(On Demand Webinar) – An overview of organisation protection in the digital world
[Start of transcript]
I’m just waiting for a few people to turn up, just to make sure we get everybody.
We’re broadcasting this on Periscope as well, just to be on the safe side. Let’s see if it works because I think it will be an interesting time to see if we can get this type of thing working.
Today I’d like to talk to you about how a small business can create a better framework for business, so to protect yourself in the digital world and also just to make sure that a lot of things are in place so that you don’t get targeted by not only the bad guys but everything else that is out there. So that’s the aim of the presentation, and hopefully you’ll get something out of it and you’ll be able to go to the next level and improve the security around your business and your organization.
We’ll wait another couple of minutes just for a couple of stragglers that are coming, just to make sure we’ve got everybody, and then we’ll just get stuck into it. You won’t see me. I’ll put up a slideshow that is not that much. I’m not going to baffle you with PowerPoint art, but hopefully we’ll get everybody on the same page when it comes to digital security.
Okay, I’m going to start now.
It’s Complicated out there!
We all know how complicated the digital world can be. No matter what you’re doing on it, no matter what you’re in charge of, no matter what part of it you’re using for your business, it gets pretty complicated pretty quickly. On top of that, if you’re not really careful about what is happening, you then become a target of cybercriminals and cybercrime. What we are trying to avoid is making sure that you are not in there.
Understanding the requirements of digital security
What we’re going to do today is discuss the understanding, the requirements of digital security and just give an overview of what you need to do to protect your organization in the digital world.
Roger Smith – Speaker
My name is Roger Smith. I’m a speaker. I’m also an Amazon #1 author on digital crime. I’m the CEO of R&I Consulting, and I focus on getting everyday users of the digital world to understand the dangers, and take necessary precautions. So my role is to stop smart people making dumb mistakes. That’s what it’s all about.
So this presentation, we’ll just go through:
What the bad guys are after and why we know that
How the bad guys get in and how they target you?
What are the basics of digital security?
Then we’re going to go into the 4 pillars of digital protection and what it means to an organization
Then we’ll talk about getting the right balance and why you need to get that balance involved.
Also then, we’ll just go into other things like you also need to look at the non-digital stuff to protect your organization.
On top of that, at the end of it, we’ll go through what you can do now.
The digital world is used by all of us, literally. Anybody in business in the Western world now has some presence in the digital world, whether it’s just a basic email or it’s a full-blown 3,000 people using a cloud-based system all over America or Australia, in those areas. The reason why we’re going to the digital world, mainly because it’s cost-effective, and on top of that, it is low-cost.
But we use it for everything. Social media, business, networking, search, innovation, R&D. We use it on our websites and we use it for marketing and sales. It is a very interesting balance to make sure that you are—you have the convenience of the digital world but you’re also protecting yourself from the bad guys.
Exponential rise in crime
Originally, crime started with I had something that someone else wanted and they took it away from me. Then in the 1600s, 1700s, 1800s, 1900s, we had a large group of people storing their money in specific places, and that’s where we had the rise of the bank robbers and the places like Jessie James, Ned Kelly, Ronald Beats, because a group of people could steal from a larger group of people.
In 2014, we had the Target hack. It was a very small group of people stole information and money from 34 million people. This is what we’re talking about, the exponential rise in crime. Because at the moment, making sure that you are protected means also making sure that when you give your information away, that is protected as well.
What do they want?
But what do the digital criminals want? What do the bad guys really—why are they doing what they do?
Money, access to money and money under your control
Well, they need access to your money, and access to money itself, but also access to money under your control. So that access to money also means that they are looking for ways to get you to compromise your security and give them your money.
IP / trade secrets / tactics and strategies
They’re also after your intellectual property, your trade secrets, your tactics, how you work, how you do business. All of that information is really important if they were to come in and try and take over something else that you’re already doing.
One of the other things they’re most importantly after is they’re after your client information, because with the client information, they can go off and target other people. It becomes part of their social engineering component of the digital world so that they can find out all the right information about what you’re doing and what your clients are doing.
One of the things that people forget is that they’re also after your technology. They’re after your Wi-Fi system. They’re after your router. They’re after your PC. They’re after your laptop. They’re after your smart devices. Because they can then use those smart devices to target other people.
But on top of that, your technology is worth money to them. Because it’s worth money to them, they are quite happy to compromise your system and make sure that you then become non-controlled by yourself. That is why we lose control of our technology with things like malware and viruses, and worms.
What are they using to get in?
So what are they using to get in?
In most cases, the number one attack weapon of the cybercriminal, or the digital criminal, is email, because everybody’s got an email account. Email is easy enough to target. It doesn’t cost them any money.
With the rise of email, we also saw the rise of spam. In the 1990s, early 2000s, we had spam that was more interested in selling Viagra or getting a Nigerian prince’s money out of Nigeria. But then smarter criminals got hold of it and started utilizing it for other things.
Then we had the rise of the phishing email. We’ve still got phishing email like we get nowadays. The classic example is the crypto-virus. We get a phishing email that’s addressed from the APO, or the Post Office, or Internal Revenue. Because we are very willing to open and look at an email when it’s based on that.
