Show Notes

Episode 124 Talking Cybersecurity With Christopher Wright

00:00

Hey y’all, Robert Cairns here with the SDM show. In today’s podcast, I sit down with Christopher Wright, a security expert, and we talk about all things computer security, including the latest SolarWinds debacle. So grab your favorite drink, please sit down and enjoy this very insightful conversation I had with Chris.

00:33

It’s free for everybody. Rob Cairns here, I’m here with my friend Chris Wright, who is a well known security expert. How are you today, Chris?

00:43

I’m good. I don’t know if I’d say I’m well known... well known around these parts. But

00:48

Yeah, that’s not a bad thing. No, I mean, local, local is important. How did you get into the computer security, IT side of business, personally?

00:59

Oh, well, on the IT side of things, I’ve always been around computers. I was programming in third grade, a long, long time ago, on black and green screens. But I got into cybersecurity when I was in the Air Force. I was an officer in the US Air Force for about 12 years, and about three or four years into that I got pushed into, I guess effectively, a cybersecurity job. We called it information operations. I worked a lot with people who did, like, psychological operations, military deception, intelligence work, things like that. So it was a bit of a different path into it. And I always tell people that colors how I look at cybersecurity, you know, as being not just a technical thing, but there’s a lot more to the discipline than just the IT side of things. But that kind of started me down the road. And then, through some other jobs in the Air Force, I spent some time with Air Force Space Command, doing some security testing on their ground systems all over the country, worked for the MITRE Corporation for a while doing testing on US federal government agencies and contractors. I moved back to Arkansas after traveling the world for many years and worked at FIS, a global financial technology payment processing company, built and managed their vulnerability management program there, and then stepped out on my own, freelanced for a little while. And then about two years ago, joined up with one of my freelancing partners and created an IT and cybersecurity services business that focuses on other small businesses here in Arkansas in the region.

02:46

Yeah, that’s, that’s a really interesting path, different from how a lot of people have gotten into that. And I’m like you, you know, I started in technology and started in programming probably when I was 15, or 14, or 13, or something like that. So I’ve been around them forever. So I get that side of it. As we jump into this cybersecurity, we might as well hit the big story of the last two weeks we were talking about before we started recording, and that’s SolarWinds. What does that mean for the average person? And kind of to preamble it a little bit, for people who don’t understand, SolarWinds is a cybersecurity firm that was hacked in the last couple of weeks. They’ve got ties to the Pentagon, they’ve got ties to all major banks in Canada and the US, and they’re kind of everywhere. So what does it mean to the average person?

03:41

Um, in a lot of ways that’s yet to be determined. Kind of the direct effect on the individual is very minimal. SolarWinds has been around for many, many years. They’re a really well known network management tool developer and vendor. So kind of in large data center environments, they’ve been around for 20, 30 plus years. We used them years ago in big data centers in the Air Force. We had their tools, they were kind of the pristine, you know, top tier tools that we could get our hands on to manage our data centers or different testing environments and things like that. But there’s a lot of kind of nuance to it. There is a portion of SolarWinds that works with small businesses and works with businesses like ours that manage IT for other small businesses. But so far, everything I’ve seen says that portion of SolarWinds was not affected by this. It was just the larger network management tool portion of that. So we’ve had to answer some questions, as some of our businesses, we have a peer and competitor, you know, we say competitor because, you know, technically they’re a competitor around here, but everybody in the IT space knows each other, and our guests are mostly, and we all get along pretty well, we’re all friendly with each other. But, you know, they use that small business managed service provider platform. And so we had some worries on some clients that have come to us from them, that we’ve had to kind of talk people off the ledge for recently. But really, when it comes to, you know, kind of the everyday person, we’re going to see effects here like, potentially more like what you would have seen from like Target or Home Depot or the Equifax hack, probably that’s the closest that’s going to get to the everyday user. The biggest, I think, portion of this, the takeaway, is that this was a nation state attacker.
Most people have attributed this to the Russian intelligence services. And that is, you know, they have different motivations. We look at people, and we think that people are just hacking to get money from you or something like that. And there are quite a few attackers out there, like organized crime and some small scale, kind of small scale beginning-to-organized-crime type attackers. They’re really hard hitting after money. So they’re trying to get money from people. Well, nation state attackers are really trying to, you know, kind of do one of two things. And that’s to gather information or gather intelligence, or disrupt different systems that kind of allow our country to operate, allow our society to operate. And so we’ll see the full fallout of this. And we’ve been watching these kind of attackers. I mean, my first day in cybersecurity back in 2004, I was, you know, an article was dropped on my desk talking about Chinese attackers getting into the Department of Defense and their contractors and stealing information on the F-22 and the F-35 Joint Strike Fighter to, you know, be able to create this on their own, in their own military. And so the Russian intelligence service operates somewhat like that, but they also kind of operate along the long, you know, long, centuries old historical precedent of Russia just kind of sticking its thumb into things just to mess up the waters. They’re, you know, they’re not always looking to get, you know, classified data, intelligence data, design data or anything like that. Sometimes they’re just trying to muck up the works in other countries. And that’s, I mean, this has been a long standing kind of Russian thing, since, you know, what, Catherine the Great, so we’re talking hundreds of years that’s been there. That’s been kind of their country’s modus operandi.
Which, that’s what, when I look at these things, I always say that I have a little bit of a different perspective in cybersecurity, because I worked in that intelligence world when I first got into it. And you can look back and see, okay, when the Chinese attackers attack, they’re looking for this. Russian attackers attack, they’re looking for this. North Korean attackers attack, they’re looking for something else.

