Worksighted NXT Webinar | Cybersecurity Round Table: The Spooky, Scary and Unbelievable

To celebrate Halloween, we wanted to mix up our regularly scheduled webinar content and provide something festive. Is there any better way to ring in the spooky season than with some cybersecurity horror stories? Of course not!
Expect the unexpected with this discussion: some of these tales are scary, others are unbelievable, but all are true!
We have invited each of our cybersecurity experts at Worksighted to join us for a roundtable discussion providing some tales about cybersecurity mishaps, tricks hackers may pull, and treats we can provide to prevent security issues from arising in your place of business.
Through listening to these stories, you will learn how to protect your company from the many threats that exist across the cybersecurity landscape. We’ll be talking about zero trust, why it’s important to keep security in mind at all levels of your organization, and how it could impact big decisions you’re making in keeping your business safe and secure.
Our team is ready to be grilled, come prepared with your questions and concerns!

Let’s dig into this webinar, please reach out if you have any questions!
Rebecca Zaagman:
Hello everyone and welcome to another episode of Worksighted NXT. We’ve got some new friends here with us.
Chris Furner:
Hello everyone.
Rebecca Zaagman:
We’ve got, obviously Horseman, AKA Chris Furner. We’ve got our resident hacker, Ashley Townsend, and you may well know Adam Devereaux, AKA-
Adam Devereaux:
Secret agent man.
Rebecca Zaagman:
Secret agent James Bond.
Adam Devereaux:
I was trying to come up with a snappy security related James Bond pun, but I didn’t come up with anything, sorry.
Rebecca Zaagman:
Best of luck next year.
Adam Devereaux:
Yeah. Take these off now.
Rebecca Zaagman:
Awesome well today we will be chatting about all things cybersecurity, the unbelievable but true stories. Some that we have experienced first hand, others that you may have heard about in the news and yeah. Obviously we’re having a little bit of fun today. This is a real topic that we deal with every day here at Worksighted, so we wanted to bring just a little bit of levity to the conversation, but also bring a lot of great information for you today. We’re excited to dig in, but before we do that we definitely want to meet our guests. Chris, why don’t you, yeah, tell us a little bit about you, why you’re passionate about cybersecurity, and a favorite Halloween tradition, and least favorite Halloween candy?
Chris Furner:
All right, yeah. I am Chris Furner. I am Worksighted’s senior security engineer. I’ve worked in security at Worksighted for over two years. I’ve worked at Worksighted for almost seven years now, and I am passionate about security because I don’t want to see businesses getting taken advantage of, don’t want to see businesses fail because of security threats, security attacks. I don’t want to see people have problems because of security problems too, in your personal lives. My favorite Halloween tradition, I guess, is trick or treating, but then my least favorite Halloween candy is the candy corn.
Rebecca Zaagman:
Candy corn. That’s a very controversial candy.
Chris Furner:
Yeah. It’s no good.
Rebecca Zaagman:
Some people love it, some people hate it. I like it with the peanuts, you know. Not the circus peanuts, which I’ve never heard of, fun fact. All right, next up we have Ashley. Tell us a little bit about yourself and if you want to answer those fun questions.
Ashley Townsend:
All right, hi. My name is Ashley Townsend. I have been with Worksighted for three years now. I’ve been in a number of different positions, however my current role is security specialist team lead. I love cybersecurity because it’s just a challenge every day. The fact that we get to help protect businesses and people is amazing, but then also just the different things that we face every day. It really keeps it interesting and I have a lot of fun with it. My favorite Halloween tradition is probably dressing up my kids. I love to do that. Then my least favorite Halloween candy, or just candy in general, probably circus peanuts.
Rebecca Zaagman:
Full circle, all right. Cool and you are currently seeking a degree in cybersecurity, right?
Ashley Townsend:
I am. In May I will be graduating with my masters of science in information assurance and cybersecurity.
Rebecca Zaagman:
It’s just incredible, and I’m going to brag on her a little bit. She might blush, but Ashley is a mom of three. She literally runs marathons for fun. She knits, like could knit an entire house I’m pretty sure, and she works full time and is getting a masters degree. We’re so proud of you here at Worksighted Ashley. It’s been awesome to see you grow and yeah, excited to have you in the cybersecurity space for sure.
Adam Devereaux:
I’m pretty sure she’s going to keep going until you make her blush.
Rebecca Zaagman:
And also she’s a really good cook, and I don’t know.
Ashley Townsend:
I am not a good cook. My husband would-
Rebecca Zaagman:
Okay that was a lie.
Ashley Townsend:
… disagree with that.
Rebecca Zaagman:
Totally disagree. That’s what, we found her weakness everyone. She’s not a good cook.
Rebecca Zaagman:
Thanks for being here you guys. Adam, do you want to share anything?
Adam Devereaux:
You guys know me. I would say the reason I am passionate about cybersecurity is I enjoy spreading information and knowledge on things like teaching. There’s a lot of confusion around what this all means. There’s confusion as to what the real cause of these issues is, and we want to help prevent bad things from happening to our community that’s out there. That’s why we’re here today. My favorite Halloween tradition I would say is the campground I’ve been going to for years, they do this Fall Fest which is basically Halloween in September, and there’s now three weekends of trick or treating and decorating and haunted forest walks and all that kind of stuff, so my boys have really enjoyed that.
Rebecca Zaagman:
Yeah three weekends plus Halloween weekend of candy, that is-
Adam Devereaux:
We usually get Halloween at that point, it’s raining and yeah, we’re candied out.
Rebecca Zaagman:
That’s actually pretty smart. I would say my favorite tradition, so I grew up in Alaska and there’s almost always snow on the ground by Halloween, so we literally have to wear snowsuits underneath our costumes. I lived kind of on the top of a mountain, so we’d literally have to drive in between houses, or take a four wheeler, so a little different than some neighborhood trick or treating.
Adam Devereaux:
That’s how it is in Michigan sometimes too. Snow and four wheelers, snowmobiles maybe.
Chris Furner:
Snow starts in late July, is it?
