Episode 13 – Eric Jacksch Talks Security


Show Notes

00:37

Hey, Rob Cairns, CEO and Chief Creator of Amazing Ideas at Stunning Digital Marketing.com, the travel agency that helps your marketing and web development needs soar and generates leads that convert to conversions for your business. Today’s episode, I’m with my good friend, Eric Jacksch. Eric is based out of Ottawa, Ontario, Canada, and is a security expert in the computer security field. Today, we talk a little bit about what individuals can do to protect themselves at home, and what businesses can do to protect themselves in their business. So sit back and relax and enjoy the ride in the conversation with Eric Jacksch. Everybody, Rob Cairns here. I am here with my friend Eric Jacksch. And Eric is an online, or a network, security expert. And, you know, with all the advantageous of what’s been going on in the world, I thought we’d sit and talk security for a while and try and bring some people up to speed on what’s going on. How are you?

 

01:55

Good. Yourself, Rob?

 

01:57

Doing really good. Security is kind of the Wild Wild West right now, isn’t it, a little bit?

 

02:04

Well, we’re getting there. Certainly there’s an awful lot going on.

 

02:09

Yeah, there’s just way too much going on. So, Eric and I have known each other for a long time, a number of years. And I thought I’d get Eric to tell us a little bit about himself, what he does and what he’s doing and some of the cool projects he’s working on. Eric?

 

02:29

Alrighty, well, I’m a cybersecurity specialist. So for those of you who don’t know me, I’ve spent about the last 25 years helping governments and businesses of all sizes protect themselves in a number of capacities, from high level risk assessments covering entire organizations, down to testing hardware and software.

 

02:52

Yeah, which is kind of a cool field. And it’s always evolving. And that’s what people don’t realize: security’s not stagnant, it’s like a moving target. So

 

03:03

what

 

03:04

is the biggest security challenge, you think, today? Or?

 

03:08

Well, I guess I need to caveat the answer by saying that it depends on who you are and what business you’re in. In general, one of the biggest challenges that I see is that most product developers are continuing to emphasize features instead of security and privacy. And as consumers, we’ve traditionally been okay with that. It’s easy to point at developers and say they’re not considering security. But developers and people who develop products, hopefully, are developing what consumers want. And until consumers start demanding more in the way of security and privacy, there’s little incentive for product developers to shift their priorities. I think that’s one of the major areas that is holding us back.

 

04:00

I would agree with you. I mean, people seem concerned about the shiny new syndrome instead of fixing what they already have. And I think that’s a bit of an ongoing issue kind of in the marketplace, the corporate side. And, you know, a lot of people who listen and spend time online are home users. And always think home users do a really good job. And one of the things I hear a lot from home users is, do I need virus protection or malware protection on my computers? What do you think about that? Well,

 

04:36

Again, it depends on your operating system. But I think it’s important to take a step back. The first line of defense that people have is their own behavior. So if you’re going online and you’re downloading software from sources you don’t recognize, and you’re going to sketchy websites, and you’re opening every email attachment that you get, there’s really no software out there that is going to protect you. They can help. But if you choose to behave in that way, you’re going to have problems. Now, if you’re running a Windows computer, definitely you need antivirus software on it, because most of the malware out there is targeting the Windows platform. A question I get asked all the time, and I’m sure you get this as well, is which antivirus package should I buy? Well, if you’re behaving responsibly online, Windows Defender, that you’ve already paid for with Windows, is probably adequate for most people. In fact, you know, some of the free antivirus software out there has been more problematic than it’s worth; some of those packages have actually introduced serious security problems. So I tell the average person, if you’re not in a high risk situation, keep your Windows 10 machine up to date and use Windows Defender that came with your computer. Microsoft really deserves credit here, and, you know, I’ve not always come down on Microsoft’s side of this argument. But Microsoft has really done a good job in many ways of improving their defenses against malware, especially with Windows 10, and the latest versions of Windows 10, and how they’ve been evolving that. If you’re running a Mac, it is true that Macs are intrinsically more malware resistant just because of some of the security features.
However, if you want to download software to your Mac, and your Mac is careful enough to say, hey, this is an unrecognized publisher, and you decide you want to install it anyway, well, then you’ve created that problem for yourself. So whether you need malware protection on a Mac, that depends how you use it. A lot of people don’t, and they’re fine. On the other hand, there are a couple of good antivirus packages for Macs. If you’re running Google Chrome, you probably don’t need to worry about it; they have a lot built in, and then the Chromebooks are so easy to reset back to factory defaults, log back in, and get all your stuff back in a matter of a couple of minutes, that it’s probably not worth trying to load AV software on there if there was any available, and there typically isn’t. A long answer to a short question. But

