#ExplainIT – Cyber security

Harley: Welcome to another episode of ExplainIT by activIT systems. I’m Harley Mitaros and together with Steve Edwards and for the first time, Matt Rutter, our cybersecurity expert, we’ll be presenting the latest episode of ExplainIT; all about – you guessed it – cybersecurity. Now “cyber sec” as the cool kids call it has really jumped at the start of 2020 with the whole COVID-19 pandemic and what that’s brought for business, so, in a technical sense, Matt can you tell us what a cyber attack exactly looks like?

Matt: Yeah absolutely, thanks Harley. So cybersecurity is a very broad concept. I guess if we just dive down to like just the technical aspect, I guess there’s a couple of, two main things that we’re looking at. You’re looking at a vulnerability that someone exploits, or a business email compromise, that’s a common one. The end result of a cyber attack is going to be data exfiltration, so you’re going to have compromised data or you’re going to lose access to your files through ransomware, resulting in quite a hefty fee to try to get it unlocked. And that’s a very simple technical view, obviously we can dive down a lot deeper into it, but yeah that’s just a broad overview.

Steve: Yeah actually one of the main problems which stems from it is, you’ve got two angles. You’ve got business interruption; whilst the attack is kind of underway and being resolved, you’ve got this business that can’t operate very well or if at all. And then on the flip side you’ve got to try and identify “okay, has my data been exfiltrated, do the bad guys have a copy of it, what do they know that they shouldn’t”. So there’s a lot of things that need to go through a business owner’s kind of mind very very quickly, and it’s not very straightforward.

Harley: Yeah we just spoke about the bad guys and what they can do, and one of the words that just came up was ransomware. What is ransomware exactly?

Matt: Yeah so ransomware is basically where, through encryption, your files will become encrypted and you’ll lose access to it, and you’ll get, a very strongly worded note will appear on your computer basically forcing you to pay up in most commonly bitcoin to get access to your files. And it almost always comes with a disclaimer that says you know, “if you don’t pay we’ll delete your data” and you know you can lose you know years’ worth of historic data. Or alternatively it will suddenly find its way into the internet and the whole world will have a copy of it all of a sudden.

Harley: And that’s the dark web, is that right? Where the bad guys tend to hang out?

Matt: Yeah correct that’s it yeah, hanging out on the dark web. I also find that you know once, once it’s public, you know anyone can have access to it. So business reputations are on the line quite early on.

Harley: Yeah absolutely and that’s, that’d be absolutely crippling for a lot of businesses. And Steve surely a lot of businesses when they hear stuff like this that’s so harrowing, they think “surely they’re just targeting the big boys, like my little business, my hole in the wall in Subiaco or in Midland – surely they’re not targeting me. I’m just a small fish”. What would you say to that?

Steve: You’re wrong is what I would say [laughs]. No, I say, so pretty much that we come across that kind of mindset quite often in small-medium business owners and managers where, because they’re not a massive enterprise or a huge business with thousands and thousands of staff, they think that their business is too small to be a target for the bad guys, which is is entirely not the case. So pretty much 24/7, every day of the year, businesses are under attack, and it’s not people which are attacking them – it’s robots and programs looking for these weaknesses, seeing if they can connect the dots, checking for the ‘doors unlocked’ that we’ve spoken about in a previous episode. Once one of these robots or programs finds that there is a bit of a door that’s unlocked, then it flags a human, and the human being the ‘bad guy’, they start digging a bit deeper. That can happen to any business regardless of size, so in the media recently there’s been some pretty huge cyber incidents. With Lion, the beverage company – they got hit twice I think towards the tail end of April and start of May. Garmin just got hit the other day, which was a huge huge compromise, and I think they were being ransomed for about 10 million dollars – it’s pretty substantial dollars you know, and they were offline for five days. But earlier in the year, late last year, Travelex the foreign exchange company – they got hit, their main website was down. As far as I believe, the Travelex agents throughout the airports, they couldn’t actually do any foreign exchange using the computerised systems, they all had to revert to manual process and they were interrupted for about 45 or 50 days, so it’s pretty substantial.

So they’re the big side of things, you know, the big end of town where you do hear about it in the media because it is such a you know impactful incident or an event. But what about the smaller business with you know maybe 50 staff or 5 or 10 staff? They’re still just as vulnerable to get hit, and they’re not really going to be having things like dedicated cybersecurity budgets, you know, teams of people you know trying to to prevent cyber incidents from occurring, and in many respects they’re the easier target. So if you think about you’ve got one small business or 10 – sorry if you’ve got one large business, a couple of thousand staff, money they’re spending on it, investing to protect themselves – or 10 or 100 smaller businesses who aren’t really doing too much, it’s going to be easier for the bad guys to target 100 small businesses and they probably get through to 10. The bad guys are very smart, they’re not going to spend all their time on one hard target when they’ve got many other small ones to have a go at.

