Cyber Security Examples in the Real World: A Video Conversation

Transcript

Phil: Thanks for joining us on this video today. We’re going to talk a little bit about cyber security and in particular what we see in the real world when it comes to cyber security. So i’ve gathered some of the greatest minds at The HBP Group together. We’ve got Dan Hewer from our support team, so Dan obviously sees a lot of what goes on in the real world of people phoning up when they unfortunately do have problems around cyber security.

We’ve got James Royle from Kamarin Computers and Darren Jacklin from HBP, and James and Darren are two of our account managers who look after our customers on a regular basis so they get involved right at the beginning, maybe when somebody’s looking at cyber security for the first time all the way through the lifespan of a customer as their needs change, or indeed cyber security and cyber attacks, change as well.

So I suppose the first thing to think about is kind of where we’re at at the moment. We’ve obviously had a lot of change in cyber security over the last sort of 10 years plus probably but in particular over the last year or so we’re obviously working from home, you can see that from where we are, but it has changed the landscape again. So, James what do you think people’s mindset is at the moment? Are they are they scared about cyber security? And should they be?

James: I don’t think they’re necessarily scared. We need them to probably be a little bit more concerned than most companies are. I think in the current climate with us moving more and more of our workforces out of the corporate building and we’re at home now there’s the opportunity there for a lot more risk and attacks to happen without IT managers knowing what’s going on. So I think they should be aware that because of the changing climate the threat has changed maybe more towards the end point than it previously was. And do we think that do we think they should be scared? Probably just more aware of what’s going on and concerned about what the outcomes of an attack would be.

Phil: From your experience Darren what situation a business is in when they first start to look at cyber security? Maybe the first time it’s come on their radar, are they fully aware of the flaws in their system? Are they there because actually they’ve been hacked before or somebody they know has been hacked? What’s the trigger point and where do they think they are generally when you first speak to them?

Darren: It’s a good question. We’ve had a fair few businesses that have approached us to try and get a good understanding of their current infrastructure what their security risks are. Obviously everyone’s heard about what’s being talked about with the GDPR side of thing and businesses wanted to know how we protect them. What happens should we have have a breach happen? Do we report the ICO type of thing, so long and short of it I think a lot of businesses don’t really understand how unsecure their networks possibly can be until someone like us we can come in and do that do those audits and give that information, whether that’s just a case of, as James had mentioned earlier, you’ve got more and more people that are now working from home, you’ve got your data outside of that corporate boundary versus those businesses that are still working internally within their offices, but actually they don’t have any cyber protection in place to start with. I think, probably Dan and James probably will agree, historically people thought antivirus software was enough because they they’ve only historically heard of viruses that attack people’s businesses and they think “oh we’ve got antivirus software we’re fine” or they have that mindset of my data is within my business, it’s sat in a flashing corner “it’s fine, no one’s going to attack me” and they don’t realise that that actually systems are fully connected to the internet, still fully externally presented, accessible to any threat that a cyber criminal wants to try and force on them.

Phil: So you mentioned that they don’t necessarily understand what the threat is at the moment but why do you think that is? Is it that is it too technical for most people to understand? There’s too many acronyms going around? Is there just too much noise in the media about various big businesses getting hacked and not the small ones? What is it that maybe doesn’t make them think that there’s a problem there initially?

Darren: I think two things. One is on that business owners are great at knowing their business. They’re great at knowing what their industry is and what they need to do for their business but not necessarily about what needs to be done in our industry. To make sure that their businesses are protected and I think that’s a prime example that we’ve seen far too often. They know what they need to do to achieve their business goals, but they don’t know how to protect it. The second thing on there is just awareness. They don’t they don’t fully understand exactly what risks are out there and how a simple system can easily be attacked, or how simple things can prevent those attacks from happening. I think for me awareness is the is the key thing that you know we need to start driving home to a lot of businesses.

