Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime explains why all organisations are a target of cybercrime.
Hi, my name is Roger. And today I would like to talk to you about why all organizations are a target for hackers.
Now, I am not just saying some. I am saying all organizations are a target of hackers.
And there is no such thing as hiding behind “we have nothing worth stealing” or “we are too small to be attacked”, because it doesn’t work like that. The belief that we have nothing of value is just that: a fallacy.
And because you are connected to the Internet, you cannot be too small to be attacked. So you would be wrong in that respect.
We all have something that the criminals want. It doesn’t matter whether it is money, it is trade secrets, it is access to other people, we all have something that they want. So what do you have that makes you a target of cyber criminals?
Let’s look at what we use the digital world for. In business, it is really easy to use: in the digital world you can post on Facebook or send an email. You can build a website. So it is relatively easy to use. With a bit more knowledge, you can set up a CRM and work in a cloud environment. That is why it is so easy to use.
The other thing about the Internet and the digital world is that it is inexpensive. It doesn’t cost you much to send an email; it doesn’t cost you anything apart from the infrastructure. It doesn’t cost you anything to join Facebook. It doesn’t cost you anything to set up a SAD, which is a project management site.
So you can set up all of this without any real investment, and it makes your functionality as a business so much better. You can set up a CRM, a client relationship management system, and if it only has to manage two or three of you, either it is free or it is only $10 a month per user.
So it is no longer a capital cost. It is now an operational cost to do things in your business. Because of that, it is a lot more cost effective, and being cost effective makes it so much easier for a small business to do business.
You can set up a website on your own, and it might only cost you $150 a year as long as you are willing to do all the work. But the other thing about the digital world is that it increases your range, your reach. You are no longer local or tied to a geographic position in the world. You can reach people from Australia to North America. You can reach people from Iceland to Saudi Arabia.
So it doesn’t matter whether you previously thought of yourself as local. It can now go worldwide. And that is not bad for a very small business.
What about larger organizations? A lot of larger organizations use it to manage their brand. In the digital world, everybody is looking at you if you are large, for instance Coca-Cola or McDonald’s. They manage their brand. Everything they do on the Internet or in the digital world is exactly the same going forward.
They even use the digital world for R&D, research and development. We all do that ourselves. If I want to develop a new product, the first thing I do is do a search on Google to find out what’s out there, who’s out there and who my competition is.
We can also use the digital world for collaboration, both internally, so I know what my manager is doing and the manager knows what I am doing, and with someone external. I have a colleague, for instance, who does my content when I am writing for my website. I do a draft and send it to the editor, and they fix it. That is where the collaboration comes into it.
And of course, we have social media. Social is Twitter, Facebook, LinkedIn, Pinterest, all of these platforms that you are using. Now you have got to remember they are a platform. You have no control over the algorithm they are using or how they make their money. They might do what Facebook did at the beginning of last year and change their algorithm so your organic reach goes from 30% to 1%. That is a big change, and it happened because they were trying to make money.
You have no control over that because it is a platform.
So with all of this going on, what are the bad guys doing? How are the bad guys using the digital world?
The bad guys are after a number of things. One is your reputation. Going back to Coca-Cola and McDonald’s, they have a big reputation. It doesn’t matter whether it is good or bad; they have a big reputation.
And most businesses have a reputation that they utilize to get followers and customers and go forward as a business.
They are also after your money. Money, you might think, is a huge driving force, and it is. But it is not the only driving force behind what cyber criminals are doing.
Cyber criminals are after your money, but they are also after your access to other people’s money. By hacking into my system and taking over my accounting system, they can send an invoice to someone, and that money can go to the wrong bank account.
You will have no idea what’s going on.
So they are after your money and they are also after your clients’ money. You could affect someone else with that email you sent out, and that’s what they are after.
They are also after trade secrets and intellectual property.
Intellectual property is a really tricky one, because we all have intellectual property, whether it is my tax file number, which is my intellectual property and my personal information. That is critical to what the criminals are after.
We have credit cards, so they are after that information too.
But trade secrets also include things like you being on a tender and having a specific price list that you use for that tender. That is great as long as it is kept secret, but the moment that secret gets to your competition, they are going to undercut you.
Not only are they going to undercut you, but they are going to offer different services that make your offering look bad. So when you are tendering, it gets to a point where they will do something else.
But more importantly, the cybercriminal is after your technology.
For instance, you have got a website with lots of people visiting. That website is a target, so those visitors can be infected and carry it back to their own systems.
Also, your smartphone, if you get a virus on your smartphone, then you also have a problem of what that smartphone has access to, such as apps, chat, social media, all of those sorts of things.
Once again, they have got hold of your technology.
The moment someone else is in control of the technology that you own, it is no longer yours.
Also, they have access to your people.
So you have clients, friends, and relations, and those are people they are always after as well.
The biggest way the criminals get in is through spam. And spam can be innocuous; it can have nothing in it. But if I am a make-believe hacker, doing everything a criminal can do, I can send out a million emails.
Now, out of those million emails, 900,000 might get caught in spam filters. The 100,000 that are left go to a desktop, and someone opens them. By opening them, they are now exposing themselves to the chance that they are infected.
That’s where phishing comes into it.
Phishing is actually sending out things like links that go back to a website that is infected with malware. That infected website can be managed by the criminal or the criminal gang, or it can be NBC News, for instance, that has been hacked by people who are pulling visitors back to it. So you have to be very careful where those links are going.
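Being careful where a link goes can be automated. The following is an added example for this point, written by the editor and not code from the talk. It parses an HTML email, and for every link it checks two things: whether the domain shown in the link text is the domain the href actually goes to, and whether the href host is a bare IP address. The sample message, the lookalike domain under the reserved .example suffix and the 203.0.113.45 test address are all constructed for the demonstration.

```python
"""Check the links in an HTML email before anyone clicks them.

Editor-added example for the phishing discussion; not code from the talk.
The sample message below is constructed and uses only reserved addresses
(RFC 2606 ".example", RFC 5737 203.0.113.0/24). Two checks:
  1. the visible link text names one domain but the href points elsewhere
  2. the href host is a bare IP address rather than a name
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# a domain-looking token inside the link text, with or without a scheme
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _norm(host):
    """Lower-case a host and drop a leading 'www.' so both sides compare fairly."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html):
    """Return [(href, reason)] for every anchor that fails a check."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname or ""
        if _IPV4.match(host):
            findings.append((href, "raw IP address host"))
            continue
        m = _DOMAIN_IN_TEXT.search(text)
        if m and _norm(m.group(1)) != _norm(host):
            findings.append((href, f"text says {m.group(1)} but link goes to {host or '(no host)'}"))
    return findings


# Constructed sample: a parcel-delivery lure of the kind the talk describes.
SAMPLE_EMAIL = """<html><body>
<p>Australia Post: we were unable to deliver your parcel today.</p>
<p>Track it at <a href="http://auspost.com.au.parcel-status.example/track">www.auspost.com.au</a>.</p>
<p>A refund is waiting: <a href="http://203.0.113.45/refund">click here</a>.</p>
<p>Help: <a href="https://example.com/help">example.com/help</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link is the classic trick: the text reads www.auspost.com.au, but the host is auspost.com.au.parcel-status.example, so the real domain is parcel-status.example. The check compares the whole host name rather than just the last two labels, which matters for .com.au addresses. A hacked legitimate site, the NBC News case, passes this check, so it catches lookalikes and not compromised originals.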
But the more important one and the most dangerous one is the spear phishing email.
Spear phishing takes in all the other stuff, spam and phishing, but what it also takes into account is that the people sending that spear phishing email have done a bit of research on the Internet.
They know who you are. They know who your contacts are, or who you work for.
They know what you are interested in, because you have been saying things on Facebook, LinkedIn or Twitter. So they will target an email specifically at you.
For instance, you are an SQL administrator and you have been invited to speak at an SQL conference coming up. If you receive that, it puts your ego over the top, but there is also a 99% chance of you going, oh shit, I will click on that. And then off you go; you have been compromised.
But the criminals also get in because of our stupidity.
How often do you see your computer come up and say update, please install? Updates, please install. Again, the criminals are actually looking for people like you, because an old and unpatched system has the vulnerabilities that those phishing emails and spear phishing emails are actually targeted at.
Even if you get a spear phishing email, and a very technical one, if it is targeting a system vulnerability that has since been patched, then even though you click on it and it tries to install itself, it can’t do anything, because the vulnerability it was written for is no longer there.
So we have to keep our systems patched.
The other one is social media. We are all on social media in today’s world. Now, social media might just be looking at Twitter every now and again. If you have a look at the slide that I put up here, these are the posts that came through on my feed, and I follow a large number of weird and wonderful people, like a lot of other people do.
But two of those tweets that came through are actually cybercriminal phishing social media posts. So they are after everything and anything they can get.
But as I said before, when they are doing social engineering to come up with the spear phishing email, they have had to look at who you are, what you are, who you know to get to a position where they can then go forward and say we can target you.
But social engineering is used for other things as well. Social engineering a couple of years ago, like 10 to 15 years ago, used to be that a hacker would get on the phone and ring up. And this happened recently. A hacker got on the phone, rang up Tesla, for instance, and said we need to change your phone number because the one on the website is wrong.
So he got on to the telco, changed it, and everything that followed from that social engineering contact made Tesla’s life really interesting for three days. And that is really how they do it. Don’t forget that they have got no conscience. They are only after what they can get and how much damage they can do.
But one other critical component of the digital world is that the bad guys do scans. And those scans are really important for finding out A) what the vulnerabilities are on your system, B) how they can exploit those vulnerabilities, and also for taking you to the next level of how they are going to target you.
They go and find www.thisisme.com, for instance. They scan that website and find it has got vulnerabilities. They have a look at the website itself and do a bit of social engineering. Who is the CEO, board members? Who is important? What do they do? Why do they do it?
They then go back and do other components of a cyber-security hack, and this is how they get in. Don’t forget they are persistent. They really are persistent. They try anything and everything because they only have to succeed once. We have to succeed all the time. They have to succeed once.
So how do you know if you have been attacked? We have all seen it, and there are telltale signs. The telltale signs are usually things like your computer slowing down or your computer stopping. Anybody ever have an Android device just stop working? It has probably been hacked.
But on top of that, it not only slows down but in some cases it can stop. If it stops, [unclear 0:16:22], or you can start noticing that there is a large amount of traffic coming out of your device.
I have got a friend who downloaded an application from Google that was supposed to make his computer a lot faster. He went through 2 gig of uploads from his system in three days, and this is exactly why: the criminals were after him.
So how do you know if you have been a target? The other thing: if you are scanning the Internet for your business name, what you do, your services and your products, then there is also a chance that there is chatter about it. You should be doing this for your marketing and help desk anyway, because you should see it whenever someone mentions your business name in a post.
But on top of that, if you are doing Google Alerts, don’t forget the bad guys are using chat, blogs, and YouTube. They are also after information about who they are going to target next, and some of the criminal gangs, when they want to target someone, will send out a broadcast to everyone and say we are going to target these people on this day and this is what we want you to do.
They don’t have to do anything so nasty that it is noticeable, but they can run a DoS attack, for instance. While that DoS attack is going on, the real bad guys are coming in underneath it and doing a lot of other damage.
Going back to the phishing emails, who has ever heard of Cryptolocker? Cryptolocker is something that has come out recently, in the last two years.
Cryptolocker is an email that comes from someone you would least expect it to come from, but who has a lot of credibility: FedEx, Australia Post, the Australia Taxation Department. It usually says you have a refund, or they are trying to deliver something to you; please click here to find out what is going on.
And the moment you click there, it comes up and goes like this. That is what it says. That little sign means it has now encrypted all of the information on your PC, the information that you thought was so valuable that you had not even done a backup.
Now you have to restore from a backup, because getting past Cryptolocker is relatively difficult. You will have to talk to your antivirus people. Don’t forget that antivirus is a stop-gap measure. It is not set and forget, and it is not the be-all and end-all of cyber security. It is a stop-gap measure.
So what do you do if you have been attacked? Say you have got Cryptolocker on your machine. From here, you have three alternatives. One, you can clean it. Hopefully you have got an antivirus that has the encryption piece so it can decrypt what is on your hard drive. Or you just hope for the best and pay the ransom.
Most people who have been producing Cryptolocker are relatively honest, and they will send you the encryption key after you have paid for it.
But once you have done that to your machine, you need to make sure that everything else in your office is clean as well. This is very important, because if you don’t do that, some malware automatically infects anything on your internal network, so you have to scan the rest of your systems.
The way to do that is literally to go through the network, run a scan on each machine, make sure it is clean, and put it back on the network. That is the only way of making sure it is secure.
What we do suggest is that if you get a virus, you cannot always be sure that you have got all the bits of it. Malware can be notoriously bad and installs things like key loggers, which track what you are typing on the keyboard. That is also very important.
So the best thing you can do if you have had a virus or have been infected with malware is blow the whole thing away and start again. Rebuild it from scratch. This is where a lot of small businesses forget that you need things like your software keys. You need your software. You need your user logins and passwords. All of these things are really important in case you have to blow away your computer.
Then, after you have rebuilt it, you restore from backup. And I hope for your sake that you are doing regular backups.
And then, once you have done that, you have got yourself all clean. Everything has been reinstalled. Change all of your passwords, and change them to complex passwords: more than nine characters, using letters, numbers, symbols and capitals.
On top of that, make every one of them unique. Unique means that if I go to Facebook, it is a different password. If I go to my bank, it is a totally different password.
But as we always say, prevention is better than cure. How do you prevent yourself from being attacked? One thing: no system is 100% secure. We have even seen places that have an air gap compromised. This was shown in a seminar recently in Las Vegas: you can actually compromise a computer that is not attached to a network. Now that is pretty scary stuff.
There are four areas that you really need to implement when you want to secure your business and your organization. You need to worry about the technology. We have already talked about antivirus, but antivirus is only a part of the process and technology that we are going to be talking about.
You need a firewall, and not just any firewall. It is no use using a firewall that you can run down to your local retail shop and buy. Yes, they connect to the Internet, but they need to have a thing that we call unified threat management.
Unified threat management looks at email coming through the system, your web practices, and applications, to make sure they are correct. All of that is really important.
We then also have to worry about things like wireless. Have you got a wireless connection? Is that wireless connection on your main network? And if it is on that main network, what are you doing about it? That is also really important.
And VPN: if you have got people coming into your business externally, how are they doing it? One of the things we recommend as a business is that if you have got a VPN connection, it should be on a dedicated network outside your network, and the only way into your network is to VPN from that wireless connection into your network. Really secure. Does the job.
And that brings us to network topology: making sure that you have those two networks and they are separate. That makes it a lot easier for you to manage as well. One of the big things that we talk about nowadays is encryption.
Encryption is something that people say is too difficult and too much overhead on the operating system. I think I would rather have the operating system be a bit more overworked than have someone steal all my data and then have [unclear 0:25:03] when it gets out of the network.
And this is where encryption comes in. Encryption should be such that anything travelling across your network or the Internet is encrypted so nobody else can read it. But if that information is in a database in your business, then that also needs to be encrypted, especially the critical fields within that information.
Also, as I spoke about earlier, patch management. Patch management is really, really important for everything that you have in the technology world: patches for the system on your laptop, for your firewall, for your antivirus, for your network, so that everything is updated regularly. You have to make sure of that.
So that is the technology of the system, and a holistic system needs other components as well. We need a management component. A management component consists of making sure that management knows what is going on.
So you have policies, procedures and processes, the three Ps. They are very important for a small and medium business to understand why they are there. Policies tell people what they are allowed to do and what they are not allowed to do. You know that your marketing people need access to Twitter and Facebook, and the accounts people need access to the bank.
But what about the rest of the people in your business? Are you going to restrict them from going to Facebook and wasting your dime by using your time to get to where they need to go? Are you going to put restrictions around it?
You need processes as well. Processes tell someone what to do. You get John Doe off the street, you stick him into the Accounts Payable section, and these are the processes that you need to nail down, because they have already been mapped out for him. It is also part of your quality system.
And the procedures: I want to build a laptop. How do I do that? I have got to get the CD out of here and put it in there. I have got to run these and do that. I have got to install that. All of that is part of the procedures.
With all of those in place, you can then look at what is happening on the network and what’s happening inside your business. You can do an audit. With auditing comes a report, and with a report you can now make management decisions based on fact.
Normally you would say no one gets a good idea, but this is a good idea and these are the reasons why. We need to update our server, or we have got to move to the cloud, or we have got to do something, and the report will tell you why.
One of the big things that we promote is getting people to understand that education is really important. If I educate the people in my office to protect themselves, a knock-on effect is that they will protect the business, because they will know that they have to use complicated passwords.
They will know that email is a broadcast medium. They will know the dangers of what happens on the Internet. So they won’t endanger your business by doing anything stupid at that level.
It also means training. You put in a Cisco firewall; it is no use if no one understands how Cisco works. If you put in a FortiGate firewall, same problem. Different operating systems, different commands; someone used to FortiGate has trouble with Cisco, and someone used to Cisco has trouble with FortiGate.
That is really important going forward, but one of the most important things you can do as a business is risk management. What is the risk that a scan will get through the firewall? The risk of getting through a firewall that has been supplied by an ISP is pretty high, because there is nothing smart about that system: it is not looking at the information coming in and out, and it is not doing anything with it.
Whereas if you have got a UTM firewall, it is looking at what is going on: what traffic is going backwards and forwards, where it is going and how it is going. With malware, you have command and control. Command and control has to go through your firewall, and it has to go to a specific point and port, so if you know that, you can do something about it.
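Knowing that command and control has to cross your firewall to a specific point and port is only useful if something looks at the egress log. The following is an added example by the editor, not code from the talk, covering this point and the earlier one about a machine that pushed 2 gig of uploads in three days. It runs three checks over outbound firewall records: connections to ports outside an allow-list, flows that beacon to one host and port at near-constant intervals (the check-in pattern of an implant), and hosts whose total upload volume is out of proportion. The log format, the thresholds and all the lines are constructed for the demonstration; the addresses are RFC 5737 test ranges.

```python
"""Three egress checks over outbound firewall log lines: destination ports the
policy does not allow, regular beaconing to one host:port (command and control
check-ins), and hosts uploading far more than they should.

Editor-added example; not code from the talk. The log format, the thresholds
and every line below are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ALLOWED_PORTS = {25, 53, 80, 443, 587, 993}        # assumed egress policy
UPLOAD_LIMIT_BYTES = 500 * 1024 * 1024             # assumed per-host ceiling
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """'2024-05-01T08:00:00Z src=... dst=... dport=... bytes_out=...' -> dict."""
    stamp, rest = line.split(" ", 1)
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def unexpected_ports(records):
    """Flows to ports outside the allow-list; a C2 channel on 4444 or 8443 shows up here."""
    return sorted({(r["src"], r["dst"], r["dport"])
                   for r in records if r["dport"] not in ALLOWED_PORTS})


def beacons(records, min_hits=5, max_cv=0.1):
    """Flows whose connection intervals are almost constant.

    Human browsing is bursty; an implant checking in every N seconds is not.
    The coefficient of variation (stdev / mean) of the gaps captures that."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((key, round(avg)))
    return found


def heavy_uploaders(records):
    """Hosts whose total bytes_out exceeds the ceiling (the '2 gig in three days' case)."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes_out"]
    return {src: n for src, n in totals.items() if n > UPLOAD_LIMIT_BYTES}


# Constructed log: one beaconing host, one odd port, one bulk uploader, plus normal browsing.
LOG_LINES = [
    "2024-05-01T08:00:00Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1200",
    "2024-05-01T08:10:03Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1180",
    "2024-05-01T08:19:58Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1210",
    "2024-05-01T08:30:01Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1190",
    "2024-05-01T08:40:00Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1200",
    "2024-05-01T08:49:59Z src=10.0.0.15 dst=198.51.100.7 dport=8443 bytes_out=1205",
    "2024-05-01T08:02:11Z src=10.0.0.15 dst=198.51.100.50 dport=443 bytes_out=48000",
    "2024-05-01T08:05:40Z src=10.0.0.15 dst=198.51.100.50 dport=443 bytes_out=9100",
    "2024-05-01T08:31:07Z src=10.0.0.15 dst=198.51.100.50 dport=443 bytes_out=22000",
    "2024-05-01T08:33:15Z src=10.0.0.15 dst=198.51.100.50 dport=443 bytes_out=3100",
    "2024-05-01T08:58:02Z src=10.0.0.15 dst=198.51.100.50 dport=443 bytes_out=61000",
    "2024-05-01T09:12:44Z src=10.0.0.22 dst=203.0.113.9 dport=4444 bytes_out=512",
    "2024-05-01T02:10:00Z src=10.0.0.31 dst=198.51.100.20 dport=443 bytes_out=900000000",
    "2024-05-01T03:40:00Z src=10.0.0.31 dst=198.51.100.20 dport=443 bytes_out=800000000",
    "2024-05-01T05:05:00Z src=10.0.0.31 dst=198.51.100.20 dport=443 bytes_out=450000000",
]


def analyse(lines):
    """Run all three checks and return their findings together."""
    records = [parse_line(l) for l in lines]
    return {"ports": unexpected_ports(records),
            "beacons": beacons(records),
            "uploaders": heavy_uploaders(records)}


if __name__ == "__main__":
    for name, result in analyse(LOG_LINES).items():
        print(name, result)
```

The beaconing check is the one a port allow-list misses: the bulk uploader here talks on 443, which any policy permits, and a C2 channel on 443 would pass the port rule too. Its ten-minute check-ins with a few seconds of jitter still stand out against the bursty browsing to the other host on the same port. A real deployment would tune the thresholds per network and feed the results into whatever the UTM firewall can block.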
The third part of our holistic attitude to cyber security is adaptability. You have to be able to adapt. Adaptability looks at things like your business continuity. Have you got a business continuity plan?
What happens if water from a flood starts coming in under the door? What is our next step? What happens if my marketing manager wins the lottery for $5 million? You have just lost your marketing manager. How is your business continuity going to work?
On top of that, you are looking at disaster recovery. Now both disaster recovery and business continuity are tick boxes. Have I done this? Have I done this? Have I done this? Really important stuff, but there is no human control over it.
The next thing you need to worry about is whether you have got a backup. Where is the backup going? What is the best product for it? How fast can we recover? How fast can we restore? Have you got an onsite version as well as an offsite version? Is the offsite version every 24 hours and the onsite version every 15 minutes? Those questions are part of your risk management component.
Also, make sure of the way you are storing it. Are you putting it on tape, on a USB drive, in the cloud? Again, just making sure.
So we have got all the things that we have already done, but best practice is a component of that. Cisco brings in a system, and they will say the best way to utilize this system is this. That is a best practice. The best way of setting up your cloud CRM is this: best practice.
Because those rules and regulations that the designers have put together are designed to use the system to its full potential, and that is very important if you are going to buy a $10,000 router and you don’t know anything about how to put it together.
As I said before, business continuity, disaster recovery are tick boxes. Have you done this? Tick, tick, tick. Resilience and culture, on the other hand, is totally different. Resilience and culture is how your business runs, the people in the business.
If the people in the business are really, really good at what they do, they will come up with really, really good ideas about where you want to go and how you want to take the business. Don’t disregard their ideas, because those people at the coal face, if they have to spend an extra two minutes doing a sale, are going to get really annoyed, but they will know a better way of doing it.
That is where the culture and resilience comes into it. Of course, on top of that, you have your compliance. Compliance is one of those things that we are forced to do, as a small business, meaning a for-profit organization, and as a huge organization, because we have to comply with certain regulations.
If I take money over the Internet, I have a compliance component that means I have got to make sure that things are safe. And because we have done the other stuff in the background, if we have done the technology and the management, we already have 90% of the compliance component done.
Now, if you have done that and someone comes to you and says these compliance regulations are X, X, X and X, what have you done? You can say we have that, that and that in place, because you have already thought about how you are protecting your business, rather than we have to comply with a regulation, so let’s go and do it all. You are looking at a holistic change in attitude.
Part of the compliance is also a thing called penetration testing. A penetration tester, or white hat, will come into your business and attack the areas that a true hacker would attack. They will do the scans. They may even do a bit of social engineering. They will do a bit of research on who you are, what you do and why you do it.
An experiment was done at Columbia University about four years ago, where what they wanted to do was use Facebook and a local regional airline to get to a point where they were managing the airline and nobody else was involved. The professor called off the experiment when one of the people sent a tweet to these people saying hold the plane, I am delayed half an hour, and they did.
That’s when he stopped it. Now that is what social engineering can do. That is really important to remember as a small organization.
Finally, as I said, this is not rocket science. This is a really basic understanding of what the criminals are doing and why they are doing it. Why are they trying to get access to your systems? Why are they trying to get access to your money? Why are they trying to get access to you as a person?
Digital security and cyber security are not set and forget. One of the big things that we always say is that it is not set and forget. Your job, if you put antivirus in, is to update it and make sure that the systems are up to date with the newest version available.
Also, things like: if you have got antivirus in, are you doing a regular scan? People don’t like doing regular scans. The reason they don’t like doing regular scans is that when you do a regular scan, once a week on Monday morning or night or whatever, it is using the newest update of the antivirus to look at your system from a different perspective than the one it had when the file was actually loaded onto the system.
That may not seem like much, but if you have got malware on your system, and this happened to me recently, and it got there via a zero-day exploit, then when the patch has caught up and the antivirus has caught up, you will see that you have had malware on there.
You can go back to when that malware was delivered to your system and look at what has happened since. So don’t disregard doing a regular scan. But it also concerns things like making sure you have antivirus, a UTM second generation firewall, business policies and procedures, and that your patch management is managed properly, so there is no chance that an unpatched Android device or an unpatched laptop is connecting into your network.
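The value of the regular rescan is that a signature which arrives today can catch a file that landed weeks ago, and the file’s timestamps then tell you how far back to look. The following is an added example by the editor, not code from the talk: it walks a directory tree, hashes every file against an updated blocklist, and reports the date each hit appeared and how many days it has been sitting there. The files, the "dropper" body and the blocklist are all constructed in a temporary directory so that it runs offline; a real run would take the blocklist from the antivirus vendor’s latest update.

```python
"""Rescan a tree with an updated hash blocklist and report how long each hit
has sat on disk.

Editor-added example for the regular-scan point; not code from the talk. The
files and the blocklist are constructed in a temporary directory so the
example runs offline."""
import hashlib
import os
import tempfile
import time
from datetime import datetime


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, blocklist, now=None):
    """Return [(path, first_seen, dwell_days)] for files whose SHA-256 is in blocklist.

    first_seen comes from the modification time: for a dropper written by an
    exploit that is roughly when it landed. mtime can be forged or preserved
    by a copy, so cross-check it against creation time, logs and backups
    before building a timeline on it."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if sha256_file(path) in blocklist:
                mtime = os.path.getmtime(path)
                hits.append((path, datetime.fromtimestamp(mtime), (now - mtime) / 86400))
    return sorted(hits)


def build_demo(root, now):
    """Write one benign file and one 'dropper' that landed 12 days ago; return the blocklist."""
    # constructed sample bodies; the dropper is not real malware
    dropper = b"MZ\x90\x00 constructed sample dropper body, delivered via a zero-day"
    report = b"quarterly report, nothing to see here"
    os.makedirs(os.path.join(root, "downloads"), exist_ok=True)
    bad_path = os.path.join(root, "downloads", "invoice_2024.pdf.exe")
    good_path = os.path.join(root, "report.txt")
    with open(bad_path, "wb") as f:
        f.write(dropper)
    with open(good_path, "wb") as f:
        f.write(report)
    landed = now - 12 * 86400
    os.utime(bad_path, (landed, landed))          # simulate the delivery date
    # the signature for this sample only arrives with "today's" update
    return {hashlib.sha256(dropper).hexdigest()}


def demo():
    """Build the tree, rescan with the fresh signature, return the hits."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        blocklist = build_demo(root, now)
        return scan(root, blocklist, now)


if __name__ == "__main__":
    for path, first_seen, dwell in demo():
        print(f"{path}: on disk since {first_seen:%Y-%m-%d}, {dwell:.1f} days of dwell")
```

On the first scan, the day the file landed, the hash was not in the blocklist and the file passed. Twelve days later the updated blocklist matches it, and the dwell figure is the window the incident response has to cover: every login, upload and backup since that date is suspect, which is exactly why the earlier advice is to rebuild rather than clean.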
On top of that, you are educating your people so that every time a PC comes up and says you need to patch your system, instead of going I am not going to do that, they go yeah, I will do that, no problem, I will make a cup of coffee while it is doing it.
The other thing you can really do is set up [unclear 0:38:34], making sure that what the bad guys out there are doing, and what is happening in your business, is visible as well. Also, if you have got someone internally who has got a gripe and they go bitching and griping on the Internet about your products and services, you may not know about it until it appears on an Alert.
So if you want more information, I have two books out. One, Cyber Crime, A Clear and Present Danger, is available as a hardback and as an eBook download; you don’t have to pay for either. The other one is the Basics of Information Security, which is a free book available from our website, and that is the link you can download it from.
If you are interested in more information, just send me an email, or you can follow us. We have got a fairly substantial and rigorous area that we work in, so we are quite happy to give out all the information.
We also run webinars and seminars. Webinars we run on Google Hangouts, and if you follow us on Google+, you will automatically get the invitation. We also run seminars, monthly in Sydney, Melbourne and Canberra, and quarterly in Adelaide, Perth and Brisbane. Those seminars are four hours long, breakfast is included and parking is usually free, but the idea is to make sure that you understand that a holistic attitude is quite important and how you can get to it.
If you go to that link there and jump on the forums, just pick whatever city you want, and when it comes to having the seminar we will send you an invitation. If you do that, you get a 50% discount, which is about $250 to $275 off.
Thank you very much.