Episode 181: Security 101 With Ritesh Kotak
In this episode, Rob Cairns sits down and talks about online security with Ritesh Kotak.
This is one episode you do not want to miss!
- What is Log4J?
- Should I use a password manager?
- Tips for a small business.
- Phishing Schemes.
- Why you should be proactive instead of reactive.
- Can you recover from a security issue?
Hey everybody, Rob Cairns here. Today I’m here with Ritesh Kotak. How are you today, Ritesh?
I’m doing well.
It’s a pleasure to have you, and I thought we’d start by, could you give the listeners a bit of your background and how you ended up in the space that you’re in now, please?
So I’ve always been in love with tech and anything tech related. I remember my father came home with a Pentium 486 running Windows 3.1. And I remember seeing this magical box and taking it apart, but not being able to put it back together. And at that moment, my father could have very simply screamed at me, but instead, he and my mother were very encouraging and said, “That’s okay, do the best you can.” I remember, you know, not being able to put it back together; they took it, got it fixed, came back home, I did it again. Now I could put 50% of it back together. Before I knew it, I was actually building my own computers and programming and trying to make video games and just having fun with it. I never thought it would actually be a career for me. I always thought I was going to be an accountant. I actually did a degree in business and thought I was going to be an accountant, and actually graduated with two offers, one from an accounting firm and one from a policing agency, actually. And I remember going home and telling my mother, and she hugged me and kissed me and said, “I’m so proud, my son’s going to be an accountant.” And I think I’ve been disappointing her since; I actually ended up joining the police service. And I, you know, kind of deem myself a public safety professional, you know, working in tech related stuff, innovation related stuff, cybercrime. But then after seven years, it was time to move on. So I went on a journey to go get educated. I lived in Europe, I lived in Asia, did my MBA, worked in big tech. And then I kind of told myself, you know, where’s the puck headed, to use a Gretzky analogy, and I found that it was on emerging tech and getting the regulations right. We talk about AI, we talk about cyber, we talk about privacy. So I decided to go to law school.
And I’m currently finishing up law school, kind of specialising in tech law related issues. And, you know, that’s been the journey. So you know, it wasn’t a very traditional path. It was very untraditional. But here I am today.
You know, it’s funny, many of us have untraditional paths. And it’s amazing. But I think it also gives you good life and business experience when you go through this type of journey, and you don’t go just from point A to point B. And that’s really amazing. So one of the things I wanted to dive into, and I think it’s probably been a little bit overblown, maybe not, is the Log4j server issue that’s been going on. Could you break it down, just so people can understand it on a very grassroots, easy to understand level?
Sure. And you’re right, this is something that is taking the world by storm. It’s been a top trending story in tech circles, and in cyber security circles as well. So the best way to simplify this is: servers, databases and other components are needed to run the popular sites that we visit. These servers are kind of like the brains of these operations. Now with billions of users that leverage these different components of websites, there are issues that naturally will come up. You know, I clicked on this and it didn’t work, or what happened when I tried to download this stuff from this website or run a search, and I’m not getting the right results. And there are systems that log all these types of occurrences behind the scenes on the servers, and the most popular logging system was called Log4j. And in Log4j, a zero day vulnerability was discovered. So what is a zero day? It means that it was unknown. But it was in the wild and it was being exploited prior to its discovery. And this is very scary, because when an input, any type of input... so you talk about the complexity of these hacks. Well, in this case, one of the things that made it really scary was the simplicity of how a hacker could essentially exploit the system, and it could be literally from any type of input. So think about forms, search bars, even chats. And just by putting a string of characters in, these would then go into the logging system. And if you’re able to put in a particular string of characters, then essentially remote code would be executed, infecting the system, giving hackers access to the system, and taking over your data. So it made it really serious, given the fact of the scalability and how many servers actually use Log4j, which is the most popular logging system, but also the simplicity of how an attack could happen.