James: I’d add to that as well for there’s a lot of companies that still think that it can’t happen to them, it won’t happen to them. Maybe Dan can give us some more info on this because he’s at the front line of talking to people but with customers I’ve had that have been attacked, there’s still a degree of apathy that they say “it can’t happen to us” or “it won’t happen to us again” so I think that part of the purpose of this is to raise awareness that it can happen to any customer or any company of any size regardless of how many users you’ve got or how many customers you’ve got. Everybody is a threat.

Phil: What sort of threats do we see Dan? What are the most common ones at the moment?

Dan: The tricky thing is that we often see new threats, new breaches, happening to different companies almost on a daily basis and it can be hard to keep up especially with how quickly the IT industry in general changes. To give a couple of examples there’s been a couple of big phishing campaigns that have popped up in the last week that specifically are targeted here in the UK. In one of these we see people receiving a text message from what appears to be Yorkshire Bank of all places. Now it doesn’t matter where in the UK are but you still get the message as if it’s from Yorkshire Bank and it will say something along the lines of “we’ve detected suspicious activity on your account, please log in to resolve these issues” and then it just gives you a link which you can click on. It goes to a legitimate looking website which, if you’re not being particularly careful you might log into and at that point, they have your bank details. Game over. Another similar one with COVID obviously being such a massive issue here in the UK and with the ongoing vaccine roll out this has presented an opportunity to these attackers and there’s been lots of instances of people receiving an email that says “hey look we it’s your turn to go and get the vaccination, click here log in to book your appointment.” It takes you to a legitimate looking government website. You log in with your government gateway id they ask you for some form of ID, so like your passport driving license, and as soon as someone’s got that information on you, what would you do then? Game over.

Phil: Phishing is, from my experience then, when I first got involved in cyber security was a very technical approach. If you wanted to hack a business it was about finding out a route into the network and delving around on all the servers. What you’re saying from those examples now is we’ve gone completely the other way and it’s what’s known as social engineering, but effectively tricking an end user. And what we’re saying here is kind of any end user to, let’s say, make a mistake and give away some details. What percentage of it is around that social engineering side now?

Dan: These days, things are a lot more secure by design without requiring any additional user input as it were, so what we actually see, and I’ve actually got a couple of stats here so of all breaches and attacks in the last 12 months, is 86% of them involved some sort of phishing or social engineering -that’s essentially almost all of them in the last 12 months alone. 46% of businesses have been subject to a successful breach or an attack and so overall it works out to about one in five, that have also lost either money or some form of important data to one of these attacks. That comes from this type of social engineering or phishing attack and this is the kind of thing where it’s very easy to do to a lot of companies at the same time. These type of emails or messages that get sent out, you can send millions of them instantly with no problem whatsoever. You don’t have to learn your target, learn how to break into the business and with that sort of success rate, yeah why not do it that way? It definitely is the way that works.

Phil: So in that respect James, how did how do you deal with a customer? As Dan said, technology’s evolved so much, I mean we won’t talk about it much now, but antivirus is now really advanced. It’s so much further along than what it what it was 10 years ago and almost faultless to the point of what it’s specifically designed to do. But actually now, once I’ve invested in my antivirus and I’ve put my firewall in and I’ve done this and I’ve done that all of a sudden now I’ve got a brand new risk and I’ve got users clicking on text messages, potentially, or emails and bypassing this. How did how does the customers attitude change once they’ve got that security in place? And how do they how do they think about these new type of threats? Is it frustrating for them? Or do they understand it’s constantly evolving?

James: I think each individual business has to have a strategy of continually looking at how the market is changing. If you haven’t got the time to do that yourself, you rely on a partner like us to make sure the tools are in place that will address those the sorts of solutions. The services we deliver are continually updated by the vendors and using our experience to make sure that they are as up-to-date as possible. But one of the key things is awareness. Those stats that Dan gave us there, I would say the vast majority of all of those tax attacks would have come via email and, it was something he said right at the beginning was “if you weren’t paying it paying attention whilst you’re typing your details in.” Because of the volume of attacks it only takes one accident one Monday morning when you’re a bit tired and you start typing your details in, a fake Linkedin message for example telling you you’ve got some people looking at your account that gets you a bit excited and you click through. It just takes that one minute of unawareness that can actually bring the whole house down. So a strategic approach, advice off some people like us who know what we’re talking about, but also awareness general awareness of anxious staff of what a phishing email looks like and what a fake email looks like. I think that’s really key.