 

07:33

That’s it, that’s really good, sound advice. I know personally the package I recommend, if it’s not the free package, and I agree with him, Windows Defender’s great. But if somebody really wants to go out and buy something, I’ve been kind of partial for a number of years, having come out of the corporate environment. And I’ll be the first to say I don’t like McAfee, I don’t like Norton, which are the two big corporate products, because, frankly, they’re resource intensive. The product that I tend to go with is the ESET product, just because I find the resource allocation not as bad as some of the other corporate products.

 

08:14

Right. You know, I tend not to make specific recommendations, or rather, it’s very general; specific recommendations for specific products, just because, you know, in the small business and corporate space, one of the differences is you want an AV that does some centralized reporting, so that you can track malware infections, track whether things are up to date, etc. If you look at the field of antivirus, it has traditionally come from a signature model, where the products recognize what’s quote unquote bad based on a set of signatures that needs to be updated pretty much constantly. Some of the vendors have introduced, you know, they say AI, we’ll talk more on the machine learning space, they’ve added some basic things there. And there’s some newer products, not necessarily saying they’re better, but there’s some newer and, I think, very promising products that are using strictly machine learning. For example, Cylance, which was recently bought by BlackBerry. Of all of them, BlackBerry Cylance was one of the first to go straight machine learning. And that product is extremely lightweight and not constantly downloading signatures. So it really depends on what your objective is. Again, for home users that think they have a malware problem, Malwarebytes often does a really good job of detecting in and around

 

09:49

the long time

 

09:50

forward to it. And they now have a product that does real time protection. So there’s a lot out there. But I always caution people that, you know, they’re not putting on a suit of armor. And that even if they are using anti malware products, they still need to think about their behavior before they click on that link, surf to that sketchy website, or open attachments to email that may not be trustworthy.

 

10:19

I agree with it. And then, because my next question is: I have all the stuff and tools, but my data is not going to go anywhere. What’s your thought about backups and what people should do? And that whole rabbit hole of should I, shouldn’t I, should I spend the time, shouldn’t I?

 

10:41

Well, I guess it depends what you have on your computer. You know, on one end of the spectrum, when people use Chromebooks, which essentially store nothing on the computer and it’s all in the cloud, in that case they really have nothing to back up. On the other hand, a lot of people have, you know, their extensive photo albums, family documents, business documents, etc. And they definitely need to be backing them up, especially with the kind of malware and ransomware incidents that we’re seeing. It often turns out that a good backup, particularly a good off site backup, is really your final line of defense in many scenarios. I often get the question, I think you’ve alluded to it a little bit, of, you know, do I back my data up locally, or do I use a service? If you have the discipline to take backups regularly onto a USB drive, take them off site or store them somewhere else, if you have the discipline to do that, it’s workable. In my experience, though, most people, especially small business people, who perhaps are the most vulnerable because they typically don’t have an IT department and they don’t have a lot of time, they’re busy, my experience is that those backups tend to be well intentioned but kind of fall off and don’t happen. And for that reason, I recommend that most people use a cloud based backup service. There used to be, and there still are, several of them out there. And at this particular point, there is really one service that stands out for individuals and small business, and that’s Backblaze. Some of the other services have either gone away from an all you can eat model, or they’ve shifted just toward the business area. Backblaze is screaming fast; it’s one of the services that will back up about as fast as your internet service will provide. It’s pretty low maintenance, and their cost is pretty reasonable.
So that’s typically what I’m pointing my friends, neighbors, and small business customers toward these days.