But then again, we then had the introduction of the spear phishing. This has only been around for the last maybe six to seven years. Spear phishing is an email that comes into your system that is specifically targeted at you. Because they’re specifically targeted at you, they’ve done their research.
They know you are. They know who you are targeting. They know what your friends are. They know what your business is. They know what your hobbies are. They will write an email that is specifically aimed at you, making that idiot decision to click on the link.
But what phishing email and spam, and the spear phishing email are doing is they’re targeting exploits within your system. The exploits are pieces of code that haven’t been written properly, or they’ve been removed but they haven’t been deleted from programs. These programs that have these exploits, you know, Windows has 2 ½ million lines of code. Finding a specific error in that takes a lot of work. The trouble is, the cybercriminals have got the time and the energy to do that, and that’s what they do.
Infected web sites
But just like we have operating systems on PCs, we have operating systems on websites as well. We have the underlying operating system. The underlying operating system is what hosts the website itself. So if that gets compromised, all of the websites above it get compromised as well. They use that compromised system to actually file out malware to other people.
The Insider (malicious and unintentional)
We’ve also got the insider. The insider can either be a malicious person who doesn’t like your systems, doesn’t like you, doesn’t like your business, and they’ve been employed by you, and you’ve realized they don’t like you and they have stolen information, or stolen systems, or put malware on your system.
But there’s also the unintentional one. That person who has clicked on the link that you didn’t want them to click on. That has exposed both your PC and your business to the digital criminal. You don’t want that to happen.
What are the basics?
So what are the basics? The basics are really easy. There’s 8 of them. Those 8 basic things that you need to do will protect you in the digital world.
I’ll miss the first one, but passwords. Passwords are really important. They’re your passport to the internet. They are your passport to the internet on any number of websites that you go to. Passwords have to be longer than 8 characters. They have to be complex, so anything on the keyboard is fair game. They have to be unique for every website you go to.
That, as you can understand, that is a problem just in and of itself unless you have a system on doing it. I have a number of videos that you can watch that will actually explain how to create complex passwords that are really easy to remember.
I was talking about exploits earlier. So when an application or an operating system developed or found that they have an exploit, they will patch it. They will send out an update that will remove the capability of something being able to target that issue. Although 99.9% of exploits are benign, they can’t do anything. Maybe you can create a character on the screen, but it’s not going to cause a problem. They’re not going to allow access to the back end of the computer.
The next thing you need to do is worry about anti-virus. An anti-virus is really important because it catches that 99.9% of the viruses that have been around for a while. By catching that, it then means that you can keep an eye out for that other 0.01%, or 0.1%.
Back it UP
The problem with the digital world is it’s digital. My laptop falls in the—gets flooded out, or I drop a cup of coffee on it, or I drop my phone in the toilet, or someone steals my tablet, then all of that information that was on it is now gone. So we have to make sure that we are backing it up and backing it up in such a way that is not stored in the same place. So if I lose my phone, I have a backup of all my contacts, all my videos, all my films.
The next thing we have to worry about is firewalls. Firewalls are used to protect you from the digital world. They stop those basic attacks coming into your PC or into your business. They are there to make sure that whatever coming from inside the business goes out but everything on the outside doesn’t come back in.
There’s two that we’ve coined. Paranoia. Fear the digital world. Don’t be scared of it, but have that underlying system in place that you go, “Should I do that or shouldn’t I do that? Why am I doing that?”
The last one is common sense. Common sense is really important when it comes to making that split-second decision between clicking on that link that decrypts all your data on your PC, or not clicking on that link. Common sense is a question about “Where did they get my email address? How come they’re targeting me, and why are they sending me an email?’
What is a framework?
So what is a framework? I’d like to talk to you, the framework we’ve developed that is, I suppose, an easier way to understand how you can protect yourself. There are a number of frameworks out there. This is just a few.
We’ve got the Control Objectives for Information and Related Technology (COBIT).
We’ve also got the ISO 27000 Series.
We’ve got the NIST Special Production 800 Series
These are complicated frameworks around how you do business. They want you to change your business to fit in with these frameworks. That’s where the problems really start from, because no longer can we say you are a x in this industry, so this is how you have to do business, because if everybody else is doing business that way, there’s no advantage in doing it. That’s where technology is really come into its own.
But also we’ve got the vendor-based technologies and the vendor-based frameworks. Those frameworks are things like the Cisco Security Framework that relies on Cisco products, or Strategic Framework if you’re using cloud, or an IT Security Policy, which is a really basic framework about how you are going to protect your business.
The 4 pillars of digital security
So we’ve taken all this information and we’ve tailored it down to four pillars of digital security.
What you really need to do to protect your organization
You need to worry about the technology. The technology in place of how you are going to do business. That technology makes your business so much better and makes you competitive in the industry.
You also need to have a management component. That management component takes into account all of the other components and the pillars of security.
We then have to have an adaptability component. The adaptability component is not about if something goes wrong, but it also involves having your organization able to change direction without losing impetus. So you can see an opportunity, and if you are adaptable, you can actually grasp that opportunity without having a problem.
Then the last one is we all have a government compliance component. That government compliance component is how it’s all based in the industry, or via government, or how you want to do business yourself.
So let’s just take a step back and go through each of these areas.