Harley: Definitely. One of the things I heard you say was 50 days. 50 days for a business to be out of their systems, and you’ve got Travelex people writing down things on notepads, and that’s unbelievable. I mean if I was a business owner listening to this I’d be thinking “what would happen if I didn’t have my files, my systems, for 50 days?” It’s a month and a half for those who uh, who need the math to be done for them, it’s harrowing.

Steve: Pretty much, yeah. There was a recent report that came out earlier in the year where a company, they surveyed I think it was like four thousand, five thousand different businesses all different sizes around the country. And the info that came back from IT managers and business owners, that after there had been a cybersecurity incident; the time from [when] the incident was first detected until they got the green light to resume operations was just under 14 days. So you can imagine you know small small-medium business being offline for two weeks until they’ve got the green light to continue on – a lot of places can’t survive, you know it’s it’s pretty much doom and gloom at that stage.

Harley: Jeez. But there is hope, and that’s why we’ve got Matt on the show here, and we talk to an IT company, which is cybersecurity or cyber sec as we said before [aware]. So Matt, do you want to give us a little insight into what cybersecurity is and how it combats something like ransomware and cyberattacks?

Matt: Yeah absolutely. So when we talk about cybersecurity, where you’re taking the traditional IT security that extra step further. So your general IT security is your basic locking down of servers, you know make sure everything’s configured correctly. The cybersecurity aspect is the more analysis into what’s going on, being aware of what active threats are out in in the wild at the moment, and making sure that our environment or our client environments aren’t susceptible to these level of attacks. We’re doing things like analysing passwords to see if they’ve been compromised, you know the ways to to to run it on your what’s called your domain controller, and see if any of those passwords have been breached, and then we’re proactively getting clients to change those passwords. So we’re, you know, trying to stay ahead of those hackers as much as we can to try to minimize the exposure for our clients.

Steve: Yeah and following on from that, there’s a very, there needs to be a good mindset shift that goes on, where you’ve got, you’ve basically got your traditional IT security – been around for 20 odd, 30, 40, 50 years for example. It’s all, that’s really about protecting your business and your systems from yourself for the for the most part. But what’s happening in the last 10-15 years is the threat from external attack is increasing. So when we’re talking about from a cybersecurity perspective, a large part is, what preventative steps or measures or actions can you take to minimise that risk that’s coming through? So Matt looks at it on a very kind of technical level and we can get extremely, extremely deep. I tackle it from more of a like a mindset and management level – you’ve got to have the management on board and promoting a good cybersecurity culture amongst the team, then that’s got a trickle-down effect to the rest of the like the staff throughout a company. But yeah there’s two elements; there’s the technical side which is really important, you can stop a lot of things happening but not everything, and then you’ve got the human side where you can help people make better decisions, excuse me, better decisions surrounding “should I click on that link?”.

And if they can make the correct decisions that says “no I’m not going to click on it” – that’s great. If they do click on the link, you know maybe they’re having a bad day, not had enough coffee in the morning, they click on the link – then we’ve got the technical side of things where the bit of software can interpret what’s going on and go “hang on, no no no you shouldn’t be clicking on that this is actually a fraudulent link”. So there’s many different layers to it and it’s all about having that preventative mindset. Because you’re under attack the whole time pretty much, every every minute of the day.

Harley: Yeah definitely I think a good way to actually find out how under attack you are is to simply open your junk emails every now and then, and you can sometimes just see a whole barrel of them that Microsoft picks out – but some get through.

Steve: Yeah correct and I suppose – there’s very interesting studies done, but I’ll just quickly jump in Harley, and then I’m going to handball to Matt on it where we talk about honey pots a little bit, which is a bit of a technical kind of kind of idea. The idea is that you set up a system – larger businesses kind of do it quite frequently – set up a system that you want to be breached so you can keep an eye on what the bad guys are doing. Matt was telling me probably a couple of weeks ago of a a study or report that he was reading, that they set up a new honeypot and it got breached very fast.

Matt: Yeah that’s it. So a couple of researchers spun up what’s called an RDP server just to kind of test what happens to it. And within about five minutes of this server being online there was basically brute force login attempts happening. So all it takes is you know delaying your implementing of the correct security measures and you could be breached before you know it. And there’s another stat that came out and said most, most of these threats will get onto your network and they’ll hang around for about 100 days before they actually do anything. So it’s 100 days of them looking through emails, looking through data, working out how things work or trying to pivot to other resources on your network before they actually you know do the encryption or start copying data and get detected. And it’s just crazy how quickly you know these things happen.