08:10

Yeah, so true. And nation state attacks happen all the time. Like, I’ll give you an example. And I’ve been caught up in a little bit of one lately. So CRA, which is the Canada Revenue Agency, just similar to the IRS, they were hacked three times in the last year. And recently, I went through an incident a couple of weeks ago, where money went into my bank account, money came out of my bank account. But because I’ve worked on my own until recently, my account number was nowhere except for my wife, myself, and the Canada Revenue Agency. So I can attribute it directly to somebody having access to my account information from CRA. Now what I can tell you is the money that went in my account went in via China, and the money that came out of my account, which was the same money that went in, was trying to go to another Canadian bank. It’s, it’s thousands, money laundering, to be honest, yes. But again, everybody’s saying, how’s that possible? Where’s your debit card? And I said, it’s my bank card sitting in front of me. So things do happen, but you have to be aware of what’s going on.

09:26

Right, Chris? Oh, it’s so much more complex. I think a lot of people, when you’re talking to kind of your regular average person, you know, they don’t understand the complexity of where all this data flows, and just how easy it is to get these kind of things. I mean, you know, the fact that your credit card number is, you know, it’s just an algorithm to generate that number, to determine if that number is a valid number or not. You don’t need to have stolen your credit card number to actually, you know, use that credit card number. And even, you know, it’s harder to kind of guess those things with all the additional protections that we’ve put in place. But even with that, your credit card number flows around in so many different places that, you know, we don’t even know. You know, people who want to kind of go off the grid, and, you know, I don’t know that that’s really truly possible in the year 2020, 2021 anymore.

10:24

I would agree with it. A lot of people think cybersecurity starts with social engineering; it’s a big problem. We’ve all heard that term. There was a hacker, and I’m sure you’re aware of him, a guy by the name of Kevin Mitnick. You know Kevin? Yeah. And he wrote a book called The Art of Deception, which is one of my favorite books. He’s still the FBI’s number one security consultant after going to jail. And for those who don’t know, Kevin’s business cards, it’s actually a lockpick kit on his business card. And he talked in his book about the whole advent of social engineering and working your stuff through. What do you see out there, what your company’s doing with social engineering? Yeah, so

11:16

that’s the biggest threat that we see to the small business arena. Small businesses have so little network kind of space, you know, they’re not, you know, what we call the attack surface, you know, they have very little that’s actually visible on the internet. And the real way to get into a lot of these small businesses is through the employees. And so we put a lot of emphasis on training and finding the right kind of augmenting systems to handle these social engineering attacks. I say augmenting systems because, again, a lot of people that are, you know, totally technology focused, when they come in, they just want to, they want to start, you know, what technology solution can I put in place to fix the problem? And specifically in social engineering, that has been the wrong approach. And for many years in cybersecurity, we just said, hey, the user can’t be trusted, let’s, you know, make it work so they don’t need to take it, they don’t need to make a decision, or they don’t need to make a choice. And we’ve failed miserably at that, because we have not taken into account, you know, that these social engineers are doing everything they can to bypass those technical controls you put in place. And those technical controls take so much more engineering than just educating the user to say, this is what this looks like, be wary of this. And when you teach that computer to be wary of something, it’s very exacting, that signature has to be perfect. And it has to match that signature perfectly for that computer to take action. But when you train that end user, the end user goes, well, this kind of looks a little bit like what Chris told me about, you know, a month ago. I’m going to call somebody up and, you know, get a second opinion on this parameter, you know, send it over to Chris and see what he says on this.
And so that human brain works a lot more, you know, kind of, it can branch out, and it can, you know, see things that look kind of like something, but that triggers those hairs in the back of your neck to stand up and, you know, you question that and ultimately not click on it, not run that software, not open that document, not enter your credentials, not do the thing that the attacker wants you to do.

13:36

Yeah, it’s so true. And I can remember, we were talking before we went to record that I worked with one of Toronto’s biggest hospitals. And I was actually the team leader for the on call team for client services. So we got all the front end requests, and I can distinctly remember a night where somebody put a helpdesk request in, and our operator who was working called me at home and said, Rob, you’re on call. What do you think? And I said, honestly, don’t change his password. Don’t give him what he wants. If he wants to scream up to, I know, a VP level, let me deal with it. Just say no. And it turned out, he was a legitimate, and even tried to scream to the CTO at the time. And the CTO got me on the phone and said, you’re saying no? I said, yeah. I said, you want him in your network? And it turned out, after investigation, the next day, he was trying to social engineer himself, on Christmas Day of all days at midnight, into the hospital network. And we picked up on it, and it turned out he was a total fraud, had no authorization, no nothing. And it was just, you just got to learn, you’re almost better to say no and let it fall where it falls than to do something you shouldn’t do. Right?

14:56

Yeah. That’s what I tell users all the time. Look, I’d rather have you call me and have me spend two seconds telling you that something is legit or something is not legit, than you not call me, fall for it, and then for us to spend weeks or months trying to clean up the mess. But the intricacy of it’s amazing. I did, several months ago, actually, probably over a year ago now, I did a story with a local reporter here in Iraq, and she had been socially engineered by scammers trying to get into her bank account. And the scammers had her on one line and had the bank on the other line, and were basically pretending to be the bank to her and pretending to be her to the bank, and relaying information back, getting the second factor authentication data from her and relaying it back to the bank. And they were kind of playing man in the middle over the phone in real time, you know, against this person who did not, you know, at the time, know what that was. And, you know, once she found out that she had been attacked, and, you know, successfully socially engineered, she’s like, I need to go do a story on this and make sure that everybody else knows what’s going on. And so we did a pretty in depth kind of exposé on that, to get the news out. But when she told me that, I was like, wow, that’s intense, you know, for something that’s kind of so individualistic, and is going to get, you know, probably so little money out of somebody. That’s a lot of work for an attacker to put into that.