Rebecca Zaagman:
Late, actually yeah, yeah from the mountains, for sure. They call it termination dust, is the first snow you see on the top of the mountain, so… Anyways, so glad you guys are here. We’re excited to jump in. We have a ton to cover today. Our chat and Q&A is open, and we’d love to have your questions come in, any ideas or thoughts, if you want to tell us your least favorite Halloween candy. I forgot to say mine is definitely Twizzlers, any type of licorice, disgusting, not my jam. Can’t even think about it.
Adam Devereaux:
I just can’t even… I don’t know how I’m going to continue with doing-
Rebecca Zaagman:
Should I leave now, or…
Adam Devereaux:
I’ll just say those candy pumpkins, those, the candy corn but the pumpkins, those are even worse because they’re bigger and more.
Chris Furner:
It tastes like crayons.
Adam Devereaux:
Play-Doh and crayons mixed together.
Rebecca Zaagman:
Which I often eat and I definitely know the taste of, so glad we have that, you know. I’m a newer parent though, so probably you guys have actually tried it along the way. Awesome. Well let’s go ahead and jump in. Adam, you’ve got a story to share with us today.
Adam Devereaux:
Yeah and the lawyers make us say, the stories you’re going to hear today are fictional and do not represent actual individuals or events that have occurred. With that said, imagine it’s a dark and stormy night. Actually it was just the day, and it’s in a business environment. I mean maybe there was fog rolling down the corridor, but probably not. I want you to imagine though that you are a new accountant at a fairly large organization with multiple physical locations throughout the country, and you get an email from the CFO, and they’re urgently requesting your help to have a wire transfer sent to pay for some new equipment that you’re purchasing as a down payment. It has to be in, essentially, by the end of the day or else the purchase isn’t going to go through and they’re going to lose their spot in line. We have to get this equipment.
Adam Devereaux:
So you think, “That’s a little odd, but let me try to call them.” You try to call the CFO, no answer, and you know, continues to email you, “I need this right away. This is really urgent. This is going to be a huge problem if this doesn’t happen. I need you to send this wire transfer for $245,000 to this bank account.” You decide, “You know what? I got to do what I got to do,” right? You, the friendly accountant, help with the wire transfer and you help make sure that it goes through and the CFO is very appreciative and then they say, “Okay now we need another wire transfer for $410,000,” and at that point, uh oh, something might be wrong here.
Adam Devereaux:
What actually happened in this case was the CFO’s email got compromised. We say breached, hacked, the long and short of it is some bad guy, a criminal, figured out the CFO’s password, signed into his email account, was able to see his calendar and knew when he was going to be going on leave and wouldn’t be available, readily by my phone. Sets up some email rules in his inbox to hide his activity, and then waits for the perfect moment and then sends these emails to the accountant. Those inbox rules mean that even if the CFO was checking his email while he was off, it would be going into these nested sub-folders. He wouldn’t see it in the inbox. It would all be kind of this shadow email conversation that was going on unbeknownst to the CFO. And of course, the money was gone. It was to some bank accounts overseas and it’s just gone.
Adam Devereaux:
The key here is that this is one particular clear financial cost, but phishing this type of credential theft, where somebody’s impersonating somebody else, sometimes they’re impersonating somebody else by sending a fake email as pretending to be somebody. Sometimes they’re actually in somebody’s email and sending emails as them, but illegitimate emails. Chris, I’ll ask you. What would you do to prevent that from happening as an organization?
Chris Furner:
So the real easy way is to have anybody who can do wire transfers has predetermined policies on how to approve wire transfers, and no matter, no exceptions, no, “It’s an emergency,” no, “We have to do it right now,” always signed paperwork, or face to face verification, or code words to verify the person asking for it is the right person because these attackers will do that. They’ll say, “We need it right now, it’s an emergency. You’re going to get fired if you don’t do it,” and just stick to the policies. Make sure your employees are empowered to follow the policies no matter what somebody says to you.
Adam Devereaux:
Right. Otherwise what’ll happen is you will end up enforcing the policies after some major losses happen.
Chris Furner:
Yep, and then it’s firing time, or going out of business time.
Adam Devereaux:
Yeah in some cases. Aside from the fictionalized disclaimer at the beginning, some of these, so there was an ENT, this is public information, you can find news articles about it. There’s an ENT office in Grand Rapids that had a ransomware attack because somebody opened something and they clicked on some things they shouldn’t have and they went out of business. They’re closed now because of that happening, so it literally can be fatal to organizations. What about on the technical side? What would you recommend as technical protections to prevent that kind of thing from happening?
Chris Furner:
Keep attackers out of your accounts using MFA and your email accounts. Don’t let hackers get into your organization in the first place and they can’t see calendars, they can’t pretend to be the CFO, they can’t see your internal processes and procedures, your internal documents, that kind of stuff. They can’t get in.
Rebecca Zaagman:
So your advice is just, “Don’t let them in,” obviously, “Don’t open the door.”
Chris Furner:
Use strong security protections to keep people out. MFA is a great way to keep attackers out. You can use email filtering to stop attackers from sending in malicious emails from the outside to try and start these kind of attacks.
Adam Devereaux:
The reality is, the vast majority of the time when somebody’s email gets compromised and somebody gets a user’s password and logs in as them, it’s because they clicked on something and entered their email address and password where they shouldn’t have, right?
Chris Furner:
Yeah. Some random person on the street asked you for your password and you give it to them. It happened online, but that’s what happened.
Adam Devereaux:
Yeah, but it looked legitimate.
Rebecca Zaagman:
So you said face to face, and I think this is really interesting. It’s like your boss is actually traveling, and there’s not the option to have a face to face. Does FaceTime work, or a phone call?
Chris Furner:
If you’re using the phone number you already have in your cell phone, maybe. All these things could be compromised like cellphones, or FaceTime, that kind of stuff, but it’s still more verification than just blindly accepting an email and just doing the wire transfer.