Phil: With that stat that Dan gave us and what you’ve mentioned that 86% coming through that social engineering, most of them coming through email. Unfortunately we tend not to give people good news when it comes to what they have to spend on cyber security. By the sound of things it’s a constantly evolving process but Darren what’s probably top of the shopping list at the moment? Let’s assume that people have invested in the past and they’re not starting from scratch, what’s the one solution at the moment? If you can’t narrow it down to one I’ll let you have two…

Darren: One priority which I’m speaking to a lot of people about is two factor authentication. This is a simple something and something you’ve been given process of. The something you know is my username and password you know I’m the only one that knows that something. I’ve been given is a token or an authentication to push a button to let me in the way. Those two go then, hand in hand, works quite well if I lose my password for whatever reason, whether that be that social engineering platform or a Dan had mentioned I missed a website that looks genuine and I put my details in. That person wanted those details has tried to trick me into giving them. They’ve got them but what they can’t do with them is anything with them. They can’t go onto the website, so they can’t go into certain platforms or certain portals because as soon as they use my username and password which i’ve accidentally given them because they haven’t got that something. I’ve been given that token, that two factor authentication, to actually approve that request to get logged in. So as much as that doesn’t negate the risk of losing your password it dramatically reduces the risk of someone being able to use it moving forward. And again that’s, for me, the most important thing which can be can be implemented. It’s a very simple, very low cost process. You know there’s these these platforms out there, I think is Dan mentioned earlier some of the securities included by design now, you know elements such as Office 365 have got a form of multi-factor or two-factor authentication included in that going hand-in-hand. They’ve got a free authenticator app which you can put on your mobile phone. It’s very very minimalist, it doesn’t do anything else on mobile phones other than approve that process and it’s the simplest easiest method which can protect you against that first attack. Can have two? So the second one is how do we educate people. You know how to do that and, again, there is simple software out there. Phishing simulator attacks which you can you can publish, you can send out to your employees, send out to your staff to see how many of these people are actually falling foul of these scenarios on a day-to-day basis. Long and short of it, you create campaigns on various different topics, you randomly send them out to your staff. They either click on them, they open them they do nothing with them because they know what’s going on, but you’ve got dashboards where you can log into and see “right, I’ve sent an email to James, Phil and Dan. Dan knows what he’s on about he’s not opened this in any way shape or form, one of the others has actually been curious and clicked on the link. Now if that was real there’s the risk to the business, but luckily it’s a simulation, it’s a test as such, and then you can go back to the to the MD, to the IT manager, the FD, whoever’s got the control of the IT within the business. Say “right okay, these are the elements, this is the training that needs to provided and this is the awareness that still needs to be raised internally” and those two things hand in hand it can stop a lot of the risk that we can probably see, and probably cut down a lot of 86% that that I mentioned earlier.

Phil: So what we’re getting at here again is something that we we’ve talked about talked about, probably harped on a bit for a long time, which is a layered approach isn’t it? It’s not just the two factor and the training, it’s every layer before that as well. Where your antivirus and your firewall and everything else goes into that process to stop that.

James: Can I have a couple Phil?

Phil: Yeah, go for it.

James: I would say to invest in a decent spam filter. Spam shouldn’t be something that you just accept. Have a spam filter that can block everything out. If you can take out 80%-90% of the obvious rubbish then that stops people from clicking on it, but also I think, I mentioned earlier on, because we’re all now working from home or working remotely, or a lot of us are, your business perimeter has gone all wobbly rather than nice and neat behind the firewall where it should be. The endpoints are now personal devices, so make sure that the endpoint protection is as fully featured as it possibly can be. If it addresses antivirus, brilliant. If it can also address malware even better. If it can address something like ransomware attacks, brilliant. Make sure you’ve got as many features covered as you possibly can.