16:43

Yeah, it sure is, actually. As we move on to small businesses, what’s a couple of wins a small business could do right away, that you would say?

17:01

There’s... I can think of several off the top of my head. First and foremost would be get your employees in training. Probably that’s easiest and quickest, even though it’s not perfect, that security awareness training. And anything that’s really a process, or anything with humans involved, is not a perfect solution to any of these problems. But it does give you so much of a return on investment, especially in small businesses. Because the small business employees usually feel more like they’re part of the family, so that business is theirs just as much as the owner’s, at least in our small businesses that we work with, where you’ve got people who have worked there for decades, you know, they’re just as much, you know, in that business as the owner is in that business. So, you know, making those kind of people aware of what’s out there, because they want to do good, they want to be able to protect the business. But if you don’t give them the knowledge that they need to do so, they find it very difficult. Another thing would be to make sure that you are applying your security patches regularly. You know, kind of those two things are the two good first parts of that defense in depth aspect of things. You want to make sure that you are patching those vulnerabilities and those holes that have been discovered, because that’s what’s going to be used in a lot of cases when those employees can’t be socially engineered. So I would say those are probably your, you know, if you’re not doing anything else, and you’re not thinking of security in any way, shape, or form whatsoever in your business, those are the two first things that are going to get you the biggest return on investment. And they’re going to cost you very little.

18:55

And of course, the third big one is to make sure you have a backup. So if you have to store data anywhere, you could do a restore. And by default, test your backups, please. I know of at least three clients, and one was a web client who I picked up, but I know of a couple of situations in business where they’d been backing up for three years, and it turned out the backups weren’t good.

19:21

Yep, so there’s a laundry list of things that you can go into there, and backups are extremely important. And yeah, definitely if you’re not testing your backup, you might as well not even be backing things up. Because if you don’t know, I mean, we’re not gonna play Schrödinger’s backup here. You know, you both simultaneously have a good backup and a bad backup until you test it.

19:42

Yeah, so so true.

19:44

That’s a great way, and it’s becoming a little less of a silver bullet in the ransomware world. Now the ransomware attackers are starting to leak sensitive information, but it is still a pretty big help to have that backup where you can look at that ransomware attacker and go, look, you don’t really hold my data hostage because I have backup copies of it.

20:06

So true. Virus scanners, a favorite, a contentious topic. Because I personally, as somebody who understands security more than most people, I don’t run one. Now, I don’t suggest to the average person you do that. Do you have any theories on that? And what works well, what doesn’t work well, what you should do or not do?

20:32

Yeah, we have, I have this conversation all the time. Virus scanners are not in any way, shape, or form the end all be all. They’re a 1990 solution to a 2020 problem. They will still help you with that low hanging fruit, you know, they will find things wherever they are. I still get emails from Office 365 that said, we can’t deliver this email to you, because it has a piece of malware in it. So it’s still capturing things out there. I heard 30 to 40% effective is about as good as I’ve heard. That being said, though, it’s still a very important thing to have in the business, and it’s more for that peace of mind, to the business owner or to that decision maker, that we’ve got that, you know, kickplate for the low hanging fruit to trip over, so we can catch them early before they do anything. Now, our biggest, when we’re working with antivirus, our biggest look is we want central management. So I want to be able to go to a website, I want that single pane of glass, for us, for all of our clients. If you’re doing it for one business, you want a single pane of glass over all of your endpoints, so all of your computers. You want to be able to update those signatures regularly, automatically, regularly. You want to be able to do on access scans and on demand scans. So whenever, you know, whenever one of your users accesses a file, you want to scan it, and then you want to run through a full scan on a daily or weekly basis. Yeah. And that kind of covers those bases, you know, the very basic level of antivirus stuff. But one more thing, or a couple more things that we look for, is that endpoint protection aspect of these. We want to be able to, and our clients, we don’t have the luxury of being able to go install all sorts of really fancy, expensive pieces of equipment on the network. So one of the things we do with our antivirus and endpoint protection solutions is to do content filtering.
So we want to keep the end users from being able to go to pornography sites or gambling sites or known hacker tool sites or other things like that. So, you know, that’s another one of those kind of layers in the defense in depth scheme that we use to protect the users. We also, a lot of our clients are healthcare and financial companies, since we tend to focus on kind of the regulated businesses here. And we can do things like prevent the use of USB drives. So we can prevent somebody from coming in, plugging in a rogue, potentially infected USB drive and introducing malware onto the network. At the same time, we can prevent somebody from inadvertently or intentionally taking sensitive data off that network for nefarious purposes, or even benign purposes, just without the knowledge that what they’re doing is a wrong way to solve that problem. And, you know, we can do more things like application control with that, to say, I don’t want the user to be able to load any applications except for these specific ones. So we really focus more on that endpoint protection side of things than we do the antivirus side of things. But you still need the antivirus, just for that low hanging fruit.

24:01

As somebody in a small business who was going to run to a store and buy an antivirus, do you have a recommendation or no?

24:08

So we use Bitdefender currently in ours, and you’re typically not going to run to the store and buy it for your small business. You’re going to go through, you know, kind of a business portal online to get it. I would heavily recommend that if you are trying to set it up in a business, that you’re not just going to the store and buying licenses, because that will typically be for home use, and it’s not going to give you that single pane of glass view into your organization.