Rebecca Zaagman:
Right, but what you guys were talking about before is AI is getting so powerful that people can impersonate your voice, and the SnapChat filters or whatever, so powerful now that you could probably look like somebody pretty easily, right?
Adam Devereaux:
Yeah so on the audio side certainly there are tools, and I’ve heard rumors now of those starting to be used in some of the personal scams that are out there, where somebody is calling somebody’s grandma and pretending to be in Mexico in jail and they need bail money or they’re going to go to jail. The ability for the very specific available tools that you can use right now to basically take about 30 seconds of somebody talking, and then be able to make that person say whatever you want, essentially. You can clone that voice. Voice cloning is readily available at this point. We’ve all heard about deep fake technology, and being able to-
Rebecca Zaagman:
What have we all heard of?
Adam Devereaux:
Deep fake, deep fakes.
Rebecca Zaagman:
There might be some people on the call that might not have heard of that.
Adam Devereaux:
It’s basically where you can take an existing video and you use AI video processing to change somebody’s face. Think of young Han Solo, or young Leia in the Star Wars movies, or some of the things that they’re doing where they kind of make somebody else look-
Chris Furner:
Or an actor dies, and they finish the movie up with CGI of that actor.
Adam Devereaux:
But now they’ve got basically real-time systems that can do that. I don’t think there’s something readily available right now, but in terms of a cam filter to impersonate someone else, it’s not unforeseeable. Somebody out there probably has it. I think over the next couple years we’ll probably likely see that kind of system be available.
Rebecca Zaagman:
But because it’s a known phone number you said, like already in your contacts-
Adam Devereaux:
On a [band 00:14:53] there, right. Even if your account is compromised, and then you’re contacting me over, I don’t know, Zoom or Teams, that account might be compromised.
Rebecca Zaagman:
Oh interesting, yeah.
Chris Furner:
Or the attacker says, “Call me at this number to verify it.” “No. I’m not going to take your number. I’m going to use the number I already have.”
Rebecca Zaagman:
Not going to do that.
Adam Devereaux:
It’s the same advice if somebody from the IRS calls you, or your bank calls you, or whatever. What you’re supposed to do is say, “Okay what’s your name? What building or division are you with?” Then call a publicly published number for that organization and try to get ahold of them. Don’t call the number they give you, call the main number and then try to get transferred to that person again to verify that they are real.
Rebecca Zaagman:
So that was an example of a phishing attack, right? Somebody gets an email and they take action on that email, assuming that they knew the person that it was coming from, right?
Adam Devereaux:
Yeah and one thing I want to add to this is that we’re seeing, a lot of times people are like, “Well obviously you need to put MFA on a CFO’s account.” Well we’re seeing, that’s a very obvious high financial damage, but we’re seeing lots of real world examples where they didn’t have to get ahold of some VIP, VP, C-level person. They were able to get into just anyone in the organization’s email, and then because there is either sensitive information in their email, because what they’re doing now is they’re going through people’s historical email and they’re looking for invoices, any sort of personal or financial information, and in many cases they’re taking that and then they’re blackmailing the organizations and saying, “If you don’t pay us we’re going to release this information.” Even down to any employee, we’re seeing a lot of payroll scams now, right? You want to tell us a little bit about how payroll scams work?
Chris Furner:
Oh yeah, yeah. Maybe you work in HR, and you get an email from somebody’s Gmail account and it says, “I changed my bank. Can I get my direct deposit changed to be effective for the next pay period?” We see this be successful, and the HR person says, “Okay yeah. Can I get your account number?” And then they just change it. Then now the direct deposit is going to somebody’s, you can get bank accounts where the money comes in and you just suck it up the cash right away, or the gift cards or whatever and the money is gone. The same way with wire transfers, with direct deposit requests. Anybody who works in payroll or HR, make sure you’re doing face to face verification for payroll changes. Don’t accept changes that are outside your company’s procedure. You have paperwork, or a portal you do it in. Don’t let anybody go outside of that process because that’s where the attackers are going to thrive, is when you’ve now violated your own processes and procedures.
Rebecca Zaagman:
Right.
Adam Devereaux:
Yeah and you start to think about, even for an HR portal, is that protected with MFA, do users have good passwords to get into those? We’re starting to see business applications be something that’s attacked as well.
Chris Furner:
Yeah. If you can get into a payroll application you can do a lot of damage.
Rebecca Zaagman:
Yeah so the trends I’m hearing is MFA. Also, follow your procedures and your policies, right? Those are set up for a reason. Make sure they’re well known and hold people accountable to following them, so that will get you out of a lot of trouble.
Adam Devereaux:
One other thing that we’re doing right now is user verification. Do you find that to be critical as well?
Ashley Townsend:
Oh absolutely. You can’t stop what you don’t know, right? You have to be able to train your users effectively on what to look out for, and emails so that they can identify these things quickly.
Rebecca Zaagman:
Right, so immediately I see wire transfer and I’m like, “That’s a red flag,” right? I know as a user, even though I’m not a cybersecurity professional, that anything asking for money, anything asking for a gift card, anything that comes from a weird email address, or if something is spelled wrong, I am well-trained to be able to identify those, which is a great segue into your story Ashley. Yeah, tell us a little bit about, yeah, your story.
Ashley Townsend:
Yeah. I, as a cybersecurity professional here, and going to kind of throw myself under the bus a little bit, but that’s okay because we all have those moments. A couple months ago I was working a lot of hours, and I had actually worked all weekend. This is a real story, by the way.
Rebecca Zaagman:
It may be fake. It’s not fake.
Ashley Townsend:
And it’s about me, so it’s okay to say it’s a real story. I had received an email. I was walking into, on my day off, I was walking into TJ Maxx with my three children. We were going to do some shopping, so why I checked my email was beyond me, but I was pretty stressed out. I checked my email and I saw an email from HR, and it said that we needed to discuss my performance. In that moment I started getting a little bit more upset, and I did not click on the link, but I had screenshotted and sent it to somebody who could look at it and let me know, is this a real meeting. Come to find out it was one of those phishing test emails, but yeah. I think in that moment my emotional state was just that I was so worked up about what was going on in not only my life, but in work, and so I immediately, my brain just flew to, “This is a real email and HR really does want to discuss my performance.”