 

12:52

I would agree with that. And it’s funny, worth noting, there was a well known tech journalist in the States about eight years ago, and he took all his backups. And he had a break-in at his house; the problem is, his two backup drives were sitting next to the computer. So when the thief swiped the laptop, he took the backup drives, and that kind of ended that discussion. So the point is, as Eric was just making, if you’re going to do backups, you have to have an off site solution as part of it. Fires happen, theft happens, floods happen. Unfortunately, I don’t know about you, but I don’t think over the years I’ve ever lost an ounce of data because of backups. Like, I’ve had a hard drive go, but I’ve never lost anything. Have you?

 

13:37

But I’ve never lost anything important. But again, working in this field and doing some, you know, I do some business continuity and disaster recovery planning for small business as well. So it’s always been something that I’m mindful of. I’ve seen a lot of people lose a lot of data. Also, you know, related to that, if we look at the whole area of ransomware, we even see government agencies sometimes paying to get their data back. When that’s happening, again, I don’t have inside knowledge of any of those, but that screams lack of backups there. You know, if you have a proper backup, and are using a service like Backblaze, which is constantly backing up your data when you’re connected, when you’re online, then, you know, if you were to run into ransomware, the situation is very simple: delete everything on your hard drive, wipe your drive, reinstall the operating system, and get your data from a backup. And one of the reasons, again, I don’t make any money off them, I have no business relationship other than as a customer with Backblaze, but they will even courier a backup to you if you need to recover your data quickly. And that’s just a fantastic service.

 

14:57

I chose. So let’s move on a little bit to the world of smartphones. We all have them in our hand. Are there any security issues with smartphones? Well, plenty.

 

15:09

And I think, you know, the number one thing with smartphones is, like any other computer, we have to realize that they’re not phones anymore. We say it’s my phone, but the reality is we’re now carrying a computer in our pocket. Like any other computer, it needs to be kept up to date: the phone’s operating system, the apps, need to be kept up to date. And even though Google and Apple are both doing a decent job, in many cases, to try to stop malware from slipping through their official stores, it does happen. So, like any other computer, we need to be cognizant of what we’re installing on it and how we’re using it. And keep in mind that the smartphone has progressed to be a lot more than a phone; we’re carrying a lot of information in our pocket. So we want to turn on the security features to require us to authenticate to the device. And people just need to simply ask themselves that question: if I were to accidentally leave this in a taxi or on a bus, if I were to drop it walking down the street and somebody else picked it up, what would they be able to get into? Because that is a scenario that, you know, somebody faces on a daily basis.

 

16:23

Yep. So true. I’m now moving on to the corporate world a little bit. What is the biggest threat for corporations in today’s day and age?

 

16:34

Well, we have to be very general; the answer could be, the biggest threat for corporations. So looking at it at a high level, what we’re seeing is two of the major things. Of course, we’ve talked about business continuity a little bit, and disaster recovery, and what have you. And it’s important to realize that people lose data and have their businesses damaged through accidents and natural disasters, as well as, you know, criminal behavior. But what we’re seeing is most businesses are experiencing attempts to steal information and commit fraud. You know, traditionally we think of hacking and then that image of, you know, a pimply teenager sitting in their basement. Well, that’s not the reality today. The reality today is it’s organized crime. There is organized fraud occurring; most businesses are getting emails at some point, emails to employees that look like they come from executives, but they don’t, asking for information, asking for wire transfers, requesting financial information. So all out fraud. And, you know, if we went back several decades, a lot of that was occurring by telephone. Now, it’s even easier for someone anywhere in the world to use email, instant messaging, SMS, and what have you to contact employees and try to look like someone else. And of course, information theft. You know, depending what vertical you’re in, there are different risks. And some verticals have significantly elevated risk because of the information they hold. So, you know, if your business is in the retail or finance sectors, obviously payment card information is something that’s highly sought after. It’s being targeted because it’s very easy for criminals to monetize.
Tech companies generally have to worry about both fraud, as I mentioned earlier, and intellectual property theft. And I’m not gonna name any companies, but we’ve all heard the big stories about big Canadian companies being seriously damaged by intellectual property theft. And I think that remains a problem. And again, I think, you know, particularly when I’m talking to small business owners, I always emphasize that, yes, hacking is a problem, phishing is a problem, fraud, the theft of information, those are real problems. But, you know, somebody losing their laptop is a problem as well. You know, even with an encrypted hard drive. If the hard drive isn’t encrypted, the data may be stolen. If the hard drive is encrypted, well, if there’s no backup, you’ve now lost all of your data; things get stolen. And, you know, we’re coming to springtime here in Ottawa. We had some flooding last year. We’ve got more snow here than we did last year. Hopefully we’re prepared to handle it. But, you know, things like floods, electrical outages, and that can have a pretty significant impact. So we need to prepare for those types of events as well.