Yeah, it’s so true. And this one, from what I’ve read, there’s a couple of things. Microsoft last week reported a couple of ransomware attacks linked directly to Log4j that are out in the wild. So they’ve seen, I think it was two or three they’ve reported. And we’ve got numerous other vulnerabilities that have come out of this one. So I think, honestly, people just need to be aware it’s out there and get their servers, if they’re in the server game, updated sooner rather than later. Correct?
That’s correct. Right. And I think the thing here is there are updates available, you know, to patch the vulnerability, but also for organisations, you’ve got to do these audits. And the thing about cybersecurity is it’s not a checkbox exercise. It’s not something that you say you did, and then you don’t have to do it anymore, because hey, I did it. It’s continuous. It’s cultural. It needs to be built into the very fabric of the organisation. Because today it’s this, tomorrow it could be something else.
Yeah, it’s so true. Before we jump into, you know, what we can do for an individual or a small business, one of the things I think a lot of people need to be aware of in the cybersecurity side is a term called social engineering. And really, what that means is using people’s social ways, or people’s ways of doing things, to do a hack. So the hack isn’t a true cyber hack. It’s working your way around it. For example, I call up a company and I manage through a series of questions to figure out a password, or I walk into an office and, even worse, the password’s on the sticky note on the secretary’s computer. And one of the best books I’ve ever read about that subject is a book called The Art of Deception. And that was written by Kevin Mitnick. And he’s the hacker who has the claim to fame of bringing down the FBI website years ago. What do you think about that, that many hacks are actually caused by people and not actually the technology? Do you have any thoughts on that one?
So it’s getting even scarier, right. And I think with social engineering in particular, right, it’s kind of like this manipulation or trickery to get somebody to give up information, to give up, you know, sometimes pretty sensitive information as well. Now, there’s technology as a target, right? Clearly with Log4j, we saw how tech could be exploited to gain access to individuals’ information. But also individuals can be exploited as well. We’ve got to remember the type of society that we’re living in. We’re living in a world where data is readily available on individuals, and it might be in places where you might not necessarily think that people are actually able to exploit it from, right. So your Facebook profile, for example, might have a lot of information. Just think about the security questions, in some cases, that you use. I find the worst security question that I ever come across is “What’s your mother’s maiden name?” Yeah, it is so easy to find out somebody’s mother’s maiden name. There’s records: when you change your name, there’s a record that gets created. If we just take a family, let’s just look at it this way. We take a family. So you have a house, you have a car and you have a spouse and potentially, let’s say, children. Just the car in itself: if you purchase the car and you’re having it financed, there’s a lien on the vehicle. Well, that lien is actually searchable under the PPSA. Anyone can spend eight bucks, I think it’s $8, I don’t know if the price has been increased, and see if there’s a lien on the vehicle. And what it will tell you, I’ll tell you, is what type of car it is, the address to where it’s registered. So there’s information out there. You can also, you know, the house probably has a title, the kids and the spouse might have social media accounts.
Now you might not have a social media profile, and you say, well, Ritesh, I don’t have a, you know, what I call a digital footprint, but you have a digital shadow. And what information are other people putting up about you? And then remember, we hear about breaches, and we hear about hacks all the time. That information is out there, in cyberspace somewhere, and people can purchase that information. So, you know, we start getting into a world where data privacy is important. Protecting our identity is important, because the ramifications if we don’t are so grave.
Yeah, it’s so true. And people don’t realise, I mean, it could be something as simple as being mentioned in an article and your name showing up. I mean, it’s far reaching, and people don’t realise that. So on that note, what are the three or four really good things that people can do to protect themselves online, individually?