The technology. Literally all of the technology components of your business. So you have your operating systems, your hardware, your software, your applications, your encryption, your cloud, BYOD and how you’re going to manage it, firewalls, wireless, VPN, anti-virus, and tie it all together with best practice.
Best practice is usually created by the vendors that say “This is the best way of putting my system together.” To me, that is really important, because if you don’t have the best practice of how that system is put together, then it’s not going to work to your benefit anyway.
The second component is management. So management process that we need to know, and who is involved in what they are. So we have the three P’s – processes, policies and procedures. Because you don’t want to have your accountant come to the business and go “What is my role?” So that’s part of your procedures, part of your processes, part of your policies.
But also on top of that, you need to audit all your technology. You need to have reports coming out of your technology. And you’ve got to be very aware of the reports that come out of technology because they’re only reporting on those systems. So you need to have an overrule reporting system that will help you make decisions at the top level.
You also need training and education. Education and training are really important if you want to protect your business, because if you start training and educating your people, they will then actually come back and say, “We need to do x because x is what my education has told me.”
Then we have the adaptability. So we’re looking at risk assessment, risk management, disaster recovery, business continuity, your cyber and digital resilience and also your culture. Your culture is also just as important as everything else because if your culture doesn’t allow Joe Bob, who’s working at reception, to come to the managing director and say, “We’ve got a problem and this is why.” And the managing director actually accepting that he has a problem, then culture is going to have a big impact in protecting your organization.
And then as I said, we have compliance. Compliance is probably the most difficult component to define because all business or industries, and all organizations are unique. They are different from each other, and different from anywhere else because we are all unique and how we do business depends on who you are.
So all of these framework components make your framework a lot better and a lot easier to understand. It also means you’re going to be making decisions based on fact, not on what’s coming out of the back end, not coming from the IT department saying everything’s rosy.
But as I said, most frameworks are created by companies, and they usually say, “Buy my widget because my widget is the best and it will protect you, and you will be secure.” What a load of poppycock. There’s no silver bullet in the digital world. There’s no way of significantly protecting yourself by using a product.
From Cisco all the way through to D-Link and TP-Link, there is a way around every system. You might not be able to get through a FortiGate, or a Juniper, or a Fortinet firewall, but there are ways around it. That’s why you need to have a framework in place.
By having this attitude that “My widget is the best,” we’re not having a holistic impact on your business. We are not protecting the business. That is also what this is all about.
A Framework has to have certain features
But a framework has to have certain features to make it all work. It has to have features to a level where we are making sure that everything we’re doing for the framework is actually helping the framework.
The framework has to be agnostic
It has to be agnostic. It doesn’t matter whether you’ve got a Cisco firewall, a FortiGate access point, you’re using Symantec on the inside to protect yourself at endpoint protection level. All of those components have to work together. It doesn’t matter whether it’s a FortiGate firewall or a Cisco firewall. It is a firewall, second-generation firewall that does x. So it doesn’t matter what the hardware is.
Your framework has to be understandable
It has to be understandable. All the people in the organization has to understand why you are doing something to make sure your business is protected, and what is in place. We have to have some sort of puzzle that we keep putting a little bit together and making it so that everybody understands that the firewall is there for a reason. The reason why we’ve got these policies is there for a reason, so it has to be understandable by everybody involved.
Your framework has to support your business
One of the things we find in most technology companies is they want your business to change to support their technology. To me, it’s the other way around. The framework has to support your business, and it has to support your business to a level where you don’t have to change how you do business.
Because if you change how you do business, you don’t have the alacrity to go we can swivel on a pin to change direction. So the technology has to be in place to make sure that you can do that swivel if you need to. So it has to support your business, not the other way around.
Your framework has to be manageable
It has to be manageable. What I mean by manageable, someone has to know where all the bits go together and what bits are doing what. Your framework, whether it’s either your technology or it’s adaptability, has to be something that you know “This is what we do. We have a business continuity plan, and this business continuity plan does x.” That is really important for what we’re trying to do with this framework.
Your framework has to protect
Most importantly, your framework has to protect. We know there’s no such thing as 100% security, but we can try for it. That’s what this is all about, trying to make yourself as secure as both your money and your capability, and your team, can make you. So it has to protect you.
Your framework has to be cost-effective
And because we’re trying to protect you, we’re not going to go out and buy—if we’ve got an income, let’s say we’ve got a revenue of $100,000 a year, we’re not going to go out and buy a $50,000 firewall. So we have to have some cost effectiveness in place to make sure that we are getting the best bang for our buck.
Your framework has to build defense in depth
We all know what the old castles used to be, and why they were built, and what stopped them from being as efficient as what they used to be. Originally, the medieval castle was designed to protect the Lord who was in the castle itself. It lasted up until we started creating cannons and we started firing cannonballs at each other. But your framework has to build defense in depth. The thing about a castle was you had a moat. You had a drawbridge. You had high walls. You had people behind those walls. Because you had people behind those walls, if they got through the first levels of security, then they were up there with the people who were trying to attack you.
Each component has to support the other parts of the framework
Most importantly, no matter what we’re trying to do with the framework, each component has to support the other components of the framework itself. So we need to have the right technology in place to make sure that we can have the right management planes in place, and to assist in working out what risk is involved.