Rebecca Zaagman:
Right and after working all weekend, being so tired, trying to take care of your kids, at the end of your rope, and you’re like, “Uh this too?” Right?
Ashley Townsend:
Yeah but we all have… I think it’s really important to bring that up because we all have moments like that at work where the stress gets high no matter what field you work in. You could get that email from what is believed to be a CFO threatening, and you’re already stressed and at the end of your rope, and what you see is real. Thankful for my training and my education, that I did not click on anything or provide my credentials into anything, but I think that some things we can take away from the experience is if you’re already stressed out about work and you have a day off, don’t check your emails. Also, if you’re at work and even stressed out, you need to take a moment away and not look at those emails. That’s a very good thing to do too.
Adam Devereaux:
You have to be in the right state of mind.
Ashley Townsend:
Yeah.
Rebecca Zaagman:
Yeah, take a pause.
Adam Devereaux:
Which I think, you know there’s a reason why they use that kind of aggressive, they’re trying to shortcut your brain to produce kind of a fear response, or a stress response to get you to do what they’re asking you to do.
Chris Furner:
Yeah. These hackers always use emotion to try and get you to shortcut around your critical thinking skills. You get these phone calls where your social security number has been suspended, or, “There’s a warrant out for your arrest and if you don’t pay us right now we’re going to come and arrest you,” and it’s like, “Oh my gosh, I don’t want to get arrested.” You don’t think about the fact that people don’t call you to warn you that you’re going to get arrested.
Rebecca Zaagman:
Right? Yeah and I think, so Sydney on our training team calls it an amygdala hijack. She loves the psychology behind this. You’ve got an emotional brain and a logical brain, and what happens when you’re stressed or you’re afraid or you’re worried that you’re going to disappoint someone is your emotional brain kicks in and overtakes your logical brain. One of the best things that you can do when you’re going through your emails or whatever is to just take a moment. Before you take any action, think about it for five seconds, or make sure that you’re in the right brain space when you are looking at emails. I think it’s interesting. One of the more successful phishing emails that we’ve had is one about the dress code changing.
Ashley Townsend:
Yes.
Rebecca Zaagman:
Right? People are-
Adam Devereaux:
Mad.
Rebecca Zaagman:
… very concerned that I couldn’t wear jeans on Tuesday, you know? But it’s something that evokes an emotional response, right? Even though it wasn’t, “Do a wire transfer for $100,000,” it was something that was, it meant something to someone, because our culture is very important and if you’re going to make me do something I don’t want to do, or yeah. I think that emotional piece of it is very interesting. We think about the technological, that’s not right, the technology piece of it, and how it actually works and functions, but there is a big psychology piece to it too.
Adam Devereaux:
Yeah absolutely because this is really just fraud. They’re trying to con people. They’re trying to trick. It’s classic crimes. It’s classic criminal things that have been going on for thousands of years, right? It’s not like it’s new just because it’s computers. It’s really not… We say it’s cyber crime and all this other stuff, but it’s kind of ridiculous in a way because okay it’s using computers but do we call, if somebody does a fraud, a con job over the phone, do we call that, “It’s a telephone hacking job,” right? I mean it’s like no, it’s just the tools that we use to communicate now, and the bad guys, the criminals, are trying to use these platforms to reach people and con them.
Rebecca Zaagman:
Right like person wearing a mask robbing a bank is definitely a criminal, but we don’t necessarily see cyber criminals in that same way. Is that kind of what you’re saying?
Adam Devereaux:
Right. Yes, yeah.
Rebecca Zaagman:
Yeah, yeah, as actual criminals who do bad things.
Adam Devereaux:
We like blame the technology, right? It’s like, “Oh if it’s a cybersecurity issue, we’ve got to apply some patch or fix or it’s some nerd’s issue that they didn’t do things right,” that’s the real issue. When it’s like no, most of the problems that are occurring right now in this country, in this state, are people related, right?
Chris Furner:
You got people making mistakes or bad security design.
Adam Devereaux:
Right.
Chris Furner:
Just because they’re designed to be easy to compromise by tricking users.
Adam Devereaux:
Yep, yep. If you think about it, email may not be the best place for critical communication like that. Maybe really important things like that shouldn’t come through email, and if you have that kind of policy as a company, you see that with banks and others. “We will never do this.” What, as a company, can you say to everyone, every employee, “We will never do this, and if you get something telling you that’s what’s happening, you can ignore it and know that it’s false and invalid.”
Chris Furner:
Even if you work in finance or accounting in a company, you can put it in your email signature for all your finance employees. “We will never communicate bank account changes over email.”
Adam Devereaux:
Yeah.
Chris Furner:
So like that, because that’s a common thing. An attacker will email your customer to say, “We’ve got a new bank. Pay your invoice to this new bank account.” Let it go.
Rebecca Zaagman:
Fascinating. Cool, well next up Chris. You have a story for us around the importance of getting your end users involved in cybersecurity right?
Chris Furner:
Yeah, absolutely. Kind of a scary story here. Imagine that you have done a lot of things to invest in security, and you’ve implemented a lot of new technology controls to try and secure your company, but your users don’t know what you’re doing or why, so when they are blocked from accessing a link in an email, or trying to open an attachment and they can’t, they don’t know why you’re blocking things so they find a way to get around it. Instead of all your technology controls keeping your business safer, your users think that it’s a barrier to them getting their job done, so then they find a way around it because if the user doesn’t know why you’re blocking things, they just see it as an obstacle to their getting their job done, and not a tool you’re using to protect your company.
Chris Furner:
We’ve seen this happen in the real world. We see users transferring company data, or maybe not company data but maybe company emails or attachments that were blocked to their personal email or their personal computer so they can open them, because all of our technology control are on their personal devices. Then they open, maybe they open a link that is supposed to be a document that they need to open, but that link is actually a phishing link. Now they open that phishing link on their personal account, or on their personal computer-
Rebecca Zaagman:
But it’s still on their work computer.