So there’s a couple things, right. So the first thing I would say, you know, we can speak from a technical standpoint, right, is what I call cyber hygiene. So that includes, and I know I probably sound like a broken record, but change your passwords frequently. Use strong passwords that include uppercase, lowercase, symbols, and numbers. And make sure that you enable multi factor authentication. You know, kind of those basic cyber hygiene things that you can do to minimise the potential of becoming a victim of a cyber attack. That doesn’t mean that you’re going to be fully protected. I think it’s a lot more complex than that. So that kind of brings us up into the other elements, and that is think before you click. The amount of these phishing, or in some cases spear phishing, related attacks has increased significantly, especially because a lot of us are spending much more time online now, the whole work from home element as well. And there was a rush to implement net new technology back in March 2020. And I don’t blame organisations for this. The idea was, how do we keep the lights on? How do we have business continuity when we’re living in a world of uncertainty? But at the same time, we didn’t really equip individuals with the right cyber tools to protect them. And I think that is one thing that organisations, you know, really need to take seriously: how do you actually, you know, cyber proof your employees, and individuals as well. And then kind of like the third big aspect is just know the type of data you’re actually putting out there. Because I kind of have two lines that I continuously recycle. And the first one is, there’s no such thing as delete. Delete just doesn’t exist. Once something’s out there in cyberspace, it’s out there forever. And secondly, we all love free stuff, right?
We love free apps, we love free tools, free plugins, we love free stuff. But if you’re not paying for the product, in this day and age, then you are the product. And you’ve got to ask yourself, what type of data is being collected on me? How is it being repurposed? Where is it being stored? Who has access to it? And these are some questions that you’ve got to ask yourself before you arbitrarily give up information to individuals and organisations. And those kind of three overarching things, I think, will help individuals stay safe in a social cyber digital era.
Yeah, and thanks for mentioning that people are the product. There is no such thing as a free app. And that’s what people need to realise: the cost of free is your data. So I’m really glad you brought that up. So let’s talk about 2FA, or two factor authentication, for a minute. You mentioned it. There’s three types. Well, there’s more than three types, but the big ones are SMS, which is text messaging; using an authenticator app; or using something like a third party key, like a YubiKey, or something like that. What are your thoughts on those three? And which one should you use, if at all possible?
Yeah, and there’s nothing stopping you. Now we talked about two factor; there’s nothing stopping you from using multi factor, right. So using a combination of factors to get in as well. Clearly, the most popular one is SMS based, but there are issues with SMS based systems, right. We talked about SIM swapping, for example, where, you know, essentially a number gets cloned or is hijacked. And we’ve seen an increase in those types of attacks as well. The most common is definitely these authenticator apps, whether using Microsoft Authenticator or Google Authenticator; these types of apps have really shown to be ways of protecting individuals. There are physical tokens as well that you must insert. You know, there’s some cheap solutions out there, but usually the really good stuff is quite costly to purchase and to implement and to maintain. But that also brings us up to, you know, another point is, no matter what type of multi factor authentication you’re using, you know, enable notifications. Know when somebody is actually logging into your account. So I have notifications set up on my accounts. So if a transaction happens with respect to my credit card, or there’s a net new login with respect to my email on a new device, I get notified right away. And if it’s not me, clearly, what I’ll do is I will go ahead and suspend access, I will change my passwords, I will look at the logs to see where that login came in from. But you’ve just got to be more vigilant. But which one is the best? I think in the future, we’re kind of looking at things like authenticator apps and passwordless worlds. My favourite thing to actually click on on a website in recent days has been Forgot Password.
I can’t, you know, how often, just given the fact that we’re always, you know, changing passwords. I know there’s password keepers and stuff like that. But passwordless is the future. And that’s going to involve authenticator apps. And even that is multi factor, because not only do you need to put in the right password to get in, now you’re using an app to authenticate, which is also using the factor of Face ID or a fingerprint or some sort of biometric to further authenticate you. So I think that’s the future. That’s what currently people are using. That’s what should be enabled by default by vendors as well for their products. It shouldn’t be something that you have an option to enable; it should be enabled by default. And it should be an opt out, instead of a sort of an opt in saying, you know, do you want to opt in to multi factor authentication? No, you already opted in. Do you want to opt out of it? And no one should. Yeah,
I actually read an interesting story to share about Face ID. And there was a case in the States where an unscrupulous ex of somebody managed to, shall we say, get her drunk and basically open her eyelids to unlock her iPhone using Face ID, if you can believe that. So I don’t think the technology is totally there yet for Face ID, but I think it’s getting there. And I think that’s a really good option. Do you have any thoughts on password managers to help get people to that point? Are they a good idea? Are they bad ideas? Should you, shouldn’t you? What’s your theory on that?