Harley: Yeah it could be really scary, and one of the more harrowing stories that I’ve heard, and correct me if I’m wrong here, but sometimes they can listen to your emails, work out the tone in which you write and when an invoice is about to be sent they’ll say “actually, send them to these details” from the email address that is actually your colleague’s email address and you won’t even know it came, they won’t even know it came from their own email. Is that correct?

Matt: Yeah that’s spot on, it’s happened many times before so you know, these ‘threat actors’ as we call them will, you know, potentially guess a user’s password to an email account and they’ll log in and they’ll just watch emails coming and going, like you said learn the tone of voice, the communications, and then just when you know, just when they’ve got enough information they’ll you know, input themselves into the middle and they’ll send the email on behalf of the user. And then they’ll, you know, they’ll delete all the sent items so we can’t track it.

Harley: Wow. That’s scary. That – for a business, not knowing that someone’s in, inside your house and does something like that?

Steve: Correct yeah, and that opens up a lot of other implications there on after as well. So if you can imagine, let’s say you’ve got these bad guys within your corporate network for a hundred days, so that’s a tick over three months, they’re sniffing around on emails. What other data are they actually accessing, and are they exfiltrating this or copying out of your system and you know duplicating it over to theirs? Does that open you up for things like compliance with the mandatory data breach notification laws from the Australian government? That’s part of the privacy act that came through a few years ago. What if they’ve managed to get, what if you’ve done something like, you’ve got a list of passwords in an Excel document or a Word document – which you would think is a bad idea, but you’d be surprised how many times we see that, you know over the course of of our roles. We always shake our heads and what-not, but imagine if that kind of document was exfiltrated off of your network without you knowing, and it had maybe the passwords to your clients in it, or things like that. And then they might ransom you for that information or basically are trying to extort you for it, and if you don’t pay up they might release it to the dark web or inflict damage on those parties that you’ve just given away their data for. So there it can have like reputational kind of consequences there on after, yeah.

Harley: That’s, that is very very scary. So we will take you back to the term you use Steve, and that was “doors left unlocked”. People leave these doors unlocked, and if you’re a business owner obviously most businesses that are listening to this probably haven’t experienced something yet or haven’t been in this situation. So how can they lock these doors? How can we close these doors? How can they get prepared?

Steve: Yeah well I can I could pretty much guarantee you and anyone that’s watching that if you have an email address or a website, people are “knocking on the doors” so to speak, looking for ways to get through. 100% guarantee it. Whether or not they’ve been successful yet is just a matter of time. Pretty much they just need to keep trying the different types of doors until they get through. Those doors could be something like you’ve got a bad password in place, or it’s a previously known password, or maybe you’re sharing it with another website that’s just been breached, or you’ve got a vulnerability in your software, or you’ve written down your password and stuck it on a post-it note on your laptop screen or your desktop computer and they’ve walked past and they’ve had a look and seen it. All these different kind of “doors” can be left unlocked and it’s just a matter of time until they kind of get through and find one that is unlocked, and even if they just get a sniff of one that is slightly ajar, they know that that could be a potential way to get through, so that’s called an attack vector. So there’s, and the the problem is these days, it’s very very multi-layered with what they’re doing, so they might get in one way, they’re in your network, but they don’t actually cause any damage once they’re in – yet. They’ll do what’s called ‘pivoting,’ and they’ll just look elsewhere amongst your systems to find out what else they can get a hold of. They don’t always execute – so well, basically they don’t do their malicious work until they’ve got something of value to them.

Harley: Got it.

Matt: So if I jump in there and just in terms of that in terms of like you know, these yeah knocking on the door, trying to get passwords. You always hear about these – the big data breaches so LinkedIn got breached a couple years ago, and as a result of that, all these passwords got copied. So if you happen to use the same password for your LinkedIn account as your work email, you basically, your password is now open and exposed on the internet, and these are the passwords they use to try to get in. So I guess that’s another attack vector like Steve mentioned, is when you use the same password for public services like LinkedIn and Facebook as your work email, you basically you leave the door unlocked as such.

Harley: Got it.

Steve: Pretty much yeah, and we could – how much time have we got? We could go on for hours.

Harley: Absolutely. So how do we – so we’re talking passwords there, surely what we’re talking about to close those doors is have different strong passwords. Is there anything more they can do than that?

Matt: Yeah I mean definitely. so multi-factor authentication will be the, I guess the easiest thing to do, which will secure a lot of your logins, and use something like a password manager is probably the biggest one. So you know you want different passwords for every application, obviously it’s impossible for us to remember all these passwords. So using like a password manager where you can create a completely random text of you know 16 characters long, so that the chance of someone guessing it is very small. It allows you to have different passwords for everything. I guess the important thing with that is make sure that your – the password to your password manager is secured, decent and has two-factor authentication otherwise you’ve basically undone all the hard work you’ve gone through for making it in the first place.

Harley: Yeah that would, that would be pretty bad.

