Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on cybercrime and cybersecurity, discusses the reason that everyone needs a mantra (you can borrow mine: "Cybersecurity is my problem"). Rotary Talk.
[Start of transcript]
Thank you for the introduction, that was great. Today I'd like to talk to you about what happens to your financial security and your digital security if you get hacked and the bad guys steal everything.
The digital world has a population of between 2.5 and 3 billion users. It’s the biggest community on the planet. And because we are now focusing everything towards the digital world we are forgetting a number of aspects that really make human life a lot easier.
The digital world is becoming our social platform. It's where we do business. It's our network. It's how we read our news. It's what we look for if we need to buy something or find something or do something. It's been an innovation and it's happening more and more and more. It's where we keep our websites and it's how we market to each other and to the world.
The reason why we are now starting to use the digital world more and more is because of two things. One is it's cost effective and it's very cheap to do. Normally for a small business to go into marketing it used to cost thousands and thousands of dollars, but with today's digital world we now can do our marketing for a fraction of the cost.
But it’s also convenient. I can pay my bills while I’m sitting in a cafe. I don’t have to go to a post office or I don’t have to go to the bank. As we go forward into the digital world governments are going to cut services and going to put more things online. Banks are already closing their branches and putting more things online. Small businesses are now focusing on what the digital world can do for them.
And because of that we now have this really big separation of what the big guys are doing and what the small guys are doing and what the good guys are doing and what the bad guys are doing. In today’s world what we see is this part, the tip of the iceberg, literally the bit above the water. That’s where we do most of our business. That’s where we do most of our searching and that’s where we do our marketing.
This section underneath is so much more dangerous. And it constantly flows from below to the upper. Let’s just do a little bit of history about crime itself. And crime against people used to happen a long time ago when it was one-on-one. It was I needed something and I took it from someone. And whether it was legal or not it was just the way things went.
In the 1600s we moved our money into the banks, or the money used to move around in stagecoaches or trains. So we then had the problem where, if I wanted to steal money from a bank, I was a small group of people stealing from a larger group of people. So that was one to many.
In 2014 in the Target attack there was a group of people who stole something from 34 million people, a third of the entire population of the US: an exponential rise in rewards and an exponential rise in targets, because that is the way we are going.
So really why are they targeting everyone? Well, for one we are connected to the digital world. If you are connected to the digital world you are a target. And not just because you have something, it's because you use something. Yes, they are after our money and our access to money.
As I said we can do our banking from a cafe. But if you're connected to a free Wi-Fi system then the bad guys can steal that information. They are after our intellectual property. Our intellectual property is really important to us. It's our date of birth. It's our tax file number. It's where we live. And each one of those individual components of our personal information is not a big problem. But when you start linking them all together it allows a criminal to come out of the digital world and go into the real world and go to a bank and open up a bank account in your name. And you definitely don't want to be in that kind of a trap.
But they are also targeting our technology. Everybody has a smartphone or a tablet or laptop. And they are targeting the utilization of that technology. But on top of that they are targeting things like your Wi-Fi connection, your Internet connection because that is how they do business.
The bad guys rely on us trusting them because that's what humans do. Humanness, gullibility and honesty are all part of the human animal. The trouble is the bad guys know this. And they are very good at making us trust them.
In real life you meet someone and you shake their hand and you see what they look like. In some cases they are so nice. Sometimes you get the feeling that they are not very trustworthy. The trouble is in the digital world we don’t get that feedback. In the digital world we have one point or one sense that we use and that is trust. And then we have to work out from that picture whether we are going to trust them.
So how do they get in? Well, the bad guys are notoriously good at using the systems we put in place to further their own needs. They are really very good at finding holes in software, some operating systems, applications, apps on your phone, your phone operating system. They are looking for ways to take over the control of that device and that technology.
The problem with a lot of these things is that most of these holes in software don’t lead to anything. It’s one in a hundred that have the capability to be uncompromising and compromise your technology. But that’s all they need because it’s not an individual person sitting in a dark room who is doing this, it is an application that they have on their laptop that is trolling the Internet looking for those exploits. When they find them they then utilize them to take over your technology. And you definitely don’t want to be there.
The other thing they use and regularly use is Spam. An email that comes to you that is not warranted. Now previously over 5 years ago Spam just used to be a nuisance. “Do you want to buy Viagra?” 5 years ago the cyber criminal saw how beneficial it was to be able to use Spam to target people. That targeting of people makes it very interesting for us as users because now we get email that is caught by or sent to us and we look at it and we then make decisions.
The next step up from that is phishing, where they use a bait. And spear phishing is where they literally go out and target you and aim arrows at you, and that's where spear phishing came from. Spear phishing is mainly social engineering. They will go onto your social websites. They will go onto your social profile and look at what you do and who you do it with, who your friends are, who you know, where you've been and what you've been doing. And then they will target you in an email that is designed specifically for you. When that happens you have to be very aware of what's going on.
I was saying that we have to protect our own technology. Our own technology is very important. But the people who got websites need to have that protected as well. If you’ve got a Cloud-based system or a Website hosting system then the underlying operating system also needs to be patched because that is also a target of cyber digital criminals.
So how do I create security in my own self? I’ve got to keep my information systems secure. I’ve got to protect my assets. I’ve got to understand the dangers and I’ve got to back things up because you never know when things might happen that you have no control of.
For instance if I leave my mobile phone over the top of the car and drive away, then A-I’ve lost my mobile phone. But I’ve also lost my contacts. I’ve lost all my information about what I’ve been doing. I’ve lost a lot of information that is irreplaceable because I haven’t backed it up. The digital world is notoriously bad that if you turn something off then most of the information is lost and you have to be really aware of that.
So how do we protect ourselves? For me I have a mantra, Cybersecurity is MY problem. And if everybody else had that mantra, Cybersecurity is MY problem then we will be able to make sure that we are protecting ourselves all the time. But my mantra has 6 components. And this is what makes a secure environment for your own safety.
The first thing we need to look at is Passwords. And everybody has passwords and we all have used passwords. And those passwords can be literally anywhere doing anything. Your passwords are your passport to the digital world. And they are very important. But with the rise of the cyber criminal they are becoming more and more protective of what you do.
So passwords have to be complex. Anything on the table can be used in your password. They have to be more than 8 characters. If they are less than 8 characters, for instance a 5-character complex password can be cracked with a Brute-force attack in 2 hours. And it goes up, it escalates from there.
One of the things that people really have trouble with is your passwords have to be unique for every site you visit. The first question people are going to ask, and everybody in the audience is going to ask, is, "How the hell am I going to remember all those passwords?"
Well, there’s a number of ways that you can do it. One is you get a system like PassSafe which is a system that sits in your browser that remembers passwords. You have a master password that has to be complex and with that you do everything else. But the second thing of that LastPass is it creates complex passwords that it remembers.
But if you don’t want to really go down that and if you want to keep human control of your passwords come up with a phrase that you will remember. “Every Saturday I play golf.” Turn the end into 1 and put a space at the front and put a dot on the end. You can actually write that down, “Every Saturday I play golf” because you’re going to remember that. Okay, that’s 7 characters already.
Now I want to go to Gmail, “every Saturday I play golf” Gmail. “Every Saturday I play golf” LinkedIn. “Every Saturday I play golf” Internet. You know what the password is because you know what your standard password is that nobody else does. And you can actually make sure that people can’t understand that.
The second thing we have to look at is patching. We all know how annoying Microsoft, Apple and Android can get when it comes out and says we've released a new update and you have to update your ownership. Well, the new update in most cases is not for functionality. In most cases it is a security update, because someone has told them that they have a problem with their software and they have now created something that stops that problem from arising.
Going back to the exploits most viruses and malware are targeted at those exploits. Because they are targeted at those exploits then if you don’t patch those exploits then we have a problem.
In 2003 I think it was we had the Code Red problem with all the database servers on the Internet who were running Microsoft Explorer. This is the first time that patching really came to the fore. Microsoft wanted to have a patch 6 months before Code Red was released. And all of the systems administrators went "No."
Code Red was released and it was infecting a hundred thousand servers an hour and at that time if it was patched Code Red would have gone away, not a problem. It was very important that they did it.
All the systems that are connected to the Internet and connected to the digital world have to have some form of antivirus installed, whether it’s an Android, an Apple, a Microsoft, an iPhone or whatever it needs to have some level of antivirus to protect it from malware and viruses, it’s really very important.
People go, “well I can’t afford that.” Well, you can’t afford that, in most cases it’s expensive but there are solutions. We bought a product called FortiClient which is from FortiGate. And what it does is it’s on all of those platforms and it’s one of the best antiviruses available and it’s free.
And the reason why it’s free is because FortiGate are an Internet security company. Their products are high-end Firewalls that are going to enterprises and organizations. But when J-Bolt is connecting via VPN, Virtual Private Network to our systems they needed to make sure that the PC’s were clear and that’s why they came up with this solution. What they said is, “okay, we will create an antivirus product which also does the Virtual Private Network component. And we will make sure that the PC’s are clean.”
All systems also have a Firewall. And a Firewall is literally a wall between you and the digital world, your device and the digital world. A Firewall has stuff go from your digital device out to the big wide digital world, get information and bring it back. But what the Firewall does is it stops anybody connecting to your device, and a set request is left for the system. So it's very important to have a firewall.
As I said before you never know that you are going to lose your phone. You never know when your laptop hardware is going to fail. You never know when your server is going to fail. You never know when your building is going to burn down and it’s going to take everything with it. So back it up.
But the thing about backing it up is to make sure that the backup is not where the device is. So if you've got a USB hardware on your laptop and you're travelling a lot, make sure the backup is at home while you're travelling. So if something happens to your laptop you are certain that you haven't lost everything. And I'll tell you what, when that happens to people it is really heart-breaking because you lose your files, you lose your data that you have been working on, sometimes you lose things like access to bank accounts and all of this stuff, very important.
There are two things that we push as IT people who are very aware of what is going on in the digital world. Be paranoid and it makes sense really. But the reason why you’re paranoid is that practically everybody on the digital world is after you. And that is really how you have to look at it. They are after you for all of those things I just talked about before, your money, your access and whatever. It’s very important that you do not let people get to it.
The other one is that you use common sense which surprisingly is lacking in the digital world. The common sense will protect you when other things won’t. If the website you go to says “I’m free,” no you’re not because they are looking for the information. They want you to fill in a form. They want you to do something. That initial point of contact is again what they are building trust on.
Here's the bit on drivers. So you've installed a new printer but the CD is no good as you've got Windows 8 and this system is designed for Windows 7. And you get onto the Internet and you search for "HP 5600 drivers Windows 8".
If you do that you'll notice within the Google search results that the top 5 or 6 will have nothing to do with HP. So again be paranoid. Go to the end of the third one that says HP or www3.hp.com/ or whatever. That's an HP site. If you go to hpdrivers.com then you are not going to an HP site. It will even look like HP but I can guarantee you it's not.
So this is how you secure yourself. Keep the mantra going, "Cybersecurity is MY problem," because if you do that you have a smaller chance of being compromised than the person who hasn't got that kind of a help. Use complicated, individual and unique passwords.
Patch everything. Patch it in a timely fashion. What happens to some of our clients is they come to us and they go, "Well, my laptop's playing up." When we get a look at it they haven't applied patches for 12 months and there's 220 of them. This is a problem.
Use a good antivirus whether you pay for it or not, use a good antivirus. Never turn your firewall off. You can make holes in your firewall but never turn it off. Get paranoid because in the real world and in the digital world everybody is after you because there are automated systems that are testing you and your appearances all the time.
And you use common sense. Read what the website or the site says. One of the ways that criminals get you to do things is they will have a URL that looks like a real URL because they know that if you go to anzbank.com.au it’s not the same as anz.com.au. It’s a criminal’s site.
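The "paranoid" check on URLs described in the driver example and the anzbank.com.au example can be written down. This is an added example, not code from the talk or from R & I ICT: it treats a host as genuine only when it is the expected domain or a subdomain of it (so www3.hp.com counts for hp.com), and flags hosts that merely contain the brand name. The KNOWN_SITES table and the extra test URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the two brand domains the talk names as genuine.
KNOWN_SITES = {
    "anz": "anz.com.au",
    "hp": "hp.com",
}


def hostname_of(url: str) -> str:
    """Return the lowercase host of a URL; a bare host like 'hpdrivers.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""  # hostname drops port and any user@ prefix
    return host.lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host IS the domain or a subdomain of it.

    A plain substring test is deliberately avoided: 'anzbank.com.au' contains
    'anz' and 'hpdrivers.com' contains 'hp', yet neither is the real site.
    The suffix test also rejects 'anz.com.au.example.net', where the real
    domain has been placed in front of an attacker-controlled domain."""
    return host == domain or host.endswith("." + domain)


def classify(url: str, brand: str) -> str:
    """Return 'genuine', 'lookalike' (brand name in host but not the real domain) or 'unrelated'."""
    domain = KNOWN_SITES[brand]
    host = hostname_of(url)
    if belongs_to(host, domain):
        return "genuine"
    if brand in host.replace("-", ""):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for url, brand in [("https://www3.hp.com/", "hp"), ("hpdrivers.com", "hp"),
                       ("http://anzbank.com.au/login", "anz"), ("https://anz.com.au", "anz")]:
        print(f"{url:35} -> {classify(url, brand)}")
```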
My name is Roger. I have a couple of books that I wrote if you want to have a look at them. If you need to access some questions of us contact us on any of those. We run a regular Twitter feed. We are on LinkedIn. We have a Google Plus page. We are on Facebook and we are on YouTube.
And we run Seminars and webinars regularly. Webinars are run on Google Hangouts. We haven’t run one yet but we will be. Seminars are running in Sydney, Melbourne and Canberra monthly and in Adelaide, Perth and Brisbane quarterly. Thank you very much for your time.
[End of transcript]