Again, I think we’re kind of moving to a passwordless world, but, just for anyone that is wondering what a password manager is, it’s essentially an app or a programme, usually there are some plugins that kind of plug right into the browser, that generates and manages your passwords for you. I’m torn on password managers. I personally don’t use them. But I can see how it could be of benefit. I have used them to generate strong passwords and stuff like that, but to actually store my passwords, I choose, I try not to. But that’s me personally.
It’s an interesting viewpoint. Now, in terms of small businesses, you know, a lot of them are so busy dealing with their core business, they don’t think about the security side. I certainly know, as somebody who works in the WordPress security space, they certainly don’t think about the website. What should they be doing at the bare minimum to protect their businesses in the digital world?
So there’s a couple of things I recommend small businesses do. And this is definitely something that’s really near and dear and close to me, because my parents are small business owners. I grew up in a small business; my crib was in my parents’ store. And I’ve tried to dedicate as much time to assisting small to midsize businesses on, you know, thinking about cyber and thinking about protecting individuals. I actually had an opportunity to testify as a witness at the House of Commons. And I clearly mentioned that we’ve got to get this right. We can’t say small businesses are the backbone of our economy, and if they get breached, you know, not only is that an impact to our economy and to the competitiveness of Canada, but also these are individuals and they’ve got families. And I think this is really important. And my advice to them is, you know, we know that the most common methods that hackers are using are, you know, phishing related, or credential stuffing, which is, if we just break it up, credentials are username and password and stuffing is when you just start throwing usernames and passwords at multiple sites to gain access. And because people, you know, they recycle usernames and passwords. And clearly, one of the things I recommend is don’t do that. So if there is a breach, people aren’t getting access to your other systems. But the best way to kind of summarise this is businesses are really good at protecting themselves in the physical world. Here’s what I mean: when the fire alarm goes off, people know exactly what to do. They’ve got fire safety protocols in place, they’ve got fire extinguishers and smoke detectors. But when it comes to cyber alarms, they don’t know what to do.
They haven’t invested in cybersecurity, they don’t know who to call, they don’t have, you know, kind of like the 911 for cyber, they haven’t thought these things through, they haven’t done these drills. Employees don’t know what to do and who to contact. If the fire alarm goes off at three o’clock in the morning on a Saturday, and you’re the only one in the office, for whatever reason you’d be in the office at that time, you still know what to do. But what would you do if it was a cyber alarm? So we practice fire drills, but we haven’t really practiced cyber drills. So if we start thinking about it from that perspective, we start to think about incident response plans, we start to think about, you know, proactive cyber measures instead of reactive cyber measures. We keep up with the updates. For smaller organisations that can’t afford cybersecurity professionals because they’re expensive, you know, think about using some sort of managed service provider, or, you know, bringing in some consultants that can actually help them audit their systems, help them secure their systems. And it doesn’t have to be expensive. The cost of a breach will significantly outweigh the cost of being proactive and having backups and training your employees and knowing who to call when something happens, so you can have business continuity and restore your systems to get back up and running and mitigate against future breaches. These are all things that small businesses are very good at doing in the physical world, but they’ve got to get much better in the cyber world.
So true. And one of the things you touched on was backups. And one of the biggest things I see with small businesses is they all take backups, every one of them. But many of them have never actually tried to restore that backup before it’s needed. And I’ve seen many, many cases over the years where they say, Oh, I’ve got the backup, great. They go to the backup and the backup doesn’t work. And I think they have to be a little more proactive, because the backup is only as good as the ability to restore.