Chris Furner:
… then they’ve entered their company log in, in that phishing link, and now they’ve still got phished because all the tools we put in place, they got around it because they didn’t know that, “Oh when something gets blocked, talk to IT or talk to Worksighted because then we can check it out and say, “Oh good thing you asked because that was a phishing link.” That’s the important end result of this technology is to not just build a bunch of walls, but tell your users why you’re building the walls and why they shouldn’t climb around them, climb over them, climb under them, break through them, because the users will find a way to get their job done. If they don’t know that these tools are there to protect them, they think the tools are there to get, make their job harder.
Adam Devereaux:
We’ve seen, that actually sparks to mind, I think I remember seeing specific cases that a user, employee was really frustrated because they got this email and there’s a link in it but they couldn’t go to it, right, it wasn’t working, the website was blocked. Well it was being blocked by security tools because it was a fraud website, and it was going to try to get them to do something they shouldn’t do, but they were actually kind of pissed off about it. “I got this email. I can’t click on this link. I need to be able to go to this website,” and it’s like, “Nope the whole thing is a fraud. You shouldn’t be doing.” Right?
Chris Furner:
Well I’ve seen the ones where they get that and they can’t open the link, and then they forward the link to somebody else, and the other person, maybe there was a tool failure or whatever. The other person tries to open the link and they could open the link, and then they get phished, or they email the entire department and say, “Hey does anybody know what this link is? Can you check it out?” Then everybody opens it and gets phished.
Adam Devereaux:
Well it’s a perfect example of what are security tools, the reality is they’re all limited because we need to be able to get into these systems, right, so perfect security is everything is locked down and you can’t get into anything, right?
Rebecca Zaagman:
But no one can actually do their work.
Adam Devereaux:
Nobody can do their work, yep. Let’s say I have, we’re using Umbrella to protect. It’s a DNS level protection, right. If I click on that link as a user on my work laptop and I’ve got the Umbrella system working on that, and Umbrella says, “Whoa you can’t look up that website. We know this is a bad website. It’s on our list of bad websites. We’re going to block you from going to that.” Okay well I’m going to open my iPad and open it on my iPad. Umbrella isn’t applying here, right, because I’m at home and I can go to that link and now it pops up this website and it asks me for my Office 365 log in, and I punch in my username and password and I get through, right? People need to be mindful of what those tools are, and it gets back to user education. We need to make sure that they’re part of this journey because it’s not the computers being safe, it’s the people being safe using the computers.
Chris Furner:
The people, the users are, at the end of the day, that’s the best protection that you can invest in. All the tools can cut out a lot of this stuff but at the end of the day, if the users aren’t invested in security, not trained in security, they will let you down. Make them your ultimate security tool, not the quote stupid user that’s always going to screw everything up. Make your users the hero at the end of the day.
Adam Devereaux:
Yeah and I think telling these stories is part of that as well, making sure people understand this can happen to you. Everyone in your organization needs to know. It’s a little bit like assuming that cars are perfectly safe and we’re all just going to drive and there’s never any chance of an accident, right? Most of us are going to get in accidents at some point in our life. It’s just part of the statistics. Most organizations are going to have some sort of cybersecurity incident over the course of that organization’s life, so how do you assume that’s going to happen and prepare for it and train people and try to mitigate damage and make sure you’ve got protection and also insurance, and abilities to respond, like having a good partner to help with that.
Chris Furner:
Yeah. You wear the seatbelt, you buy the insurance, turn on the headlights, use your wipers, you fill the tires, and you get driver education.
Adam Devereaux:
Yeah.
Chris Furner:
Kind of like across the board.
Adam Devereaux:
Yeah. I know that my air bags, the seat belts, all those things, those are there because I’m probably going to get in a crash at some point, and I might not be able to control that.
Chris Furner:
It’s going to hurt but it’s going to make things not be worse.
Adam Devereaux:
Right, and they’re not going to stop. That’s the interesting analogy here, is that a lot of security tools are like seat belts and air bags and everything else. They’re there for when something bad happens and they’re not going to necessarily stop a hack from happening, or going to stop a crash from happening. It’ll still happen, but now we’re going to be safer, right? It’s tough because sometimes some hacks, there’s a very publicly known one, are the legitimate, somebody finds exploits in software and they get into a website, or they get into some system because of a software vulnerability or something along those lines. That does happen. It’s just not the majority of the risk to most organizations out there right now.
Rebecca Zaagman:
Yeah. That was a lot. Those were our cybersecurity horror stories. Like I said, feel free to pop any questions that came up as we kind of talked through those stories. Our goal here is not to be fear mongering. We had a little bit of a lighter tone today, but it is scary, it is real. We have to be aware of it, and you need a great cybersecurity partner. What we wanted to do is kind of just take a couple minutes to talk about security essentials, which is our managed service offering security.
Rebecca Zaagman:
I kind of wanted to start with the history of security here at Worksighted. I know three years ago we didn’t even have a cybersecurity team, right, but a lot has changed in the past few years. We now have a dedicated team of three, almost four people. We’ve got the security essentials, which is an add-on to our criteria on managed services. It’s a required add-on, but that can come alongside our managed services to really provide a great service for our customers. Ashley, maybe I’ll start with you. You kind of handle the after the fact, so somebody does happen to get into a situation where they’ve been hacked or breached, can you tell me-
Adam Devereaux:
Or suspect they are.
Rebecca Zaagman:
Or suspect they are, yeah. Kind of talk to me about your day to day, what that looks like for you.
Ashley Townsend:
Yeah, so day to day really what we’re doing is going through emails that are reported by use of the phish alert button, or the Worksighted awareness phish button-
Rebecca Zaagman:
A phish button.
Ashley Townsend:
It’s a phish button.
Rebecca Zaagman:
Yeah, a phish button.
Chris Furner:
Or just people who just forward an email saying, “Hey this looks weird, what is it?”
Adam Devereaux:
Yeah exactly.