 

19:39

And I think the other thing we need to be aware of a little bit is the whole aspect of what’s called social engineering. There was a really good book written by the legendary hacker Kevin Mitnick. For those who don’t know, he’s the one who actually hacked the FBI website a number of years ago, went to jail, and is now a speaker and security consultant, but, you know, typical in this industry often. And he wrote a book called The Art of Deception. And the book talks about the social impact on hacking, and not everything is just a computer hack. It’s that email that’s deceptive, that guy walking in and talking his way into a password and somebody gives it up, or some guy who works his way into a computer room. And, you know, the more I see, the more I suspect, I think people have learned, the same stuff that’s happening over and over again.

 

20:36

Yeah, I mean, I’ll be the first to admit, I’m not a big fan of criminals who turned into security professionals. You know, if you do read some of the information on Kevin Mitnick, he certainly has expertise in the area of social engineering. And that is something that people do need to be very aware of: that is alive and well. And we’re actually seeing an improvement on behalf of the social engineers, so they’re getting better at it. And, you know, it was only a couple of years ago we kind of would laugh; a lot of these emails would come in, and they’d be a little far fetched and the English would be horribly awkward, or an email even saying it was from the CEO but spelling the CEO’s name wrong. And we would see those emails and kind of chuckle about it. Well, it’s not so funny anymore, because those folks have gotten much, much better at it. These criminals are more organized. I’m hesitant to use the word organized crime, because then someone’s gonna ask me what this organized crime would look like. But they are getting much better, much more slick. And organizations are being targeted. And what I mean by that is, employees receive emails that look like they come from someone else; maybe the email address is slightly different, but it looks like they come from someone else in the company that would have a legitimate reason to ask for certain information or certain actions. The English is good. In some cases, we see evidence of the criminals even trying to use the writing style of the person that they’re claiming to be. We see crossover into text messages.
So, you know, suddenly we’ve gone from a scenario where employees are getting an almost laughable attempt at an email impersonation, to now they’re actually getting text messages and emails that look quite convincing. So we need to be much better at spotting them, and help employees to understand that threat, and do a lot more in the area of security awareness training.

 

23:07

Oh, I would agree with that. And, you know, we’ve talked a lot about what corporations should do; what’s the one thing that most big corporations really don’t do? Is there anything that kind of stands out in your mind? Yeah, again, it’s

 