Each additional component has to be stronger than its predecessor
And one of the things that we push is if you’ve got a system in place for the moment and you don’t want to spend lots of money when you do spend money, that you don’t replace the NetCom router with another NetCom router. You go to the next level. So you replace it with a Linksys, for instance. More expensive, but it does a lot better.
Your framework has to be stable
But most importantly, your framework has to be stable. It has to allow you to do things that if you unplug things and plug things in, it’s not going to cause the whole system to fall out. That is very important to making sure that your business can do business.
Finally, your framework has to work
And finally, your business framework has to work. If you haven’t got all the components in place, and they’re not all acting holistically, then your framework’s not going to work and it’s not going to protect you at all.
Getting the balance right
So it’s very hard to understand how we get the balance right. The balance is very important and it does depend on how much money you’ve got and how much you want to throw around.
Is there a problem with SME’s?
So, is there a problem with SME’s and how we protect digital security? Well, yes there is. Because an SME has a number of problems just in its inherent capability itself.
Lack of money
We have a problem with money. As I said, if you’re $100,000 business, you’re not going to spend $50,000 on securing that business itself. You might spend $5,000, and if there’s only two or three of you, $5,000 will probably do the job. But because you lack the funds to be able to put a security system in place and create a framework, there are other ways around the framework itself.
Lack of expertise
We also lack the expertise. We don’t understand things like threat intelligence. We understand endpoint protection because that’s usually an anti-virus system. But we don’t understand identity management. Or we don’t understand incidence response or anomaly detection.
Because these are words that are thrown around by vendors that really mean the threat intelligence of you being attacked is probably about 60%. That’s not including a targeted attack on you yourself. How are you managing your identity and your internal people? What usernames and passwords are you using? Those are the things that we just haven’t got the expertise to manage.
Lack of time
And also, we all know that time and money is absolutely annoying when you’re in a small business because when you are in a small business then you have a problem with making sure that the time and the money that you have are focused on the business itself. Because if you don’t focus on the business, the security doesn’t bloody matter anyway. So you have to focus on money, time and the find out how you can cover the expertise.
It’s just not digital
But it’s not just about digital. The digital component, yes is very important. But also, your non-digital stuff. Have you got locks on your phones? When your phones are sitting in the café, are they locked? Do they wipe themselves if someone puts the passcode wrong five times? That is not a digital solution. It is a physical solution. You have locks on your doors and windows. You have internal doors on specific offices. These are not digital, but they’re just as important to protecting your business.
What you can do now
So what can you do now?
Well the first thing you can do is go back to your office and do a risk analysis. Work out what your risks are. Work out what risks are being created by having not the right technology in place.
Upgrade all non-business related components to business systems
The second thing you need to do is find some money to upgrade all your non-business related components to business systems. That includes getting a decent firewall or getting a decent access point.
Educate your people
The other thing you need to do is educate your users. Because if you educate your staff, then as I said before, it will be delivered to your business tenfold because you have people who are actually looking at the issues.
This increases awareness. What you really need is for people to be very aware of what’s going on.
Here are some simple things to do
And there’s some simple things you need to do.
Put some posters up around your organization. If you’ll send me an email, I’ll quite happily send you a PDF of 10 of them that you can put up. Get them printed at Officeworks, off you go.
Initiate a training and education program. I’ll just explain between training and education. Education is when you take everybody and uplift their level to a different level from what they are. So you’ve got to educate them inside of digital security. But training is usually based on getting someone to understand the complexities of a piece of technology. That training is really important as well.
You also need to run competitions, because competitions increase awareness within your organization as well. Make it fun. Don’t bore people with, “Yeah, you’ve got to have a complex password of 25 characters.” But if you have a competition that runs, the first person who gets the answer every day gets a $5 card from somewhere, and the person who does it the most during the week gets a $30 whatever, then you will see that your awareness will increase across the board.
So thank you very much. If you need to get in contact with me, drop me an email at email@example.com, or give us a phone, or jump on the website. You can also follow us on LinkedIn, Twitter, Facebook, Google +, all of those places.
And thank you very much for your coming to the webinar. Much appreciated. This will be uploaded to Google Hangouts and also to YouTube in the next half hour, so if you want to re-watch it you can. And if you have any questions, just pop them into the system and the system will actually tell me if you’ve got a question.
Okay. We don’t seem to have any questions, which is really nice. So thank you very much. I will talk to you next time.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How being paranoid is a good digital security strategy!
[Start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about why being paranoid makes you more secure in the digital world.
In the digital world, everybody is after you. Everybody wants to target you. You get spam, you get phishing emails, you get spear phishing emails. If you go to a website, you could be targeted from the website.
If you download drivers, you could be downloading literally from the Google search. And there are websites and there are torrents where you can get infected by. So, looking at all of that information that’s coming towards you, on the chance that they want to steal something from you, should make you a damn sight more paranoid, the more people are at the moment.
One of the best things that bad guys do is that they will infect torrents. And torrents are used by people who want to download illegally from the internet. And those torrents can have back doors into your business, and your organization and your home computers.
And it’s very important that you get paranoid about why you have this information on your systems. But the good thing about being paranoid is you actually start to protect yourself. You make that assumption that you are in trouble and you need to look at other ways of protecting yourself. And by being paranoid, it makes you a lot more focused on how you protect yourself.
