Ty: Just about any system that we come up with, it’s usually just a matter of time, as you mentioned, just even setting up a fake login page and trying to convince somebody that the next prompt that they see is just a confirmation code, or a code for their ticket or something that you’re helping them with, and getting them to actually type that in from their phone and basically bypassing their own multi-factor. It’s pretty impressive.
I know that Aaron and I have spoken in the past about some of the more technical exploits, I think even possibly intercepting SMS-based multi-factor authentication?
Aaron: Yeah, there are two. We talk about SMS mostly because it can be used as a part of a multi-factor set-up, so you may be familiar with this, you log into an account and you get a text message with a code that you have to enter. Almost everyone has a mobile phone number, so this is an easy way for companies or organizations to implement two-factor authentication. The problem is SMS is not really a secure delivery mechanism, so just like username and password can be stolen, it’s possible to either re-route, intercept or otherwise steal that SMS, so in that case, the attacker’s obvious first step is steal the username and password, and then they go on to hijack those text messages with the authentication codes.
Two things to be on the lookout for here, actually, before I start that, just even better, if at all possible avoid SMS as a two-factor or multi-factor authentication at this point, it’s not secure, it’s worth finding a better solution. One way that it can be potentially re-routed, and this has actually happened in cryptocurrency scams, it’s known as SIM hijacking, and it’s a social engineering attack where someone tricks a telecom provider into porting your number or porting a SIM card over to a device that they control. So obviously the phone number is what’s used to route that message, and that is all that they need to then log into accounts, and a couple of big name cryptocurrency attacks have happened this way, where people lost access to their cryptocurrency wallets by having a text message re-routed to a malicious user.
The other very, very timely issue just broke, I think last week, great news article, “A hacker got all my texts for $16,” and this was basically using an SMS marketing service, which provides a legitimate way to re-route messages being sent to a user’s phone number for marketing or research purposes, when you have a customer support experience and they send you that message saying, “Please rate your experience,” services like this can give you access to text messages being sent out to users, and in this case, the author of the article hired an ethical hacker to basically do this for them and get or intercept these SMS two-factor authentication codes that were being sent. The service costs $16 a month. The ethical hacker signed up using a prepaid, untraceable payment card, and then was basically able to, using these databases of stolen usernames and passwords plus the information sent in the text messages, log in as the author of this article. So for 16 bucks, somebody can take over your digital life, and if you think about the amount of stuff, Paul, to your point, not only that is in your email, stuff that you’ve sent in the past, but also the amount of stuff that your email gets you access to, all of your password resets, we do that via email. So if I compromise your Gmail account, I can then go in and compromise all of your other accounts by sending password reset emails. If I have access to your inbox, I obviously can see those. I reset your other online accounts, and I’ve basically taken over your digital life, which at this point is almost all of your life.
Paul: It’s almost as scary to think about everything that’s out there publicly, even before they hack you, right? Facebook, that’s why people need to be really smart about what they do. Post your vacation photos, but do it after you get back, because otherwise you are just advertising to people that you are away on holidays and no one is watching your house. We give away so much information, just the terrifying thought of what if someone gets into your email inbox and everything they can get into is just insane in my brain.
Aaron: I know Ty you have a thought on this, but there’s just one thing that I’m so fascinated by. There were social engineering attacks that did exactly what Paul was saying, basically taking data which people posted publicly, vacation photos, and they actually used that to craft what’s known as the pretext. So they write an email that looks legitimate and they casually pepper in some details about your recent trip to the Bahamas, not that anyone’s doing that right now, but back in the before times when that was a thing. So the email seems more legit, you think this is somebody who I actually have met, interacted with and know, they know these details about my life, what you don’t realize is you shared that publicly, literally anyone in the world knows that you just took that trip, but they use that to lower your defenses and get you to respond to what’s in the email, so thinking about what you post publicly, not only personally, but also on LinkedIn from a business standpoint as well, how much detail do you put in about the job that you do, which someone could use to craft an attack very targeted at you.
Ty: That’s a perfect segue into a thought I had, but first, I just remembered when you were talking about how SMS-based MFA is just not secure anymore. I remember a few weeks ago, the CRA just finally enabled MFA and it’s SMS-based. So better than nothing. But yeah.
The thought you had there about constructing that story and taking in all of that available information, using it against you, that’s sort of representative of all of the information that gets out there in the world, and Paul asked earlier, is there just this giant database out there of phone numbers and credit card numbers. And yeah, there is, but I think it’s even more important to think about all of the aggregate information over time. So let’s say 10 years ago, you were part of a breach and maybe they just got your home address and your phone number, not terribly useful on their own, but another breach happens and that breach has your Social Insurance Number, and now another breach happens and that’s got some credit card information, and then there’s another one and it’s got some details about your cell phone plan, so this builds over time. It’s like a big snowball and it just keeps getting bigger and the information keeps getting better, and sure they could use that against you to know you’re on vacation, but they can also use it against the services that you use, so if somebody can buy all of this information, and now they’ve got enough of a picture of you to call up your phone carrier and pretend to be you, because they’ve got your address, they’ve got your latest invoice and all this other stuff, they phone them up and they say, I want to port my phone number over to another phone, or, I want to change X, Y, and Z in my account.
And it’s this profile that’s being built on all of us, and it might happen slowly for some and very quickly for others, but it’s only moving forward, the profile is only getting better, so we really need to be… I think putting the basics in, MFA, but also just really re-thinking even those little bits of information and how we guard those, and putting out as little as we can, because it almost never helps us to put out more information, it can almost exclusively only hurt you in the long run.