23:23

difficult to generalize, because different companies have different strengths and weaknesses, just as different people do. One of the trends that I see is that the message that security is everyone’s job is not being delivered. And, you know, when you look at large companies, if you’re a small business owner, you may look at them and say, oh, they’ve got a big security team. Well, it doesn’t matter how big your security team is; if they’re always playing catch up to the rest of the business, or if they’re operating in a silo, your security program isn’t going to be effective. So security teams, or even if you have one security consultant or individual, need to be positioned better as advisors to the business, and ultimately everyone in the business needs to accept responsibility for security. I’ll give you an example, and people often like a concrete example. It’s particularly evident in large businesses when it comes to patching systems and remediating security vulnerabilities. On one hand, you have a security team that’s kind of sitting in a silo. They’re probably the ones that own the vulnerability scanner, and they’re doing the scanning and producing reports and saying, here are all the issues that need to be addressed. But they don’t have actual access to the systems that need to be patched, and for a multitude of very good reasons, they’re not the right people to do it. On the other hand, the IT teams are busy, overworked, and they don’t feel that they’re responsible for security. So you end up with a situation where executives are expecting security to protect them, while IT teams, or some other part of the business, I’m not trying to pick on IT in this example, don’t keep systems up to date and properly configured. And in that situation, the business has little hope of success.
So what needs to change is, and, you know, I’m sure you’ve heard this as well, there’s a shortage of security people out there. And part of the reason I think there is an apparent shortage of security people is we don’t know how to use them correctly yet. What we need to be doing is, you know, if you’re the business owner of a system, guess what, you’re responsible for the security of that system. If you’re assigned a laptop and a telephone by your company, you’re responsible for the security of those. And what a security group’s role needs to be is, you know, provide advice, provide guidance, provide the right tools, provide the right training, and help shape the cybersecurity program. But until it gets to the point that everyone in the business clearly understands that security is their responsibility as well, it’s really going to be hard for businesses, particularly for the larger businesses, to make a lot of progress in that area. While, on the other hand, it’s interesting, a lot of smaller businesses get it. Even the smaller businesses that don’t have a full time security person, they get it; they know that the person is responsible. And they know that the system administrator that’s running a system is responsible for keeping it up to date. So in some ways that message is working better in small business than it is for larger business.

 

26:52

Yeah, I would agree with him. And let’s move on to the topic of web security. And this is near and dear to your heart. Oh, is it ever. And for those who don’t know, I do 99% of my web design in WordPress, which is open source, the base core. And we hear all the time things like WordPress is not secure, this system is not secure. And kind of, web security is a lot like the rest of the world, where it’s more, you know, 33% of the world is using WordPress, so that makes it a target. That’s the first problem. And what’s the biggest issue in web security? Is it just people not keeping software up to date, or supporting them?

 

27:40

Well, I think it’s a bigger problem. First of all, realizing web is a very broad area, right? It encompasses a whole lot of technologies, a whole lot of systems, a whole lot of use cases. In general, we do a very poor job of architecting web applications to resist attack. Now, I’m not talking about the web designer who’s building something to sit on top of WordPress; I’m talking more at the architectural level. For example, you know, a PHP LAMP stack, commonly found all on the same machine. And we very commonly look at, there’s this multitude of security flaws we see in web apps. And if you look at just the CVEs as they’re issued, you’ll see problem with web app after web app after web app. It is tempting to blame the developer who made the mistake, but when you see the same types of mistakes occurring over and over again, in different products, in different areas, what it suggests to me is that there are two problems, and that as an industry, there are two things we’re not learning at all from the past. The first is that there are these common design mistakes that keep being made over and over again. And we need to address that. And, you know, I like to think of cars. If there was some sequence of buttons you could push in your car that made it crash, nobody would find it acceptable just to say we’ll teach people not to push the buttons in those ways; we’d be questioning why those buttons are there and why they work that way in the first place. The second, related issue is just the whole architecture of how we’re designing these web application frameworks. And you have things like WordPress, which have great inertia. I mean, they’re big. If there’s a reason you don’t want to use WordPress, people are looking at it and going, well, why? Because, you know, everything uses WordPress.
And I don’t want to sound like I’m picking on WordPress. I’ve written about it when I’m talking about security architecture as well. WordPress is both an amazing success story and an example of a really poor security architecture. And like any other product, it depends what you’re using it for. So, you know, if you’re using WordPress for your company website, and there’s no personal information on there, there’s no payment card information, presumably you can back up and restore it pretty quickly if there’s a problem, then maybe it’s the right tool. I mean, I use WordPress as well, so I’m not trying to give anyone the impression that it is terrible. I use WordPress as well. One of the advantages is, because it’s so common, security problems tend to be found and fixed.

 

30:37

District No.