So, thank you. If you need any more information, please contact us.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – The hidden cost of doing ICT yourself
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the hidden costs of small business doing their own ICT.
In a small business, we have direct costs, how much we buy something for, how much we sell it for. And we have indirect costs. And the indirect costs usually are the costs that we have no control of. And what happens when people start doing their own technical support is your indirect costs go up.
Now, most people are in business to make money and they are in business to do core business, whether that’s for selling widgets or consulting or any of those things. You’re not there, and your people are not there, to work on the information technology, information technology stuff that is making your business work.
And what happens with doing the ICT yourself is it really does take your focus off core business. It’s a lot easier to say to someone, “Come in and fix this and then go away,” than Joe Bob, who’s is the receptionist, or the senior salesperson or the marketing manager, look at the printer problem and say, “Well I just spent nine hours trying to get the printer to work. Now, I’ve got to call someone in.”
So, doing your own ICT is not cost-effective. And there really is no convenience in doing it. Because, as I’ve said, ICT is what makes your business run. But you don’t need to understand that 90 percent of making that system run, you need to understand the 10 percent that you used to make it all work for your business and do core business.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – Clever ways cybercriminals get you to let them in
[start of transcript]
Hello. My name is Roger.
And today, I’d like to talk to you about the clever ways cybercriminals get you to let them in.
So, there are a number of tactics and strategies that the cybercriminals use, both physical and electrical, that allows you to let them in so that they can do their nefarious deeds.
One of the ones that we’ve seen is they used fake access points. And there’s a thing called water-holing where all people congregate within a business. And usually where they’re congregating is actually where you are fixing and attaching to a Wi-Fi point. And if you make an access point the same username and you don’t give it a password, then, all of that information that you’re connecting to is being recorded.
But there are other things they do. One of the things that the bad guys do is they change file names so you might get an attachment that say “readthis.txt,” but you, and because Windows and Apple only read the .txt part, they don’t know that it says “.txt.exe.”
And most anti-viruses won’t allow that to happen. But there are some that regularly will bypass. There are other things that they do. Location of files, they use the actual operating system and the way it searches for information to serve out, so they might have a “notebook.xe” and “notebook.exe,” which is the real one. This one is found before this one, this actives malware and viruses.
Or, we use hosts and DNS redirects. And all those redirects take us to totally different sites. And there’s a number of sites, for instance, if you go to anz.com.au, you go to Australia National Bank. But, if you go to anz, then you go to a fake bank. And that’s how they catch you, just by substituting that one letter.
But one of the other things they do is they use a bait and switch. They get you to download legitimate software, especially if you’re downloading legitimate software from a pirate site. Because if you are doing that, then you are making yourself vulnerable. Because that information that you’re downloading is being stolen by the criminals and has been created to make look like a real information.
So, as you can see, the cybercriminals can be very, very clever. And we have to use a number of systems to make sure that we catch them before they get into our system.
If you need any more information, please contact us. Thank you.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – A firewall does protect you in the digital world
[start of transcript]
Hello. My name is Roger.
I’d like to talk to you today about A Firewall does protect you in the Digital World.
A Firewall is a piece of hardware or software that sits between the real digital world and your device – whether it’s your laptop, your server, your network, your smart device. It sits between the digital world which is out there, and your privately owned piece of it.
And that’s all it’s there to do. It’s there to stop the bad guys coming in to your system and doing damage on your system. It allows information from your system that is requested to go out to the digital world and then come back in again.
And in other cases, it’s very effective about stopping that first level of attack that we have from the digital world.
When it comes to network management and protecting yourself at a network level, then, you need to spend a little bit of money to get a more expensive model of the router/firewall modem component because that is what is going to protect you from the digital world. And that expensive model, whether it’s a FortiGate or a CISCO, or a Palo Alto, is really important because it has a lot more features as well. And we have things like 2nd generation firewalls coming in to the information.
Thank you for listening and if you have any other, if you have any questions, please contact us on the slides after this.
We all approach the cybercrime issue with a very unrealistic attitude that the cybercriminal is a geek who really does not understand what they are doing. To most people the cybercriminal is just in it for the fun.
Compound that with our own attitude of
we are too small to be a target,
it won’t happen to me and
we have nothing worth stealing
And you can see why we have a problem.
Cybercrime perpetrated on the digital world is no longer hap hazard or uncoordinated.
The cybercrime gangs are well organised, exceptionally well run and ruthless in who and what they target. In most situations the main cybercrime gangs are better run and managed than the small and medium business and large Organisations that they target.
What most people do not realise is that most of the high level cybercrime gangs have the same principles as everyone else who is using the digital world.
Make as much as they can!
Make it as fast as possible!
They steal, destroy and manipulate the normal users of the digital world because there is little or no perceived repercussions if they get caught.
The difference is that they know so much more about the digital world than we ever will. They also know how to exploit our vulnerabilities.
Most of the criminal enterprises have a similar structure to every other business.
They have a management team, they have marketing and sales, they have advertising and sales, they deliver products to their clients and they use research and development to create more product.
Their clients are the 12 – 24 year old wanna be hackers who think they would like the glamorous world of a cybercriminal.