Steve: Yeah it’d be a bit like having – imagine running a cleaning company and having a cupboard full of keys for all of you the places you go and clean, but not locking that cupboard.

Harley: Love it, yeah so just having a master key for everyone so to speak effectively is what you’re doing at the end of the day. That’s obviously something we – that you know is an immediate thing we can all look at immediately, but talking activIT systems, you’re a business that actively comes in and helps a corporation put the walls up. How do you go about that as a business, and part of your service what – as part of your service, how does cybersecurity get included in that?

Steve: Yeah good question mate. So we’ve been in the game for about 15 years now traditionally doing general kind of IT support and service for small medium business, but I suppose in probably the last three or four years, there’s been a pretty substantial shift and emphasis on the cybersecurity component to all of that – as the risk is becoming, is becoming greater, the you know the threat is is continually increasing, and everything’s becoming a lot more complex as well. So the way that we’re tackling that at the moment is we’re going through a lot of education with, with business owners and managers. We can do a lot in a technology sense, but where the biggest bang for, for a company’s dollar is, the biggest bang for their buck is basically getting the people that are already being paid to to work and make decisions – helping them make the correct decisions. “Should I click this link? Should I enter my password here? Does this look a bit suspect? should I report it to IT?”

Getting them to answer those type of questions correctly goes a long, long way in increasing the – what we call the cybersecurity posture or the maturity of an organisation. It’s easily 50% of the threat is from the people within, because they make incorrect decisions. Some people are really tuned in, some people aren’t as tuned in, and until businesses and managers and owners can help help their staff, educate them and increase their awareness, you know, that’s pretty much one of the areas where we’re addressing quite a lot of emphasis on that at the moment. The second part is from a technology sense, there’s a lot of cool stuff that’s going on in technology, and it’s helping it, helping the people make easier decisions. So it’s giving them clues and blocking things, a lot of artificial intelligence that’s getting included in it these days as well. So the technology is great but it doesn’t encompass everything, people need to make better decisions, and they are slowly getting better, but they need education and and awareness and training to help that happen. So we’re tackling it on those two levels. We’re building that into our standard kind of service packages, whether it’s included by default or as an add-on, and we’re getting ready to launch basically a, a stand-alone cybersecurity offering. So that’ll be a great one for if a business has already got maybe an IT manager, maybe one or two kind of internal IT staff, we’ll be ready to go “okay well look, these are the cybersecurity things that we can help you out, you’re obviously busy doing IT stuff, let us look after everything from a cyber perspective” and we can report back to management and help out on that level. Plus a million and one other things that I can’t tell you because the hackers will find out.

Harley: Yeah good move. Don’t show them, don’t show them your cards.

Steve: That’s it.

Harley: Very good tip. And talking of tips, just to round up today – if you’re gonna leave people with one piece of advice, one very quick tip that you think is pretty pertinent to staying on top of your cyberattacks, what would that be?

Steve: Okay Matt.

Matt: Oh that’s a tricky one. One tip – oh well I’d say, from from again from like the the technical aspect, I’d say going back to the passwords, so make sure everyone’s got a strong password in place, use a password manager, it’ll solve a lot of your issues in an instant I guess.

Steve: Yep. But not all of them.

Matt: Correct.

Harley: Good foundation.

Steve: Yeah I suppose from from my and Harley on that that one, it’s it’s multi-pronged. If you’re watching this or reading this and you’re a business owner or manager you need to start taking cybersecurity seriously. There’s been a million reports in the news over the last couple of months; big businesses, small businesses being breached, so you’ve got to start taking it seriously. You’ve got to educate your staff and got to start talking to them about cybersecurity to show that you’re serious about it, you know the culture flows downwards you know in that kind of fashion. And then the other aspect is, if you don’t have cybersecurity insurance, you need to get it like right now, start talking to your broker, and then immediately after that, do everything you can possibly do to never have to trigger that policy. Because once you have to trigger the cybersecurity policy, you’ve already had the bad incident occur and you want to avoid it from happening to begin with. Because if you have to trigger the policy you’re already in a world of hurt, business is going to be interrupted, you might have a lot of other problems occurring so you want to prevent that from ever needing to be triggered. But you need it nonetheless.

Harley: Great advice guys. So firstly password manager, secondly take it seriously, and third get some insurance just in case.

Steve: Correct

Harley: Definitely. Well thanks again guys, that concludes the episode of ExplainIT. Congratulations to Matt on your debut on the show

Matt: Thanks mate.

Harley: Great to have you on, and Steve great to have you here again. Thanks.

Steve: Thank you very much, I’m here all week.

Harley: Awesome. Thanks everyone for tuning in and if you need any details about activIT systems’ services you can head to aitsys.com.au to learn more. Thanks fellas and we’ll see you next time.

Steve: Thanks, Harley.

Matt: Cheers, thanks mate.