 

30:38

So they tend to be found, they tend to be fixed. But, you know, the problem happens when we have a business that wants to take something like WordPress, and then, well, let’s just layer this kind of private area on it, and we’ll put some private information there, or, oh, we got this great plugin that turns it into e-commerce. And that really emphasizes and brings to the forefront the fact that this application was not designed for that purpose. So I guess, you know, without going on too long on this, and to get off my soapbox for a minute, we need to start adopting more attack resistant architectures and better design patterns, so that we can, you know, we need to make hacking web apps a lot harder and a lot less frequent.

 

31:39

Now, I agree. And I agree with your soapbox. I mean, one of the problems, just going back to the WordPress ecosystem, is if you ever see a problem in WordPress, often the same problem comes up with Joomla and Drupal. Because what people forget is it’s the same PHP, it’s the same MySQL interface. And often the problems are architecture based, not the system itself. And the other thing, you know, interestingly enough, I had personally never gone through a hack on a WordPress site, on any site I’ve managed in five years, until last October. And what happened was, the whole discussion is, WordPress, for those who don’t know, works on a system of plugins, which are basically like modules to do functions. And, you know, the talk always is use paid plugins where everybody knows where they’re coming from, use free plugins that have been vetted. And there was this wonderful plugin called GDPR, which is the European privacy regulations. And the plugin got hacked, and this plugin had over 2 million installs at the time. And to be fair, most of the web hosting companies got wind of it, knew what was out there, cut it off. But unfortunately, guys like me who are with well known hosting companies still got hit. So the point is, it can happen even if you do all the right things.

 

33:11

It can, and part of that is because of the architecture. Again, I don’t want to pick on just WordPress; there’s a whole bunch of apps out there that work this way. So you have a web server, and the web server is right at the edge, right? It’s communicating with your end user. That web server has the credentials to do anything it wants on the database. So now you have the database credentials essentially pushed out right to the edge of the network. And, you know, those credentials reside within the web server directory. So we’re relying on proper web server configuration not to just hand over those credentials, and to execute them as PHP instead. And then we add to that the fact that as we add modules to WordPress, or anything like WordPress, as you mentioned, we’re actually adding executable code that, you know, varies in quality. Some of it may be the best code ever written; some of it may not be. So at any given time, with that type of architecture, you are literally one hack away, or one coding mistake away, from a compromise. And that’s why I mentioned the concept of intrusion resistant architectures, where we need to move beyond that paradigm. If you think about your car, there’s a reason there’s more than one nut holding each wheel on: it is anticipated that one of those may fail. If you look at physical safety systems, almost always the assumption is that a single component might fail. And we need to think about architecting applications a little more in the same way.

 

35:05

I would agree with that. So I want to move into, if you use a platform like WordPress (and yeah, you can pick on it all you want, I’m good with that) or Joomla, or Drupal, or any of that, how should people go about protecting their web presence, if they can? And then, besides protecting your web presence, how much is the web hosting part of it? For those people who are going out and buying hosting, it’s something that we stress in our business and our agency: choose your web host very carefully, because they’re really part of your security solution. What do you think about those?

35:43

So, for the end consumer, or businesses purchasing these, obviously you want to try to pick reputable products and keep them up to date. Those are two of the major components we mentioned earlier. Another key message is backups. You need to have a backup of your site, and the backup of the site needs to be inaccessible from the site itself. You don’t want to place yourself in a position where somebody is able to compromise your site and, while they’re there, use credentials that are found on the site to delete the backup. So that’s the basic what-can-you-do. And as you’ve also mentioned, picking a hosting provider is important. Again, if you’re going to use free open source software and a low cost hosting provider for a very simple website for a small business that can quickly be recovered from a backup, well, maybe that’s okay. And I understand that some small businesses are under incredible budget pressure and they need to keep these costs down. But, like in many other areas of business, you get what you pay for. And when you’re dealing with a hosting provider, or a cloud provider of any sort, you’re really dealing with a shared security model. If they are running the hardware and the operating system software, in this particular case, if you’re using a hosting service, you’re relying on them to keep that secure. And if they’re not holding up to their end of the bargain, if they’re not ensuring the security of those systems, then it’s very difficult to end up with a secure result. And really, if you’re crossing the line from a simple website into personal information, payment card transactions, etc., you need to consider every element of the service.