Their product is automated systems that gather data and probe exploits on anyone or anything that is connected to the digital world.
They then feed that information back to the command and control systems to create better and more complex systems that are easy for the wanna bes to use.
When it comes to making money they have the same attitude as most SME’s. Make more than you spend.
Apart for the fact that you do not get fired and the retirement plan for the bottom level of the organisation is not very good. Once in the gang, the smallest stuff up and you could be found in the lake face down or even worse never found at all.
If you understand the cybercrime business then you have a better chance of protecting yourself against it.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – why and How antivirus protects you in the digital world
[start of transcript]
Hi. My name is Roger and today I’d like to talk to you about antivirus and how antivirus protects you in the digital world. Now there’s a couple of schools of thought about antivirus. One it doesn’t work, one it does work. Those schools of thought, correct in both respects, sometimes it doesn’t work, sometimes it does work, but an antivirus system is also designed to do a number of things.
One, it catches the old problems that we’ve had. It catches all viruses, which are out there and they are [0:40 inaudible], but it also catches things that have been in store on your system that weren’t classified or weren’t called out before but are now.
A regular scan will catch those infections because the regular scan is now using the new systems because those updates are now looking for the components that are on your system. But anti-virus also does one thing. It only does its job if two things that are happening.
One if you’re patching your system and two if you’re regularly updating your antivirus. So whether you update or scan [1:27 inaudible] your definition is part of the process to make sure your antivirus does protect you from digital work.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime and cybersecurity discusses – the reason that everyone needs a mantra – you can borrow mine – Cybersecurity is my problem – Rotary Talk
[Start of transcript]
Thank you for the introduction, that was great. Today I like to talk to you about what happens to your financial security and your digital security if you get hacked and the bad guys steal everything.
The digital world has a population of between 2.5 and 3 billion users. It’s the biggest community on the planet. And because we are now focusing everything towards the digital world we are forgetting a number of aspects that really make human life a lot easier.
The digital world is becoming our social platform. It’s where we do business. It’s our network. It’s how we read our news. It’s what we look for if we need to buy something or find something or do something. It’s been an innovation and it’s happening more and more and more. It’s where we keep our websites and its how we market to each other and to the world.
The reason why we are now starting to use the digital world more and more is because of two things. One is its cost effective and it’s very cheap to do. Normally for a small business to go into marketing it used to cost thousands and thousands of dollars but with today’s digital world we now can do our marketing for a fraction of the cost.
But it’s also convenient. I can pay my bills while I’m sitting in a cafe. I don’t have to go to a post office or I don’t have to go to the bank. As we go forward into the digital world governments are going to cut services and going to put more things online. Banks are already closing their branches and putting more things online. Small businesses are now focusing on what the digital world can do for them.
And because of that we now have this really big separation of what the big guys are doing and what the small guys are doing and what the good guys are doing and what the bad guys are doing. In today’s world what we see is this part, the tip of the iceberg, literally the bit above the water. That’s where we do most of our business. That’s where we do most of our searching and that’s where we do our marketing.
This section underneath is so much more dangerous. And it constantly flows from below to the upper. Let’s just do a little bit of history about crime itself. And crime against people used to happen a long time ago when it was one-on-one. It was I needed something and I took it from someone. And whether it was legal or not it was just the way things went.
In the 1600’s we moved our money into the banks or the money used to move around in stage coaches or trains. So we then had the problem where it was if I wanted to steal money from a bank I was a small group of people stealing from a larger group of people. So that was one to many.
In 2014 in target attack there was a group of people who stole something from 34 million people, a third of the entire population in the US, exponential rise in rewards and exponential rise in targets because that is the way we are going.
So really why are they targeting everyone? Well, for one we are connected to the digital word. If you are connected to the digital world you are a target. And not just because you have something, it’s because you use something. Yes, they are after our money and our access to money.
As I said we can do our banking from a cafe. But if you’re connected to a free Wi-Fi system then the bank guys can steal that information. They are after our intellectual property. Our intellectual property is really important to us. It’s our date of birth. It’s our tax file number. It’s where we live. And each one of those individual components of our personal information is not a big problem. But when you start linking them all together it allows a criminal to come out of the digital world and go into the real world and go to a bank and open up a bank account in your name. And you definitely don’t want to be in that kind of a trap.
But they are also targeting our technology. Everybody has a smartphone or a tablet or laptop. And they are targeting the utilization of that technology. But on top of that they are targeting things like your Wi-Fi connection, your Internet connection because that is how they do business.
The bad guys rely on us trusting them because that’s what humans do. Humanness, Gullibility and Honesty is all part of the human animal. The trouble is the bad guys know this. And they are very good at making us trust them.
In real life you meet someone and you shake their hand and you see what they look like. In some cases they are so nice. Sometimes you get the feeling that they are not very trustworthy. The trouble is in the digital world we don’t get that feedback. In the digital world we have one point or one sense that we use and that is trust. And then we have to work out from that picture whether we are going to trust them.
So how do they get in? Well, the bad guys are notoriously good at using the systems we put in place to further their own needs. They are really very good at finding holes in software, some operating systems, applications, apps on your phone, your phone operating system. They are looking for ways to take over the control of that device and that technology.