Ashley Townsend:
Yeah so day to day we will go through those and see if there’s anything that needs to be blocked, or guidance that we can give to the user when those are reported. Some other things that we continue to do, kind of on the proactive, reactive side, is go through OpenDNS, so what Adam was talking about earlier, if the user believes that they need a site unblocked, we’ll go through and review and kind of make a decision on if we can unblock that site or not.
Rebecca Zaagman:
I really need Netflix. It’s for work purposes. I really need it.
Ashley Townsend:
Well that’s up to your company, Becca, but WeTransfer, that’s one where we’re pretty much a stickler on.
Chris Furner:
But that’s a good point. There’s a big difference between time wasters, and unproductive things-
Adam Devereaux:
That’s a security risk, right.
Chris Furner:
… and security risks. We really leave it up to the company to decide how to police their users on time waster stuff, because there’s a big difference there and it’s impossible to control every time waster website out there.
Rebecca Zaagman:
Right absolutely, cool. Chris how about you, do you want to talk a little bit about what security has looked like over the past few years? You were our first dedicated cybersecurity professional, so yeah.
Chris Furner:
Yeah. Yeah we saw, over the past couple of years, really this explosion in email breaches, and maybe four or five years ago we didn’t see emails getting attacked or getting breached. In this cloud shift, where everybody’s been moving to Office 365, or in some smaller aspect, Google, or G Suite services, it really makes the attack, the number of ways you have to attack a lot smaller, because almost every business is now Office 365, or on G Suite, and the shift to cloud has really caused that, so we see a lot more attackers that were trying to get into people’s cloud email accounts. We started to build this response model around responding to breached email accounts, securing them, gathering evidence.
Chris Furner:
Then when we realized that this is happening, this is growing, we needed to build a proactive model, to bring protections to our customers to stop the attacks from happening, because attacks are getting expensive. The data breaches in many cases leave you open to legal liability, so we are building a program that says, “Before you get breached, let’s do,” you said security essentials, the essentials. “Let’s do the things that every business should be doing to secure your business against the most common threats out there,” and email-based threats are like 90% of all the threats out there, so if we can keep somebody’s email secure, we can shut down almost everything that happens out there for that customer. There are some big, multinational companies that they have different threat models than our customers do, so we’re building packages that fit the needs of our customers.
Rebecca Zaagman:
That’s awesome, so your day to day, do you still do risk reviews for clients? So new clients come in and say, “Where are my blind spots?”
Chris Furner:
Yeah.
Rebecca Zaagman:
That’s something that you can do?
Chris Furner:
Yeah, so with security essentials we plug in a relatively templated security model, but then we also look at their individual situation, look to see where their threats may lie. Yeah we do assessments to see before and after security implementation to show, “You are more secure now. These are the common threats that we’ve covered with these controls.” Then we also do one-off security consultations, either on a short-term basis or on a long-term basis, to help customers address. Maybe they have more specific concerns, maybe they have compliance or regulatory reasons that they need to have higher security. Not just technology, but in many cases that process and procedures to secure your business, secure your data, and so we’re doing some of that now too to help our customers address whatever their requirements may be. Like I said, regulatory compliance, a lot of insurers now say, “You need to go above and beyond the minimum for insurance,” now.
Rebecca Zaagman:
Right.
Adam Devereaux:
Yeah that’s a big change we’re seeing in the marketplace is the insurance companies have really gotten serious about cybersecurity coverage, and they’re kicking people out and they’re putting really pretty strict requirements in place for you to be able to have it. Something I want to add to that, really, is in terms of your question about the security development. If we look back at the last four or five years, you know I remember when anti-virus was kind of it, right? Maybe email filtering, a basic email filtering system. Endpoints are still a concern, although Umbrella, OpenDNS was a big aid in preventing ransomware. We saw a massive decline once that was deployed in the client environment, so that was a huge value.
Adam Devereaux:
We took all of these different things that we started to see value and need for, but there’s cost to these things too, right? Cost both in terms of the tools and resources themselves, cost to the people to be able to manage those. We’ve significantly grown our capabilities around security and ensuring that the right security essentials are in place for every organization, and we’ve built that around some publicly published frameworks, like the NIST framework. A lot of it’s built around protecting, identifying, responding, so it’s the idea there is we need to put the right preventative measures in place.
Adam Devereaux:
Going back to the car analogy, it’s like having good tires, driving defensively, not, maintaining your car, making sure that it’s going to run and your brakes work and everything else, that’s the kind of stuff that’s really the essentials. You don’t even have to start thinking about some of these other higher things if you don’t have the basics in place.
Rebecca Zaagman:
What’s important here is there is no silver bullet, that’s what we say, right? There’s not one thing that’s going to protect you 100%, but what’s great about Security Essentials is that you get this team of experts that are supporting and protecting your organization. Regardless if you work with us, or if you’ve got internal IT, you need to make sure that you have someone that is dedicated to security, and that these discussions are happening at every level of the organization, every big, hardware, software decision, building decision, that cybersecurity is kept in mind. We call that a cybersecurity first culture, so making sure these conversations are happening at most of your leadership meetings. What are we doing to keep our company safe? Do people know about this? Are we doing quarterly, or at least yearly training for our end users? Are new employees getting trained in cybersecurity? We’ve got these two people. We’ve got Cody who does a lot more around projects for security.
Adam Devereaux:
The implementation of those security, yeah.
Rebecca Zaagman:
Implementation, yep. Then we also have a training team. Sydney, Megan, and Alana do a lot of our security awareness training for end users. If any of this sounds interesting, if you’re not signed up for it yet, please get in contact with your account manager. We’d love to talk to you about this. We think it’s so important. We’d rather not have to deal with remediation, right, or recovery, rather help you upfront. It’s better for your business, and yeah. We’re here for you in that. Anything else to add about Security Essentials?