That’s absolutely it, right. And as we said, you know, we practice fire drills. We’ve got to practice cyber drills, and one of those things is: the lights go off. What do you do? Who do you call? How do you get your systems back up and running? And you can’t test this when no one’s working, you know, on a Saturday or Sunday at like 2am, when only one or two people might be working, or there might be no one working. That’s not the time to test this stuff. The time to test this stuff is during your busiest time of operations, to see kind of where things fail, what needs to be improved. And even with the backups, right, you want to ensure that these backups are done in such a way that if there is ransomware on the system, or the file system does get corrupted, it doesn’t corrupt the entire backup as well. And I think that is important to know. So you have, you know, specific backups of essential data, but you should be doing system backups, right? So your operating system, your files, essential data, and then going on the assumption that things are going to go wrong at some point and doing a cyber drill during your busiest time of the week and seeing what happens. And then kind of regrouping with your staff and going through it and saying, Okay, let’s go through this. What worked, what didn’t work? What do we need to improve? Where are the gaps? And filling them.
I know of a case recently, Ritesh, where a store owner got broken into. He was doing backups to a USB hard drive, and the USB hard drive was right next to the computer in the store. So the problem with that is that doesn’t protect you against a fire, a theft or, you know, any other damage to the facility. In this case, the thief took the hard drive and the computer and threw it against the floor in frustration. The hard drive was damaged, but fortunately not past the point of data recovery. The data recovery costs on the hard drive were over $5,000, not uncommon. And this all could have been avoided by, in my opinion, a couple hundred dollar backup solution: even back up into the cloud, and not keep everything in one spot.
Yeah, so cloud backups, I think, you know, or any type of off site backups, are essential, right? Your data can’t just be in the same physical location where your systems are. You’ve got to build in redundancies, you’ve got to account for those factors. You know, I always say, like, if there was a fire and everything burned down, would you still have access to that data? And if the answer is no, then you’re not doing your backups properly.
Yeah, I would 100% agree with you. Moving forward, and we’re almost, at the time of this recording, at the New Year, and I don’t think personally the cyber attacks are going to get less in 2022. I think they’re actually going to get worse. What are some simple New Year’s housekeeping things, beyond everything we’ve talked about, that you should do?
Well, I think we kind of, you know, discussed it. But you know, just to reiterate, I think that cyber hygiene bit, I think that’s really important. And, you know, make sure that you’re using different usernames and passwords for your different accounts. And, you know, enable that multi factor authentication, make the backups. You know, another tip is, you know, the fact that we’re in the midst of a fifth wave right now, and more and more people are actually doing online shopping as well. And, you know, just be cognizant of the type of data that you’re putting up. Ensure that the site that you’re putting your data on is secured. The best way to check for that is look for the padlock symbol in the browser, or the S in HTTPS; the S stands for secure in the URL. So if you’re going to a website, make sure it says https colon dash dash and then www dot whatever website it is. If the S isn’t in there, don’t give your credit card information and your personal information on it, because it’s not going to be secured. So I think, you know, kind of those small things. I think what we find is a lot of these high tech crimes are really low tech ways of victimising people. So, you know, just the best way to avoid it, and to ensure that you’re able to get up and running in the case that something does happen, is just the stuff that we discussed: the cyber hygiene, the backups, you know, being cyber safe, thinking before you click and doing those updates on your devices. You know, I can’t emphasise enough: if you look at your phone right now, and you look at all your apps, and there’s updates there, you know, those updates, the majority of the time, aren’t net new features on your app; they’re security updates. So do those updates.
No, I wholeheartedly agree with you. Thanks very much for your time today. If somebody wanted to get a hold of you or ask a question, what’s a real good way?
Sure. Visit my website. I’ve got a contact form there. It’s Riteshkotak.com.
Thank you very much, Ritesh.