The problem with a lot of these things is that most of these holes in software don’t lead to anything. It’s one in a hundred that have the capability to be uncompromising and compromise your technology. But that’s all they need because it’s not an individual person sitting in a dark room who is doing this, it is an application that they have on their laptop that is trolling the Internet looking for those exploits. When they find them they then utilize them to take over your technology. And you definitely don’t want to be there.
The other thing they use and regularly use is Spam. An email that comes to you that is not warranted. Now previously over 5 years ago Spam just used to be a nuisance. “Do you want to buy Viagra?” 5 years ago the cyber criminal saw how beneficial it was to be able to use Spam to target people. That targeting of people makes it very interesting for us as users because now we get email that is caught by or sent to us and we look at it and we then make decisions.
The next step up from that is fishing where they use a bait. And spear fishing is they literally go out and target you and aim arrows at you and that’s where spear fishing came from. Spear fishing is mainly social engineering. They will go onto your social websites. They will go onto your social profile and look at what you do and who you do it with, who your friends are, who you know, where you’ve been and what you’ve been doing. And then they will target you in an email that is designed specifically for you. When that happens you have to be very aware of what’s going on.
I was saying that we have to protect our own technology. Our own technology is very important. But the people who got websites need to have that protected as well. If you’ve got a Cloud-based system or a Website hosting system then the underlying operating system also needs to be patched because that is also a target of cyber digital criminals.
So how do I create security in my own self? I’ve got to keep my information systems secure. I’ve got to protect my assets. I’ve got to understand the dangers and I’ve got to back things up because you never know when things might happen that you have no control of.
For instance if I leave my mobile phone over the top of the car and drive away, then A-I’ve lost my mobile phone. But I’ve also lost my contacts. I’ve lost all my information about what I’ve been doing. I’ve lost a lot of information that is irreplaceable because I haven’t backed it up. The digital world is notoriously bad that if you turn something off then most of the information is lost and you have to be really aware of that.
So how do we protect ourselves? For me I have a mantra, Cybersecurity is MY problem. And if everybody else had that mantra, Cybersecurity is MY problem then we will be able to make sure that we are protecting ourselves all the time. But my mantra has 6 components. And this is what makes a secure environment for your own safety.
The first thing we need to look at is Passwords. And everybody has passwords and we all have used passwords. And those passwords can be literally anywhere doing anything. Your passwords are your passport to the digital world. And they are very important. But with the rise of the cyber criminal they are becoming more and more protective of what you do.
So passwords have to be complex. Anything on the table can be used in your password. They have to be more than 8 characters. If they are less than 8 characters, for instance a 5-character complex password can be cracked with a Brute-force attack in 2 hours. And it goes up, it escalates from there.
One of the things that people really have trouble with is your passwords have to be unique for every site you visit. First question people are going to ask and everybody in the audience is going to ask is, “how the hell I’m going to remember all those passwords?”
Well, there’s a number of ways that you can do it. One is you get a system like PassSafe which is a system that sits in your browser that remembers passwords. You have a master password that has to be complex and with that you do everything else. But the second thing of that LastPass is it creates complex passwords that it remembers.
But if you don’t want to really go down that and if you want to keep human control of your passwords come up with a phrase that you will remember. “Every Saturday I play golf.” Turn the end into 1 and put a space at the front and put a dot on the end. You can actually write that down, “Every Saturday I play golf” because you’re going to remember that. Okay, that’s 7 characters already.
Now I want to go to Gmail, “every Saturday I play golf” Gmail. “Every Saturday I play golf” LinkedIn. “Every Saturday I play golf” Internet. You know what the password is because you know what your standard password is that nobody else does. And you can actually make sure that people can’t understand that.
The second thing we have to look at is patching. We all know how annoying Microsoft, Apple and Android can get when it comes out and say’s we’ve released a new update and you have to update your ownership. Well the new update in most cases is not for functionality. In most cases it is a security update because someone has told them that they have a problem with their software that they have now created something that stops that problem from arising.
Going back to the exploits most viruses and malware are targeted at those exploits. Because they are targeted at those exploits then if you don’t patch those exploits then we have a problem.
In 2003 I think it was we had the Code Red problem with all the database servers on the Internet who were running Microsoft Explorer. This is the first time that patching really came to the fore. Microsoft wanted to have a patch 6 months before Code Red was released. And all of the systems administrators went “No”
Code Red was released and it was infecting a hundred thousand servers an hour and at that time if it was patched Code Red would have gone away, not a problem. It was very important that they did it.
All the systems that are connected to the Internet and connected to the digital world have to have some form of antivirus installed, whether it’s an Android, an Apple, a Microsoft, an iPhone or whatever it needs to have some level of antivirus to protect it from malware and viruses, it’s really very important.
People go, “well I can’t afford that.” Well, you can’t afford that, in most cases it’s expensive but there are solutions. We bought a product called FortiClient which is from FortiGate. And what it does is it’s on all of those platforms and it’s one of the best antiviruses available and it’s free.
And the reason why it’s free is because FortiGate are an Internet security company. Their products are high-end Firewalls that are going to enterprises and organizations. But when J-Bolt is connecting via VPN, Virtual Private Network to our systems they needed to make sure that the PC’s were clear and that’s why they came up with this solution. What they said is, “okay, we will create an antivirus product which also does the Virtual Private Network component. And we will make sure that the PC’s are clean.”