24:37

Yeah,

24:37

I know

24:38

what you mean. It’s a euphemism, but I just wanted to make sure that we have that across, because there are a lot of small businesses where their solution eating on the computer is to go to Best Buy and buy that $300 computer off the shelf that all fell apart in 66 months. Yeah.

24:51

And they do things like that. I know when I was in health care, we were a McAfee shop just because McAfee has a central management tool. Norton 365 is a central management tool. But what I find with both of those is they tend to be resource heavy. Yeah, yeah. I know, for home use, what I usually recommend to people for home use is to go to some wacky set just because the footprints are a little smaller. But ya know,

25:25

Yeah, we use, so we used Trend Micro in the past, we use Bitdefender now, and both of those have good management consoles and good levels of additional endpoint functionality. We’ve had issues... another one there, Sophos, kind of, we’ve looked at Sophos. It’s a little bit more expensive. Bitdefender and Trend Micro tend to be a lot more cost effective for us. The McAfees, the Symantecs, they’re good tools, they’re good tools for very large organizations. We used McAfee in the Air Force, and we had millions, if not billions, of dollars of contracts with them for that kind of stuff. And, you know, rolling out over, you know, a million endpoints is nothing to sneeze at, but those do tend to be very resource heavy. And if you are not going out and buying that fastest computer every time you get a new computer for your company, or if you’re heavily dependent upon making those computers last long, then the resource hogs are gonna impede on your kind of hardware buying strategy. Another one that we don’t like is Webroot.

26:43

So dislike Webroot. It’s

26:46

it’s consistently lambasted for its kind of low quality, and that 30 to 40% I mentioned earlier is even lower for Webroot. A lot of small managed service providers use it because it’s free to them, and it’s provided through their MSP software providers, but we just had very difficult times with it. It’s not very good, it doesn’t have a whole lot of extra functionality. But MSPs that are focused solely on how much money they can make typically see that, you know, it’s a free offering, or it’s included with their tools. And so they see, well, I can charge you for antivirus and I’m not paying for it, so that’s just pure profit for me. To look at the world that way... we look at it, you know, in a lot better of a way. We want to be cost effective, but at the same time we want to deliver tools, processes, and, you know, kind of things that make sense for the business, rather than just looking at it from a spreadsheet and profit motive standpoint.

27:51

Yeah, so true. Passwords, my most unfavorite topic of the world in the security space, we know. And you know that a lot of breaches are because of weak passwords. People use stuff they shouldn’t use, they write passwords down, they throw them under the keyboard. I can recall years ago walking into the hospital data center and finding two system passwords underneath the keyboard, and looking at one of the tech services guys, and saying, so what the heck is this? And why? You know, we’ve all seen it. Thoughts on passwords and things like password managers. Do you have any thoughts around that?

28:35

You just opened up a Pandora’s box there, buddy?

28:38

I know I did.

28:41

I’ve got lots of thoughts there, you know. And we talked about those passwords under keyboards and things like that. Whenever I talk to people about passwords, you know, I have to explain to them that all these different, like, this whole ecosystem of passwords is this thing that’s been building up over decades. Yeah. And generally, password managers are a good thing. People talk about, well, you’re putting all your eggs in one basket. It’s like, well, if you pick the right basket, it’s very well protected. And that’s a whole lot better than really the other side of that, which is using the same password in every website and every login that you have, you’re just reusing that same password over and over and over. And I cannot count the number of times that I have seen reports of a breach, or even people that I know who have had all sorts of systems or online sites compromised because they just kept reusing that same password over and over and over. The best thing about password managers is that you create one strong password or passphrase. I typically recommend a passphrase for your master password in that password manager, and then you don’t have to remember any of the rest of those. You just need to create a very memorable passphrase to get in there, and then all your passwords are stored in there. I typically, I’ll use my password manager to generate passwords for me. And so do I. Yeah, I just reset a password this morning for Bitdefender of all things, because I, you know, was running up to the time that it was gonna expire. And all I did was hop into Bitwarden, generated my 50 character long password of uppercase, lowercase, numbers and special characters that was completely random, pasted it into Bitdefender, updated the record in Bitwarden, and I’m good to go. You know, I don’t have to worry about thinking of a password or anything like that. But, yeah, password managers are great.
They have so much functionality in them, so many... The biggest password issue that we see, like I mentioned, is password reuse, where you’re just reusing these passwords over and over and over, which allows an attack called credential stuffing. And if you remember the Spotify note from about a month ago or so, where they said they had, you know, 300, 350,000 accounts hacked through a credential stuffing attack, you know, basically taking advantage of people reusing passwords, and they had to have people reset their passwords because they were a part of that attack.

31:27

I know. I’m a Spotify user, and I think I got swept up in it, and my Spotify password was a random password. So yeah,

31:36

Yeah, yeah, I didn’t, I read the article. I never heard a thing from Spotify, because, you know, mine wasn’t attempted, I guess, because I don’t have any passwords out there that are easily noticed to be reused passwords. But I went through my passwords years ago, in a previous password manager that I was using called LastPass, and went through and used those internal tools to figure out which passwords I had that were just reused. And I went and changed them all. And so now, pretty much, unless, you know, there’s very few passwords that I actually have to remember. But for the most part, I don’t have to remember them because they’re in there in my Bitwarden password manager. And so I don’t need them to be the same so I can remember them, I don’t need them to be short so I can remember them, I don’t need them to be memorable. But, you know, create those long passwords using the random password generator where you can. Or where you can’t use random passwords, where you have to remember them, create long passphrases where you just take, you know, four or five random words and kind of smash them together. Or something that’s very unique to yourself, you know, a sentence. I usually use the example that my nephew, my 10 year old nephew, will eat guacamole with a spoon. And so I use the example of, you know, my nephew James eats guacamole with a spoon. Yeah, and most modern platforms will take that long of a password. Nobody’s gonna guess that. Yeah, you know, except for the fact that I just told you, but