Dan: Quick thing to add into this, one other, sort of fairly major thing that you can do which doesn’t cost you anything, other than really the time taken to sort of implement it in the first place, is you can use a system that’s called ‘least privileged access’. So the idea is that you only give your members of staff access to things that they absolutely need and to be able to do their job. So things like files they can access, software they’re using and even physical locations in your offices. Do you need your receptionist going into your server room, for example? Maybe you do in your case, but this is the question to be asked. And this ensures that, I mean 86% of companies have fallen to some sort of attack that has succeeded. In those cases where someone does get access to someone’s account, then they’re going to be limited to the things that they’ve got access to. And i think that if you’re not already set up for it, it can be it can take a while to actually set this sort of system up but it can massively improve the results on the sort of occasion that you do actually get attacked or breached.

Phil: I always like an analogy and I think that that we often compare cyber security to physical security and I think, like you’re saying, if you think about your office – who’s got the front door key and then who is allowed everywhere and actually which parts of my building do people not need to go to all time, and i actually just need a few people there. I think about that like our file structure as well. It’s the same situation and it’s obviously fairly straightforward. I think to think about for most it’s probably by department isn’t it? And you’ve got a few super users that could go everywhere? Does that tie in with what you guys see? Maybe to you Darren, although we can restrict that to everybody is it the fact that you’re Managing Director, or the Directors within the business, the Managers in your business, who have the most access are therefore the ones that the biggest risk and probably have to be most on their guard?

Darren: That’s right and actually. Just touching what Dan has just said, when we looked at when GDPR came in a couple years back one of the one of the main slogans, or comments was, there was to take “appropriate measures to mitigate risk” and you know that’s what needs to be done to protect you, to protect your network and as Dan mentioned, does the secretary need certain access to certain elements? Possibly not, so we can fully restrict that down the Managing Directors, the Finance Directors and the people that you mentioned at the top of the chain within the business. They want to have full visibility of everything that goes on and they’re the ones that actually, as a cyber criminal, they’re the ones that really want to be targeted. Which goes back to what you meant about the social engineering earlier. Do we social engineer and start at that secretary, do we go from the secretary and we move up a level, do we then move up a level move up level, to the point, where the Managing Director has had multiple people within their business? Speak to this person and they’re automatically assuming that this must be a trustworthy person because several people below have already spoke to them. And again that’s what that person wants to achieve, they want to achieve the highest level of access that they can get and if that’s the Managing Director, fantastic. They’ve achieved it, they’ve got through that that social engineering process built the way up the chain it’s not it’s not an overnight task. They do they can periodically do this over a two to three, to six months and that’s how long certain things can take, but ultimately they’re the ones that need to be protected the most I would suggest.

Phil: That’s a good point. Now, just coming towards the end of our questions and I think it’s a good one to speak to Dan about that. So one thing that’s very difficult to understand for users, is that sometimes we see what appear to be a hack that has no obvious monetary gain for the hacker. So to give to give an example, we’ve seen a lot of emails going around sharing files the link takes you to a Microsoft 365 login page. Obviously a huge amount of users use that for their email now. Somebody will unwittingly put in their details into that page giving away their username obviously and their password, probably most importantly. And then they don’t access the file, or there was nothing there in the first place, but then the hacker goes into their account and starts sending out more of these emails. Now on the face of it there’s no obvious monetary gain. They’re just constantly moving from one target to another, so how long can it be that a hacker is willing to wait to monetize that? And how can that transfer from being effectively a spam campaign into something where they get money out of it, whether that’s directly from the person involved or from someone further down the chain?