And also, realistically, consider whether or not you have the skills in house, or you need some outside expertise to protect yourself. It’s very frustrating in the security field; I often run across businesses that are in a bit of a crisis. And if they had made a small investment upfront to have someone with the right IT or the right security skills review their plans and help them make some of the decisions upfront, it probably would have allowed them to avoid the pain they’re in. Just like it often makes sense to have your lawyer review a contract before you sign it, that little bit of money they spend up front could have been the cheapest insurance that they could have had over the course of that job.

38:43

I would agree with that. And I would also advise anybody listening to do your homework. I’m not going to call the host by name, but most people can figure it out: there’s a well known web host conglomerate that decided to start employing a product called sidewalk. And there were many, many customers out there, and these weren’t just WordPress sites, these are all kinds of sites, that never had a security vulnerability until this company put this in place. They’d say, install sidewalk, all your problems will go away, and we’ll charge you a couple hundred bucks a year on top of what you’re paying. And it turned out that this particular company got called out in many forums for actually creating false positives to sell their security software. And that’s just a no-no. So you’ve got to do your homework and be very careful. I would also suggest, if anybody’s thinking about getting into creating a website, jump online, read some forums. In discussions of the five or 10 hosts that every developer likes, they’re pretty well the same no matter who you talk to.

39:53

I’m not familiar with that particular product, but I have run across similar issues with other security plugins for products such as WordPress, third party security plugins; I’m not poking at WordPress here. And I’ve run into issues with false positives. And it just so happens that the company who publishes the plugin is very happy to help you with that alleged problem their product has found, if you pay them. So it’s certainly worth it to get some advice and understand what’s going on. And don’t trust that pop up on your screen, or that free scanning product for your site. Don’t trust that as gospel when it comes to security matters.

40:54

I would agree with that. And the other thing, again, on your website, is to keep regular backups, because frankly that can be your best avenue. And I would go so far, being in the website game as long as I’ve been in it, as to say don’t trust your host to keep those backups. Do it yourself or get somebody to do it for you. Because there was actually a well known web host in Australia called Melbourne IT, about six or seven years ago, they were hacked, and their backup server was also hacked at the same time. And this was an organized attempt, it wasn’t a script kiddie. And the end result was they lost their backup server. And I think the number was somewhere around 300,000 impacted websites. So what I’m suggesting is, make sure backups are part of your strategy, but keep your own as well.

41:49

And more generally, moving up from hosting to any cloud provider, I urge people to ensure that they have backups outside of their cloud account. Whether you’re using Azure or AWS, or using a hosting provider, just your web host, have a backup somewhere else. Because there have been a number of scenarios where an account has been hacked. Now, it wasn’t a server that was hacked, it was in fact the account at the hosting provider that was hacked. And that may very well have been, in many cases, the fault of the customer. But it’s not much consolation afterwards, when you find that your account has been hacked, and it may be your fault, but you’ve lost all of your data and all of your backups. And the other issue, particularly when you’re dealing with the smaller, low cost hosting firms, is you don’t really know for a fact that they’re going to be around next month or next year. And so you really want a backup of your site, your software, your data somewhere that you can control, or in the hands of another provider, so that you’re able to recover if there is a major impact at your provider.

43:12

Now, I agree with that, and to take that one step more: not only have that backup in your hand, but try to do a restore of that backup to a test domain or some other place, to prove that the backup is actually working. Because I’ve seen way too many occurrences in this business over the years where somebody did a backup, they never tried the restore process, and then they tried to restore and the restore didn’t work. And that’s not a good thing either.

43:40

Absolutely. Testing backups. It was all more common when we used to back up a lot to magnetic media, because of the failure rates. But testing backups, even if you’re using something like one of the online backup products (I’ve mentioned another product name already), if you’re using an online backup service, at least every so often log in and make sure some of the files that you’ve recently created are there, and that it’s working as advertised.