33:18

Yeah, I get where you’re coming from. I mean, I’m at the point in our household, and for my business, I’m a LastPass fan. But choose one. I mean, they all do a good job. I actually have the family plan. And the reason I do is because if my wife needs access to something, or something happens to me, then she can get at stuff. And they’ve actually built in tools to say, okay, something happens to me and I don’t, I don’t log in within x period, they’ll actually send somebody you designate your information, if you set it up that way. So they’ve actually got that in their database. And one reason why I like them is, as far as I know, they’ve never successfully been infiltrated, that I know of. They had a scare about a year ago, and then they came back and said, oh, by the way, it was a false one. So they’re pretty tough in that space. And in some ways 1Password is, so are several of the big password managers. I think you just have to choose one, right? So

34:28

As long as you’re going with a well known one, and, you know, you can do some research on it. But LastPass is one that I’ll throw out. People will, well, you know, the putting your eggs in one basket argument, and I’m like, there’s plenty of code audits for these folks. They’ve been attacked before. There’s one guy especially with LastPass, there’s a guy at Google, Tavis Ormandy. Yeah. And he works on Google Project Zero, and he loves to hammer at LastPass. He’ll do something, and he’s working on this, you know, as a Google employee, and he will, you know, find a flaw or something, and he goes through and does responsible disclosure to LogMeIn, the owners of LastPass. And they will fix it, and they’ll come back down and they’ll make a big PR thing of it. It’s like, hey, look, we’ve got this great security researcher that found an issue, reported it to us, we fixed it, you’re that much more secure now, because, you know, we have these people that are looking out for your security. But, you know, things like LastPass, Bitwarden have gone through numerous, numerous code reviews. Bitwarden’s code is open source as well, so anybody can go out and look at the code, you know, look and see what those, you know, kind of what sort of audits, what sort of tests that they go through for these cloud based platforms. And there’s, I mean, like you said, there’s a ton of them out there. You just got to go and look and read up on them and kind of look for those sort of Consumer Reports kind of comparison articles about which one, you know, does this thing better than the other, what they offer and that kind of thing. Because, you know, like LastPass, I used it for a while. Within my company, my other working business partner and I will have to share some passwords back and forth, even though I don’t like sharing passwords like that.
But there are some services where we only get one account, and we have to share that account. And we do the exact same thing you do with your wife. We do that within Bitwarden. We just say, hey, look, this needs to be shared, we’ll share it under the solid OneDrive technologies folder. Yeah. And then either of us have access to it if one of us gets hit by a bus or wins the lottery and moves to Fiji.

36:57

Which you wish, but

 

37:00

Well, long ago, when I would get up and talk to folks, especially when I was doing security testing for the government, I would get up on every test and talk about all the flaws we found. And I used to say, well, what happens when you get hit by a bus and you don’t have anything documented? And one of the folks in the out briefing came to me and said, why does it have to be hit by a bus? You know, why can’t we just have won the lottery and, you know, immediately quit our government job and moved to Fiji? So we just kind of throw both of those in there now, you know? Yeah.

 

37:36

That’s a really good discussion. And I think the key is just to do something. And please don’t leave your passwords beside your computer, it’s safer. So let’s go to backups, because that’s the key. We talked a little bit about it earlier. I’m a big fan of a 3-2-1 backup strategy. First of all, I’m also a big fan of off site backups. I should tell you, I own two Synology NAS servers, one at home and one off site. I think Synology has got some cool little software to actually sync two NAS servers and keep them in sync. So that works really well. That’s overkill for a lot of people. But I also know a story. There was a well known tech journalist about two years ago, his name I shall not mention. He had his computer stolen out of his house. And guess where the backup drive was? Sitting on top of the computer. Bang. So not only did the computer go, the backups went, his writing went. What’s a good way for a small business to do backups, if they’re not going to spend a lot of money, which they probably should, but

 

38:47

I mean, that’s just it, you do need to spend some money on that. And unless you have multiple sites, then you’re probably going to go with a cloud based backup platform. We use two different, distinct backup platforms at our company. One of them we kind of built on our own, and it’s a less expensive one for the end user, but it requires them to have somebody like us to do the work, and requires that they buy a small server, or we can create a virtual machine within their environment, and that’s their backup server on site. And then that backs up to a server in our office, so it’s off site for them. We have another vendor that we use that does a similar setup, but they’ve got a lot more features in there. If you get anything but their lowest tier platform, they send a network attached storage very similar to your Synology. You end up buying that, and that sits in your office somewhere, and then you back up to their cloud platform. And the good part about that is if something happens and you’ve got to recreate that server, you can do it practically instantaneously in the cloud. And as part of that service they give you, I think it’s 30 days of cloud operations. So you know, if, heaven forbid, your building burns down, you can regenerate that server in their cloud infrastructure, and you can set up an office somewhere else, or you can be working remotely or whatever. It just takes a little bit of IT work to get everybody, you know, turned away from your now burned down office server to that cloud based server. So it really takes a lot of that fear and uncertainty out of disaster recovery.