Chris Furner:
You said about not having to deal with remediation incident. The cybersecurity incidents are harmful to businesses. It stops your growth because it wastes your time. It wastes your time in the business, that you can’t focus on your forward moving, or business goals, and you’re dumping money into a cybersecurity incident. It’s money well spent in my opinion to invest in security now versus invest in cleaning up an incident down the road.
Adam Devereaux:
It’s a little bit like the car analogy, right, where we say okay there’s things that you do, like good tires and maintaining your brakes and driving defensively and all that stuff, to prevent an accident. Then there’s things that you can do like having a safe car, making sure it has air bags and wearing your seat belt and things like that to help survive the crash. Then there’s, “I have health insurance. I have people, medical professionals that I trust. I have other means to survive that thing that’s happening,” but it’s going to be disruptive, right? If I’m on my way to work and I get in a car accident, my day is pretty messed up and who knows how much longer, right? It can be life altering, and that’s what we see with security incidents, are often life altering for individuals or for organizations.
Adam Devereaux:
One thing I wanted to note too, you’re absolutely right that the ability to log into these collaboration and email platforms is a huge enabler here, but recently with the Exchange vulnerabilities, we saw evidence and real-world examples of where you hosting your own services is often not an alternative, or not an improvement. It makes things worse in many ways, because a lot of the newer security tools and capabilities are built around these cloud platforms too.
Chris Furner:
Yep, yeah absolutely.
Rebecca Zaagman:
And with all of that, we do have some exciting news. We’ve got a new partner that’s going to be offered as part of Security Essentials, and this is the first announcement of it guys. This is a big deal. Yeah, it’s called Huntress, like a hunter, but a Huntress, which is awesome. Chris, do you want to tell us a little bit about it?
Chris Furner:
Yeah, so Huntress is a new tool that we’re going to start offering, and Huntress is what’s called a threat hunting product. Huntress is really kind of an extension into how we do business in security, in that it’s a very flexible tool that can be used to look for threats in your environment, things that anti-virus is going to overlook. We do, of course, invest in industry-leading anti-virus product, and Huntress is then an extension on top of that to look for threats in your environment, looking for things that anti-virus might miss because it isn’t a file. Maybe it’s a misuse of a legitimate tool in an organization, like Adam mentioned Exchange. Huntress was at the forefront of detecting the Microsoft Exchange vulnerabilities this year, and detecting that these are being used in your environment to attack you-
Adam Devereaux:
And putting blocks in place.
Chris Furner:
Yep, yep. It’s big on detection, but it’s also big on doing things like host isolation, so if a threat is detected on an endpoint, Huntress is there to cut the endpoint off, stop the damage to your network.
Rebecca Zaagman:
So if something happens to get into your network, Huntress is literally going to hunt it down.
Chris Furner:
Kind of, yeah.
Rebecca Zaagman:
Yeah.
Adam Devereaux:
It’s part of layered security here, right? Yeah.
Rebecca Zaagman:
Yeah.
Chris Furner:
And Huntress is backed by real people. They are researching the things that are found on the endpoints, and they’re classifying them as either known good, known suspect, known bad, or unknown, and then they research it, and then they put it in one of those buckets. They find a new thing and it’s known bad, now they say, “Okay you’ve got a known bad thing,” and now we go to all our other customers and say, “We found this new, unique thing. You have it now too.” Kind of this building intelligence, building knowledge thing.
Rebecca Zaagman:
I love that there’s real life people, because sometimes it just seems like everything is so, I don’t know, not tangible, but these are real people and their job is to help.
Adam Devereaux:
That’s part of the reason why we partnered with them, in a lot of ways it’s kind of like an organization to employ really smart cybersecurity researchers and professionals and that’s something that we already saw tangible benefits from that platform, and we wanted to continue with that partnership to work with people like that and make sure that there’s additional tools in place that we see value from.
Rebecca Zaagman:
Yeah. You were telling a story, there was a vulnerability and the client didn’t know about it for months, they didn’t think they were affected, and then you put Huntress on it and basically it was like, “Yep and somebody has access to your server.”
Chris Furner:
Yep. They didn’t know how they got ransomware, and we dropped Huntress on, and Huntress, within an hour said, “This server, this Exchange server has a vulnerability on it. These hackers were in it. We can see these hackers were in the server moving around. This is how you got ransomware.”
Rebecca Zaagman:
Gosh, yeah.
Chris Furner:
It’s better to put those things in place ahead of time so they can say, “Oh attacker is hitting the server, let’s shut it down right now,” before they get in there, drop the ransomware and make a big mess of everything.
Rebecca Zaagman:
Interesting, yeah. I didn’t realize a bug or a hacker or something could kind of be living in your system for months before you detected it.
Chris Furner:
Yeah they want to get in and find out what’s the valuable thing inside your organization that they can take and hold ransom, hold hostage, threaten to blackmail you with it, that kind of stuff. Blackmail is the big thing now. Ransomware is kind of the extra kicker. If they can blackmail you and say, “We’re going to release all of your company information to the public,” that’s where you can pay the big money to stop that kind of stuff.
Adam Devereaux:
Yeah there’s another publicly available story about a plastic surgeon office that got hit by ransomware. They had all this storage of patient records, and they went after the practice but then they started going after the patients and saying, “We’re going to publish your pictures and information that they took if you don’t pay us money.”
Chris Furner:
Their before and after pictures. The doctor’s office said, “We don’t care. You’re not going to do anything.” They went to the patients, celebrities, and said, “Hey we’ve got these pictures. Your doctor’s office didn’t care. They didn’t pay us anything. You pay us.”
Rebecca Zaagman:
And nobody wants to be outed for some plastic surgery, am I right?
Chris Furner:
And I’m sure they got their money.
Rebecca Zaagman:
Yeah, right. Interesting. Well awesome. So we’ve talked about the importance of Security Essentials, having a cybersecurity team on your side. Let me tell you, these guys are the best of the best. You want them on your side. And a little preview of Huntress. I think that’s about it, unless anybody has some questions coming in. I don’t see any.