All systems also have a Firewall. And a Firewall is literally a wall between you and the digital world, your device and the digital world. A Firewall has stuff to go from your digital device and go out to the big wide digital world, get information and bring it back. But what the Firewall does is it stops anybody connecting to your device and a set request is left for the system. So it’s very important to have firewall.
As I said before you never know that you are going to lose your phone. You never know when your laptop hardware is going to fail. You never know when your server is going to fail. You never know when your building is going to burn down and it’s going to take everything with it. So back it up.
But the thing about backing it up is to make sure that the backup is not where the device is. So if you got a USB hardware on your laptop and you’re travelling a lot make sure the backup is at home while you’re traveling. So if something happens to your laptop you are certain that you haven’t lost everything. And I’ll tell you what when that happens to people it is really heart-breaking because you lose your files, you lose your data that you have been working on, sometimes you lose things like access to bank accounts and all of this stuff, very important.
There are two things that we push as IT people who are very aware of what is going on in the digital world. Be paranoid and it makes sense really. But the reason why you’re paranoid is that practically everybody on the digital world is after you. And that is really how you have to look at it. They are after you for all of those things I just talked about before, your money, your access and whatever. It’s very important that you do not let people get to it.
The other one is that you use common sense which surprisingly is lacking in the digital world. The common sense will protect you when other things won’t. If the website you go to says “I’m free,” no you’re not because they are looking for the information. They want you to fill in a form. They want you to do something. That initial point of contact is again what they are building trust on.
Here’s the bit on drivers. So you’ve installed a new printer but the CD is no good as you’ve got Windows 8 and this system is d designed for Windows 7. And you got onto the Internet you go to HP 5600 drivers Windows 8.
If you do that you’ll notice within the Google search results that a top 5 or 6 will have nothing to do with that HP. So again be paranoid. Go to the end of the third one that says HP or www3.hp.com/ or whatever. That’s an HP site. If you go to hpdrivers.com then you are not going to an HP site. It will even look like HP but I can guarantee you it’s not.
So this is how you secure yourself. Keep the mantra going, Cybersecurity is MY problem because if you do that you have a smaller change of being compromised than the person who hasn’t got that kind of a help. Use complicated, individual and unique passwords.
Patch everything. Patch it in a timely fashion. What happens to some of our clients is they come to us and they go, well my laptops playing up. When we got a look at it they haven’t applied patches for 12 months and there’s 220 of them. This is a problem.
Use a good antivirus whether you pay for it or not, use a good antivirus. Never turn your firewall off. You can make holes in your firewall but never turn it off. Get paranoid because in the real world and in the digital world everybody is after you because there are automated systems that are testing you and your appearances all the time.
And you use common sense. Read what the website or the site says. One of the ways that criminals get you to do things is they will have a URL that looks like a real URL because they know that if you go to anzbank.com.au it’s not the same as anz.com.au. It’s a criminal’s site.
My name is Roger. I have a couple of books that I wrote if you want to have a look at them. If you need to access some questions of us contact us on any of those. We run a regular Twitter feed. We are on LinkedIn. We have a Google Plus page. We are on Facebook and we are on YouTube.
And we run Seminars and webinars regularly. Webinars are run on Google Hangouts. We haven’t run one yet but we will be. Seminars are running in Sydney, Melbourne and Canberra monthly and in Adelaide, Perth and Brisbane quarterly. Thank you very much for your time.
There are hundreds, if not thousands of security experts out there who will tell you that you have to listen to them.
So, Why would you listen to me?
I do not know everything! Come to that, no one does! No one ever will! But, They will try to tell you that they know everything.
There is nothing on the planet that will protect you fully in the digital world. And Nothing is available or will it be available in the foreseeable future.
We have to change. We have to change before the bad guys take over the digital world.
What we do know is that we have a problem.
What we know is we have a problem keeping our digital information secure.
We have to – improvise, adapt and overcome. Oh raa
What I know is that digital protection has to be holistic.
A holistic outlook will deliver better digital protection.
To fully achieve holistic digital protection you have to have a mantra. An affirmation. A focus for your protection.
We have a mantra. Our mantra is “Cybersecurity is MY problem” say it with me “Cybersecurity is MY problem”
What does it mean?
It means that there is no silver bullet . It means that it is hard work. It means that it can be expensive and costly.
It means that everyone in the organisation is responsible for protecting your organisation.
Everyone does their bit.
Everyone is aware.
Everyone, not just the ICT department, or the managers, or the board members but everyone has to do their bit.
Digital security is intensive, focused and above all hard work. There is no set and forget. It is a constant battle between you, your staff, your organisation and the bad guys. Attacks change, defences adapt – this is the way of digital protection.
Why am I telling you this? We build and supply holistic digital security systems to small and medium business and not for profit Organisations.
What I do have is a passion, no that is wrong, I have a focus on protecting people from the criminals that inhabit the digital world.
So why would you listen to me? I am just a normal ICT consultant with an extrordinary outlook on digital crime. I do not understand the need to say – buy this because it is the best thing you can buy – especially when it is untrue.
If you want to create a more secure organisation in the digital world you need to talk to me. Talk to me now