But, to go back to what you were talking about, about the tech journalist, having that backup drive, you know, a little local external drive, is probably the worst way to even back up, for all sorts of reasons. Those little drives are not always that sturdy. If you’re banging them around and moving them around a lot, they don’t have that long of a usage life. If you do have to carry that around with you and your computer gets stolen, well, your backup disk gets stolen as well. So now you’re kind of SOL for everything. And if you keep it plugged into your computer, that’s not a real good solution to prevent ransomware, because that’s a mapped drive. You know, it’s just like your C drive, it’ll be your D drive at that point, or whatever. And the ransomware is going to see that just like any other drive, and it’s going to encrypt that as well. So effectively, it’s not even a backup to prevent ransomware there. So you really need to have something like one of those cloud based backups, whether it’s something where, you know, you have a server and it’s really built around an office network, or if you have something where you are installing an agent on your workstation, or each of your workstations if you’re really, really small and you don’t have office infrastructure. You know, that’s probably the better way to go, where you’re backing up to like a SpiderOak or a Carbonite or something like that. So you have access to that if you do lose your computer or your computer crashes. All you have to do is get a new computer and go restore your files.

 

42:33

And I actually just know from experience, Carbonite, not that the others aren’t good solutions, is a really good solution. I had a diabetic crash 12 years ago and was in hospital for three weeks. Came out of the hospital, turned my desktop on at the time at home, and all I heard were the words chunk, chunk, chunk. The hard drive died. I went to the local tech shop, picked up a new hard drive, put the drive in, did a restore. I mean, choose one that works well for you. That’s the key. Interestingly, Carbonite is now Canadian owned, and they were sold for over a billion dollars to a Waterloo, Ontario firm. So there’s everything. Pardon?

 

43:22

Everything is in Waterloo.

 

43:24

Isn’t it? That is true. So, but it’s like choose one, right? It’s okay. And make sure your backups work. The good news in the security end is this wonderful Adobe product called Flash has disappeared. Yeah, I find Flash... As of the time of this recording, it’s three days away, or some three days away. This January 1, Flash is gone. In theory not supported by Adobe, which means there will be no more security updates. Chrome has had all kinds of announcements in your browser that they’re not supporting Flash anymore as of the end of the year. So is Edge. So is Firefox, because they’re all Chromium based now. Flash’s time is gone. Party.

 

44:15

Firefox isn’t Chromium based.

 

44:17

No, sorry, you’re right, Firefox isn’t Chromium based, but they’re all dropping Flash support. So folks, if you’re running Flash, let’s get rid of it now, please.

 

44:29

I should have gotten rid of it about five years ago. But yeah, we see this a lot with, especially with small businesses, and, you know, different little niche pieces of software will require that, and they just don’t update, and it takes forever for them to update it. And I’m just waiting for the next couple of weeks. Fortunately, I’m out of the office teaching most of that time, so my business partner and our engineers will be handling that. But there’s going to be a lot of complaints from our clients who didn’t listen to any of our warnings, or came on only in the last few months. We’ve been broadcasting that as well through our newsletter, their social media and everything. So it can’t have come soon enough. I think Adobe Flash has been the bane of the security world for a decade, more than a decade now.

 

45:22

Yeah, I’m tired of it. And frankly, Flash sites are so old too, that’s the other problem. Like, let’s get it out there.

 

45:30

It was written for a different time, when we didn’t have HTML5 and all the fancy front end stuff. And now we do have that, and it’s time to move on from Flash to HTML5.

 

45:40

Yep. So true. HTML5, it should have been shifted to a long time ago, no question. And then the last subject, the last two things I wanted to touch on, is let’s have a little discussion around 2FA, or two factor authentication, because I think that’s important. And I think 2FA is a good idea, but personally, I am not a big fan of cell phone two factor authentication, because of SIM jacking or SIM spoofing. I think that’s a big concern. I personally go to what’s called a YubiKey. See, you know, a YubiKey is... so I go to a secure,

 

46:21

I’ve got one sitting over there.

 

46:22

I go with the one. I’ve got my wife trained going with the one. I’ve even got working on training my 76 year old mother on going with the one. What’s your thought on, or any other solution, is Google Authenticator or some solution like that? What’s your thought on using the cell phone for 2FA?

 

46:45

Yeah, so if you’re talking about the cell phone as in text messages, I’m absolutely with you. And so are most other people in the security world, because of, you know, not just SIM jacking, but the underlying phone system, Signaling System 7, is just a mess, and they’re not going to fix it. So you know, at least here in the US, it’s always going to be vulnerable, probably Canada too, because you guys are so tied in with, we’re so tied in together with what we do. That’s never going to get fixed. So that’s one of the biggest things when I’m talking about two factor authentication. I talk about those three options. You either have an SMS text message, you have a phone app, or you have a physical device. And pretty much in my presentations, it says bad next to SMS text messages. You know, to kind of get going, if you’re registering a person in an application or something, it’s not terrible. But for regular two factor authentication, definitely don’t use that if you have any other options, and don’t pick that as your first option for an application that you have.

Definitely get that phone app. I use Authy, so I’m a big fan of that, that works very well. There’s a lot of tie ins to that, where that will be less conspicuous than having to actually type in a six digit number. If you are a heavy Google user or a heavy Microsoft user, each of those companies has their own authenticator, Google Authenticator or Microsoft Authenticator, which are even more slick when you’re using those tools. Like when I log into a client, I have one client where I’ve got a global administrator account on their Microsoft Office 365 account, and I’ve got the Microsoft Authenticator app on my phone.