Adam Devereaux:
Something to note too is that we mentioned really good endpoint protection, so we actually switched out our antivirus, but really enhanced endpoint protection platform this year as well, to 701, because we found, Chris did a lot of research on different available options out there, and ultimately we found that there was a superior alternative to what we were using before and brought that to our whole client base, because that’s kind of that continual development of the security tools.
Rebecca Zaagman:
And being willing to be agile too, and right, being able to meet the new threats that are coming up. I think that’s pretty important too.
Adam Devereaux:
Yeah absolutely.
Chris Furner:
Yep, yep and so that certainly was a big piece of our layered approach to security. It’s the endpoint protection, and yeah, we’re really happy to be able to bring best in class tools to both our internal security Worksighted, and to our customers.
Adam Devereaux:
Yeah it’s interesting. It’s a little bit like, if you look at, with both users and with systems, it’s everything kind of has to stay going right for nothing bad to happen, right? It’s like when you think about, talking about your story about being stressed, it’s like we tend to think of ourselves on our best days and be like, “I’d never fall for something like that,” but I mean there’s been times I’ve walked into another room and then I’m like, “Why did I walk in this room?” Maybe I’m just getting old, but do we think about ourselves on our worst days, and then getting something like that.
Chris Furner:
That’s what the attackers are looking for. Attackers need to be right once. You don’t have to be right every time. Their attacks are basically free, so they just keep trying until they find somebody that’s in an emotionally vulnerable state, and then-
Adam Devereaux:
Exploit it.
Chris Furner:
Yep, they win.
Rebecca Zaagman:
That’s very rude. It’s very rude.
Adam Devereaux:
It’s why we don’t just focus on one thing, right. We’re still talking about endpoint protection and software because endpoints are really, really critical, but even though we know phishing attacks are, or email-based attacks are one of the most popular or common right now, we have to shore up the defenses at every part of it, essentially.
Ashley Townsend:
Well I think one of the favorite things that I’ve ever been told, or I guess I read this, was that you don’t have to be smart to attack, you have to be smart to defend. That’s where this comes in, with needing to know all of the new threats, and what is going on in the world. We have to be smart in those things so that we know how to defend, but for an attacker they can go look up a script online and it could work, for free you know?
Adam Devereaux:
Yeah it’s the classic asymmetrical warfare issue, right? If you look at guerrilla warfare and nations, histories have changed because of the cost of doing war for one party versus another, right? If it’s significantly lower cost to attack than it is to try to defend, that’s a pitched battle, and so that’s the challenge that we have right now. We’re trying to figure out how do we be efficient and bring the right protections to organizations.
Chris Furner:
And that’s what we’re doing every day. We’re looking for what’s coming, what’s next, what’s big now, and trying to adapt our customers’ security posture to address those things because what was happening last year isn’t what’s happening now, and what’s happening now isn’t going to happen to us next year, and so that’s the continual approach in security. That’s what we’re doing, is to look for what’s coming, and we see weird new things that we’re not accounting for, and we’re finding a way to account for.
Adam Devereaux:
Exactly.
Rebecca Zaagman:
Yeah and reality is, a lot of people who are running businesses don’t have time to do the research that you guys are doing, and stay up to date, and so that’s the importance of having cybersecurity partners that we do that for you.
Adam Devereaux:
Don’t assume you’re protected.
Rebecca Zaagman:
These guys are passionate about it. We did just have a question come in. Is there a software Worksighted can recommend end users to use on phones as well as company-owned workstations?
Chris Furner:
I guess that question kind of leads into I guess are you asking about how to secure people’s phones that have company data on them? And there is some really cool new stuff that we can do with Microsoft 365 and Azure and Intune to segment the company data from the personal data device. You don’t have to worry so much about the company-issued phone. You can move more into the bring your own device model, where then we can say, “All right, we can have the company data and the personal data on this device,” but let’s say we want to call back the company data, we want to wipe the company data. We can wipe the company data without blowing away my kid’s pictures, that kind of stuff. It’s not really software, it’s more of a leveraging the features that Microsoft has built into their platforms to make it less of a concern about the device because we’re just focusing on the data and the apps that we hold that company data in, like using the Outlook app, or using OneDrive, SharePoint, that kind of stuff. You kind of silo the data inside those applications and don’t let users get the data out of those. Just interact with the data inside the applications.
Adam Devereaux:
Yeah and you can enforce it, make sure that it’s encrypted, you can make that you have to put in a passcode, or use Face ID or something to get into those applications. The other thing with mobile devices is they are a different sort of platform because there’s more control from the OS manufacturers, right? For iOS in particular, you can’t just run whatever application on there. It doesn’t mean that there have never been security vulnerabilities on mobile devices, but that’s why it’s really important to make sure that people are using non-modified mobile devices, right?
Chris Furner:
No breaks, no root, none of that stuff, yep.
Adam Devereaux:
Yeah, and that’s what you can do with those policies as well, is you can say, “This app won’t even run,” you could have installed it and then made modifications to your mobile device, but now it won’t run because we detected that it’s been jailbroken or something along those lines. It is a little different with mobile devices versus a PC or Mac because you can’t just run whatever arbitrary program, and so they’re generally safer from viruses, although there have been some instances, but notably most of those are because some sort of malicious app got into the app store, right?
Chris Furner:
Yep, yep. That’s one of the criticisms of Apple, is actually one of the things that makes me feel better about them, because Apple is very strict about the code in the apps in the Apple app store. There are much easier ways in Android to get unapproved apps in than Apple, but there are, Android is going really hard too at security to fix some of that, and make their platform more secure too.
Adam Devereaux:
Yep, yep.
Rebecca Zaagman:
Awesome.
Adam Devereaux:
Great.
Rebecca Zaagman:
Cool.
Adam Devereaux:
Well thanks everyone for joining us on this spooky cybersecurity conversation. Hopefully we didn’t scare you too bad.
Rebecca Zaagman:
Yeah, thanks for joining and like I said, if you have any questions about anything we talked about today, about Security Essentials or about Huntress, please reach out to your account manager, or you can email me, Becca@Worksighted.com. Yeah we’ll see you next month. Take care.