44:10

Yeah, that’s good advice. So now that we’ve talked a little bit about that, let’s look at the world geography a little bit. And one of the concerns I know many people have had is, is it the Russians causing all this havoc? Is it the Chinese causing all this havoc? And we know the issues in the States, I don’t even want to go down that rabbit hole. And we know the issues, certainly with the Chinese, especially with companies like Lenovo, who’s been implicated with malware and, for those who don’t know, was about 49% owned by the Chinese government. So we’re seeing that right off the top. It’s also worth mentioning Lenovo is one of the biggest providers of PCs to healthcare providers in Ontario. So that’s worth talking about, and Huawei in the news, with them being in the forefront there. Security issues: is it the Chinese? Is it the Koreans? Is it the Russians? Where is the biggest threat coming from?

45:07

Well, that’s a really good question. A lot of it depends on who you are and what business you’re in. So, we read a lot about China, we read a lot about Russia; they are only two of many countries that are involved in cyber warfare. And I don’t think anyone is naive enough to say that China and Russia are bad and everyone else is good. That would be nothing more than propaganda. So there are a lot of countries involved in this. And there’s a number of things you’ve touched on. So one is, is there any particular country that concerns me more than others? Not really. Certainly if you’re in certain lines of work or have certain specific concerns, you’re more likely to see competitors in different countries that may be targeting you. But there are a number of countries in the world where it has just become quite obvious over time that they use government assets to help their major industries. The individual average Canadian probably should be more concerned about criminals that are after them with phishing, malware or ransomware. And the reason I say that is, again, the game for these criminals is to make money. When we look at state sponsored actions, they tend to be more around intelligence gathering and around intellectual property, as opposed to the type of things that the individual average Canadian, or American, or other citizen for your international listeners, should worry about.

So, on a day to day basis, I’m more worried about criminals who want to get malware on my system and steal information than I am about any particular government. Obviously, if you’re in certain industries, if you work in the defense industry, if you work in some of those others, then you have different concerns.

47:20

And I would even take that one further and say I’d even be concerned about receiving a phone call from somebody claiming they’re from Microsoft and saying, we see errors on your PC. Well, guess what, every error log on a Windows PC has errors. And then they say to you, by the way, please give us your credit card number and we’ll gladly fix these errors, and we’ll remote to your PC. And what people don’t realize is when they remote to your PC, not only do they have a credit card number, which they can charge when they want to, they’ve probably installed a piece of malware which gives them backdoor access to your computer, and the vicious cycle continues. So I think that’s right.

48:03

Exactly, fraud to do fraud. And that’s a good example of how social engineering, fraud and malware all come together into the same scam. And as you mentioned, I will note that globally, the larger issue you mentioned with some manufacturers is supply chain security. It is becoming more of a concern. I think it’s more of a concern for large business than it is otherwise, but we do need to recognize that a very large percentage of our hardware is being built overseas. And it’s hard to avoid; I don’t think I’ve yet run across a computer made in Canada, or that is completely made in the United States. So that’s part of the landscape that we live in. We certainly hope that some of the major manufacturers that we know, love and trust are doing their best to secure their supply chain and are monitoring what’s going on in their production facilities. But it’s something to keep in the back of our minds, especially if we’re in an industry where we’re dealing with highly sensitive information.

Yeah. So true. Eric, thanks

49:35

a lot for your time today. It’s been a great informative chat. And if somebody wants to get hold of you, or wants to use your services, what’s the best way to get hold of you?

49:46

The best way to reach me right now would be to surf over to securityshelf.com, as one word, security shelf combined into one, securityshelf.com, and if you use the contact form there, your message will reach me.

50:00

Eric’s really knowledgeable, and don’t be afraid. And thanks again. Have a great day.

50:06

You too. Take care.

50:07

Thanks. Bye. Thank you for listening to the STM interview show. This podcast is a production of Stunning Digital Marketing, the agency that can help you with your web design, WordPress security and digital marketing needs. Please subscribe to this podcast. This podcast can be found on Stitcher Radio, Spotify, Google Podcasts, Apple Podcasts and more. Please don’t miss the next edition. This podcast comes out every Thursday for your listening enjoyment. Until next time, please keep your feet on the ground and keep reaching for the stars. And we’ll talk to y’all soon. Have a great week everybody. Bye for now.