And whenever I log into my account, it just pops up and says, hey, somebody’s trying to log in as you, is this you? And I click accept, and it just lets me go through. It logs me into the Office 365 account. So it’s just as easy as having that hardware token that plugs into your USB. But you know, those are great, too. I’ve got one plugged into a USB-C port right now, because I’m doing some work for my education client, who is, you know, very keen on the security stuff as well. Since we’re actually teaching cybersecurity, it’s probably a good idea to practice what you preach. So we’re all tied in with YubiKeys there. That’s an option, and I’ve chosen that option, and they use that option considerably within their offices as well. But you know, that’s kind of my ecosystem for that. There’s other ones. If you work in a large corporation, they might give you a different kind of token that pops the numbers up every 30 seconds or so. If you’ve been around big corporations for a while, that’s fairly common. You know, I had one of them. And before that, when I was in the military, we had our ID cards with a chip in them, we called them common access cards. The civilian federal government calls them PIV cards, Personal Identity Verification, I think, or something. But they’re the same card, it’s just got a chip in it. You plug it into a specialized reader and go to town. So there’s lots of options. For small businesses, you’ve really got two good options, and that’s that phone app, or that’s that YubiKey, or some kind of FIDO U2F compliant USB key. Or even, they’re doing Near Field Communication ones as well, where you can just kind of put it up to your Android or your Apple phone and it recognizes it.

 

50:49

Yeah, those are really cool. I know my mom is still working as a real estate agent, and the Toronto Real Estate Board actually has an app that runs on an Android or an iPhone that generates a key every x number of seconds. In the old days, they used to carry a physical device, and now they’ve just gone to an app. So you know, even for her, as she says, it’s easy to use, it’s not hard. I think it’s quite cheap to get in that space and start using it. I made the decision to go to a YubiKey a long time ago, and, you know, I just feel better, right? It’s secure. So that’s it,

 

51:30

and adds that extra factor of authentication. I mean, if you’ve got it on your computer, there’s, you know, this isn’t an all or nothing. Security is not an all or nothing thing. You pick things and you do things that reduce your risk but don’t inhibit you from being able to do your daily activities. We push that slider farther to the secure side in our company, because we are responsible for data and systems for many, many clients. So we tend to do 2FA on everything, and so it does get a little annoying to us, and we have to remind ourselves that we’ve trained ourselves just to have to go punch in a six digit number on every application we use. But when working with clients, we often think about, okay, so what is a business owner, you know, maybe a 90 year old lawyer, can we get them onto these kind of things? And in a lot of cases, it’s not an age thing, it’s an understanding, it’s, I guess, an intelligence of the problem kind of thing. And we’ll be able to get some people who you would think, well, they’re too old to be doing something like this, they just want to sit down in front of a computer and start typing. Well, no, those tend to be the people who are more aware and want fewer problems to happen. Some of these younger folks that just want to pick up their phone and look at it and have, you know, face identification or something, typically have a little bit more difficult time with these applications that don’t have that capability to do it with. But you do, you know, when we go into businesses, I will always recommend that every administrative level account has some sort of two factor authentication turned on. And then for the executive level folks in that company, I will heavily recommend it.

And in some cases, they take that recommendation, and in other cases they don’t. But you know, those people who are going to be targeted the most, and are most visible in that company, are the ones whose pictures are on the web page and who are out doing, you know, the glad handing and the marketing, kind of as the face of the company. They’re going to be more of a target than that person who is at the reception desk, or that person who is handling a help desk or taking client calls or something.

 

54:01

True. And while you mentioned that, it brings to me one other thought. You were talking about access, and we haven’t really talked about this, but if you’re a company, like, seriously, don’t give everybody, for one, access. Don’t give everybody administrative access. So I’ll give you an example. I’ve got a friend of mine who runs a jewelry store, and their software choice is QuickBooks, and they have a POS add-on for it. They use the shrink wrap, not the cloud based. And one of the things I preached on when we put the POS in was, we need to set this up so that it only has access to the POS, not all the accounting back end. And he’s like, why, that’s such a pain. And I said, no, because why do you need your part timer playing around with your accounting? Like, you really got to streamline their access, and whether it’s websites, whether it’s a piece of software, whether it’s any of that, it’s streamlined and tailored to what people need. I know it’s work, but it’s the best thing you can do.

 

55:04

Yeah, oh yeah, we run into that a lot with software, things that need administrative credentials. One of the worst offenders of just bad security is healthcare software. You know, healthcare, it’s terrible. We talk about that all the time. And I kind of have this comic picture in my head of somebody wringing their hands, why can’t we solve the cybersecurity problem? But at the same time, they don’t want to spend a little bit more money to make sure that their software is updated. They don’t want to put any effort into one of, you know, 100 things that will help them do this. They don’t want to change how they’re operating. They just want to keep on in that very insecure method of doing stuff. But they’ll continue to wring their hands and ask, why can’t we fix the problem? It’s like, well, we can’t fix the problem, not because of anything we’re... you know, we’re here, I’m working with clients making recommendations on how do we do this, how do we do this. We’ll do everything we can in the background, without affecting how you do business, but at some point you’ve got to pony up and do some work too, because the attackers know that people like us are in the background, closing all the little doors,

 

56:15

patch

 

56:16

on little holes, putting locks on the gates and all this kind of stuff. And, you know, they’re trying to find new ways to come in. So they’ve found those big, burly front doors that they can bust in through, which is, you know, users, or password reuse, or something like that. And they take advantage of those as much as they possibly can.

 

56:36

And it’s so true.