Paul: I think we’re going to wrap pretty quick here, this has been… I’ve learned a few things. It’s always interesting when you’re in these circles and you learn things as you go along. I just want to underline for people, multi-factor authentication is still, in my opinion, the very best next step for you to implement in your security if you don’t have it already. Period. We’ve talked today about some of the risks around it, social engineering, text-based isn’t the best MFA, there’s lots of other things like that, but honestly, any multi-factor authentication is still better than no multi-factor authentication, because at the very least you’re going to slow the hackers down, and with any tool that’s available in your security arsenal, doing your due diligence and doing your very best to slow people down is still great. If you’re looking at implementing multi-factor authentication for the very first time, by all means, you should be looking at the better options than text message, but if you implemented it a year ago and you’re using text message, don’t freak out, you’re still way better than the people that haven’t implemented it at all, but there is definitely a next level you should be looking at as well, so I just wanted to say that. Funny, the password scam you were talking about, there’s a very nefarious version of this, where people get a fake email saying that they were, let’s just say, watching something inappropriate on their computer and their camera was on them, and “by the way, we recorded everything you were doing on your camera while you were watching something inappropriate on your computer, and just in case you don’t think this is real, here’s the password you used.”
And that scam, they pull that password from that breached password database, and if you recognize this, if you used this particular password on a website at some point or other in the past, you might think, “oh my goodness, this is a real thing,” especially if you’re inclined to doing the sort of things that I mentioned in the email. And so then they demand payment or they’ll release the video or they’ll send it to your spouse or your family. I don’t know how successful that scam is, because who’s going to talk about it? If they paid the demand of payment, the Bitcoin or whatever it is they’re demanding, are you going to tell the police about that? Probably not, right? So there are very strange and nefarious ways that your information being stolen can be used against you, that’s just one of probably thousands of examples.
Aaron: And to wrap that up with everything that we’ve talked about, at the beginning of quarantine lockdown, one of the major online adult services offered their premium product for free, I’ll leave it to you all to look it up if you wish, but within hours of that happening, exactly these types of malicious emails started to come out, and they were automated, they were just sent out to every possible email address, and they were actually pretty well done, as you mentioned, they incorporated previously breached passwords, they also included trending search topics from the adult sites to further set the stage, to set the pretext, they said, “we know this is what you searched for, we know that you used this service, we have your password,” and this was all done within hours of the service offering being made free, because people were stuck in lockdown with apparently nothing else to do. And again, it wasn’t targeted, they weren’t going after particular individuals to try and blackmail them, it was just, “hey, if we send out 10 million emails, even if we find 1000 people willing to send us 100 bucks, that’s enough money to make the automated infrastructure needed to run this thing worthwhile.” It took all of about 10 minutes of coding, and then you just press send. So again, some of these are highly targeted nation-state actors going after particular organizations, others are just people who see the opportunity to make a little bit of money quickly.
Paul: They’re out there and they are coming for us all and our businesses. Of course, the final point, keeping your software up-to-date, we talked about that earlier, it’s not just Windows, it’s not just don’t use Windows 7 because it’s out of support or, God forbid, earlier versions of Windows, but keeping your cellphones up-to-date, keeping your apps up-to-date, keeping every device that you have that has some kind of firmware in it… There’s probably security firmware that comes out periodically. And I feel like that’s kind of important in the general scheme, we should be thinking about these things because if you’re not running the updates, then that sort of baseline of security is gone, right?
Ty: My suggestion that I think marries with that is keeping your culture up-to-date. We talked earlier about having good security policies and putting all the right rules in place for your employees, people are far more likely to follow rules and policies that they believe in, and where they understand the risk that ties back to them, keeping your culture up-to-date, keeping your employees engaged in these risks and really helping them understand why you’re asking them to do sometimes tough or different things than you’ve done in the past.
I think you’re going to find that people are much more likely to play ball and to be an ally within your organization, rather than somebody who might skirt the rules and click on something one day and cause a whole lot of trouble. So culture is really key here.
Paul: I love it. And for those who are listening, still listening at this length of the episode, business owners and managers and people in the Victoria and Vancouver Island business community, that’s really a great piece of advice, building that security awareness right into the culture of your organization. Your final thoughts, Aaron.
Aaron: I wish I had anything half as brilliant as Ty, full disclosure Ty, I’m going to borrow that and use it, I love that idea of keeping the culture up-to-date, because I do think security starts at the top. But it is truly a team effort, so it’s a matter of reinforcing the impact of security, making sure that it is a strategic objective that everybody understands, and most importantly, as a business leader, making sure that you’re demonstrating security, so you can’t be exempt from it. All of the cyber hygiene that we’ve talked about, all of the potential risks. If you don’t address those, other people in the organization won’t address them, and therefore any investment that you make won’t be worth the money that you paid for it. So I love that idea of keeping the culture up-to-date.
Paul: Leadership begins at the top, and so as a leader in your organization, lead people when it comes to security awareness, and when it comes to making this front and center. I just want to say a big thank you to Aaron for joining us today. Cybersecurity practitioner and educator, Aaron Kraus, thank you so much, I really appreciate it, and I’ve learned a lot, and I’ve learned a lot actually attending your training that we’ve offered through Smart Dolphins, which has been awesome. So really looking forward to seeing you again, Aaron, and I just want to say thanks.
Aaron: Same, thank you all, and glad to not only learn stuff myself, but also hopefully teach a few things, so have a great day.
Paul: Awesome. And Ty, always a pleasure to have you back on Island Thrive.