Dan: We’ve all seen the emails that have a Word document or a PDF attached in them that you download and open, then and it doesn’t seem to do anything. There’s no sort of instant payoff like you said. There’s a there’s a campaign that’s been going for, at this point, close to a decade called Emotet and that’s where most of these come from. The idea is that once you’ve opened it, it is on your PC and it will sit in the background and not do anything now. These sort of controllers turns into what we call a botnet, so when this happens on enough computers you now have control of, say, three million computers around the planet. If you want to do something that requires a large amount of processing power, now you’ve got it individual PCs on their own. For a person using them sure, fine, but for anything that needs huge amounts of processing power aren’t particularly useful. But now you’ve got millions of them all connected where the user and the owners of these PCs aren’t aware that it’s happened, but you can now put them to work farming cryptocurrencies or having them all send traffic to a particular website that you want to take off the internet with like a DDOS attack. Whether you want to then just have this sitting there waiting to deploy something else to them later on, whether that’s ransomware or some such software. So there’s a few different ways that you can go with it and it’s very important that you catch it before it happens because if they’ve already got past the initial antivirus checking files, they’re much more likely to just sit on that system until they do get activated or do get used by the attacker.

Phil: The fact that you mentioned the same piece of software has now been going for over a decade really says where the problem lies doesn’t it? When the solutions are available it is, as James and Darren said, about awareness here. And saying that that there are solutions for virtually all of these problems, and of course it is constantly changing and constantly evolving, but ultimately there are relatively simple fixes for most of the things that are coming out now. So just to come to the summary of this then James, do you want to kind of just give your view then on where we’re at the moment and what businesses should do next?

James: I think where we are at the moment is that it’s an ever-changing threat landscape. There’s stuff going on all the time it’s almost impossible, unless you’re interested in the subject to keep abreast of it all times. So I would say that most customers that I speak to have got a little bit of putting their head in the sand and hoping that they’re covered. They might have antivirus, they it might not be an updated so they don’t know it’s okay. So we’ve got something we’re kind of happy with, so it can’t happen to us. If I was going to give anybody free advice, it would be find out and make yourself aware of how safe, or not, your business is. If that means an audit, if that means a sit-down review of what access people have got inside your business, whatever. It is that first step. Don’t put your head in the sand don’t ignore it, it’s happening all around you and if it does happen to you it can have a massive effect in terms of time loss, of income loss, of customer satisfaction and all of these things can come on the back of a an attack which can stop your business from trading. So whatever funds you’ve got available, I would make yourself aware of what situation you’re currently in. That would be my best advice.

Phil: From a strategy point of view Darren, just as the final question for this this little session, as James mentioned, if the funding’s available, which is absolutely key and they’re actually building this in in terms of what you can spend it’s some respects, except it’s an open checkbook you could get going on forever and ever. How do you work with your customers to say well these are the priorities and these are the challenges? What sort of period of time should we be looking at when it comes to a cyber security strategy?

Darren: Well as in terms of period of time for a strategy, as James mentioned, it’s an ever evolving landscape so theoretically let’s do it on day one let’s get a good understanding of what you are, what you’ve got, where you are and then start building in how can we prevent some of these aspects from coming in. And then we’ll just look at that as a risk versus impact. Let’s sit down, let’s discuss, let’s have a grand conversation about “what is the chance of this happening?” versus “if it does happen what does that mean to you as a business?” and then work out a strategy based on that. I think that’s the easiest and the best approach of doing it. I don’t think you can really put a time frame on it because as Dan has mentioned this has been something that’s been going on for a decade so then actually there is no time frame. It’s let’s look at priorities, let’s start implementing certain aspects and let that evolve and let that grow based on what’s seen happening, The priority though is let’s get the first the strongest, the most risk resolved and then work backwards from there really.
Dan: One of the one of the common things that I think a lot of businesses tend to do is that they’ll bundle security along with the IT budget. They’ll have refreshes every three to five years whereas with security I think probably it needs to be, especially these days, it needs to be its own separate thing that you budget for and review at different time scales. Three to five years – everything changes in that time period so it needs to be something that you’re looking at near enough constantly, as the landscape changes as you say.

Phil: Excellent thank you all very much for your insight, your opinions and your views. Thank you if you’ve watched this and you’ve enjoyed it and hopefully we’ll come back with another one soon.