 

56:38

It’s so hard to get them to do that. But, you know, we fight with that regularly, and we’ll have clients ask us, can’t you just make everybody a local admin? We’re like, no, we will put in the effort to not make everybody a local admin. Who exactly needs a software to run? And is it, you know, so regular that we have to create an exception so that they are a local admin? Or is this something that one of our engineers can connect in and say accept and type in a password, you know, on a weekly or monthly basis? And so we put a lot of effort into that. It’s like, look, we’re not doing this just because we want to maintain control over your systems. We’re doing this so that you’re not putting your foot in your mouth at some point.

 

57:18

Yeah, I know when I do website setup and security for website clients, the standard answer is give everybody admin, right? And I just stand there and say, no. So what do you really need? It’s a great discussion. So the last topic I want to talk about is little Johnny goes to Starbucks. And he decides to take his laptop with him, and he connects to the free Starbucks Wi-Fi, you know where this conversation’s going, and then he puts all those passwords in, and somebody is running a sniffer and picks up all those passwords. I actually did this in a Starbucks one day to prove a point to somebody. Walked up and said, by the way, here’s all your passwords. And the topic is around VPNs, or virtual private networks. Should people be using VPNs?

 

58:09

Yeah, I’ve got your free Starbucks Wi-Fi right here. Yeah. I’ve got a little tool in my hand called a Wi-Fi Pineapple, and some of your listeners may have heard about it, but it’s a tool specifically for testing those kinds of Wi-Fi and Wi-Fi user weaknesses. But yeah, absolutely. That’s one of the things, kind of the two aspects there. I will tell people never, ever use a Wi-Fi network unless they trust it, unless they go somewhere and they know where it’s from and they’ve validated who is managing that. So don’t just go and plop down in that coffee shop for the first time, connect up to whatever Wi-Fi is open and start doing your business. There are plenty of ways to take your information, to even get more than that and potentially gain some control over your computer that way. So, unless you go up and you ask that barista, or that restaurant server or something, what their Wi-Fi is, and there’s a placard on that front desk that says our Wi-Fi is this, I would never, ever use that. And even when you do know what that Wi-Fi is, and you know that you’re using that from that specific coffee place, then I would make sure that you have some kind of VPN connection there. And this is, you know, you can have a VPN connection back to an office. So if you do work for a company that has an established office network, you can use that VPN. You probably need to at that point to do some of your work. Or you can use one of these kind of internet VPNs where you’re not really connecting back to a network, you’re just connecting out of the network that you’re in securely. And there are tons of those out there. Personally, I use ProtonVPN, but that’s because I use ProtonMail, for

 

1:00:19

the security reasons.

 

1:00:20

Yeah, for my mail. Yeah. And there are plenty of other ones out there. There’s a lot that get lambasted because people want to use them as kind of, you know, they think they’re going off the grid. And so they use that because the VPN provider says, we don’t log anything. And it turns out, well, the VPN provider did log things. For most people, all you really want to do is get out of this potentially insecure network in a secure way. So most of these are going to work, but I would still say go out and research, look for reviews of these platforms, look for user reviews, things like that, look for reviews in respected publications, of course, and see what those look like. Another solution too, and I’ll recommend this kind of equally along the lines of a VPN, is just take a hotspot. You know, if you’ve got almost any phone these days, you have the ability to turn your phone into a hotspot. And if you can do that, and if that’s something that’s within your budget, then that removes your need to deal with trying to determine if that VPN is secure, or whether that Wi-Fi is, you know, a scammer with a Wi-Fi Pineapple, and go through that whole rigmarole. You can just walk in, plop down, connect up to your known good Wi-Fi hotspot, and go to town doing your work or whatever you want to do.

 

1:01:51

Yeah, I have a data plan on my phone. Rogers in Canada now offers a 150 gigabyte data plan, believe it or not, and I have one, and people laugh at me and say why. It’s because I refuse to use a public VPN. So that means no coffee shops, no hotels, no restaurants, no nothing. And that saves a lot of issues when it comes to sniffing passwords and things like that. So

 

1:02:22

I typically will tether through my iPhone. I think I have like a 15 gig or something, so it’s not a lot, but I don’t need it that much. Yeah. And I will use that as a primary means unless I’m going into a place that I absolutely know, like one of my known coffee shops around here, or a client office or something like that.

 

1:02:47

Yeah. And Chris, thanks for joining me today. Thanks for all your wisdom and your tips. If somebody wants to get a hold of you, what’s the best way?

 

1:02:57

Best way would be email, since I tend to be in and out a lot. And that’s chris@swtechpartners.com.

 

1:03:06

And you have a really good newsletter that people should drop on over and sign up for. It’s invaluable. What’s the URL for the newsletter?

 

1:03:18

Our webpage is swtechpartners.com. I’m not sure if we have it on the page yet, we’ve been talking about that. You should just drop me an email and I’ll add you to the list. But we publish at the beginning of every month, and try to really focus on what small business owners and decision makers can use, knowledge that they need to know from the security arena that’s not in mainstream news. So something that didn’t quite make it into mainstream news, but is still important enough to alert them to.

 

1:03:56

No, thank you very much, Chris, for your time, and Happy New Year and have a great day as well. A very special thank you to Christopher Wright for joining me on this podcast. I hope you enjoyed the security chat and found it very insightful and helpful. If you want to get in touch with me, please email me, VIP at stunningdigitalmarketing.com, or go to my website, stunningdigitalmarketing.com, and drop me a note. I can be found on all major social platforms: Twitter at Rob Cairns, Facebook, Instagram, and even more. So look me up and let’s have a chat. This podcast is dedicated to my late father, Bruce Cairns, and my wife, Jill Mclean-Cairns. I love you both very much. Keep your feet on the ground and keep reaching for the stars and make your business succeed. Bye for now.

