Worksighted NXT Webinar: Top IT Security Threats Facing Michigan Businesses
There are hundreds of factors that impact an organization’s IT security threatscape. What should you pay attention to as we enter 2020? How do you keep your organization safe? In this live webinar filmed in January 2020, Adam and Jordan discuss the top threats and what you can do to protect your organization’s most valuable assets.
Adam Devereaux:
All right. Welcome everyone to another Worksighted NXT Webinar. My name is Adam Devereaux.
Jordan Briney:
Hey and I’m Jordan Briney, one of our remote support engineers here. Welcome to season two. 2020 brings a new year for us for our webinars. We figured new season, new year, worth a lot of new production they’re putting into it alongside with a lot of new cool topics that we hope to bring to you guys along the table.
Adam Devereaux:
Yeah, so we’re committed to a monthly schedule for these. We’ve gotten a lot of great feedback. We’re really looking for new ways to engage with the larger base and spread a lot of information. It’s really… there’s so much changing in IT. There’s so many things to try to keep up with, so we’re hoping to consolidate some of that and really get it in a more easy to follow and concise manner. If this is a format that you like, make sure to let us know and if you have any ideas for us, go ahead and send them our way.
Jordan Briney:
Yeah, and today’s webinar’s going to be a lot about, given the experience and knowledge that we’ve seen from our side of the things we would like to bring to you, kind of what we found to be the top three IT security threats that are facing Michigan businesses in 2020 today. Again, given from what we’ve seen in our industry and patterns that we’ve noticed from Michigan, we’ll see if we can pull stuff together.
Adam Devereaux:
Yeah, so like a lot of top 10, or top three lists in this case, everybody has different opinions, but this is based off from what we’re experiencing and things that we really think you should think about, but we want to lay a little groundwork on that and talk about why IT security is changing. There are a couple of quick points. One is in regard to the fact that a lot of organizations are in kind of a hybrid cloud model now where you have a lot of your business information, and that’s one of the things we’re going to continue to talk about is what you want to think about protecting.
Adam Devereaux:
A lot of times it’s your critical business information and systems, so people will try to exploit you, will try to ransom. There’s lots of ways that they will try to either use that information or lock that information down. We’ll go into that more, but that information is now in lots of different places and there’s kind of an older IT security model that a lot of us still think in and it’s still true to some degree, and it’s kind of like the walled garden, right? It’s when you have a trusted network of firewall perimeter. You can think of the diagram of an old school model is you’ve got your brick wall and then everything’s inside but once you were over that wall, then you are trusted, right? Once you’re inside the network, now you have access to just about everything.
Adam Devereaux:
Now that’s changing because a lot of the information is outside of that network and your user identities are in lots of different systems, lots of different cloud systems. The challenge there is how do we move to a model that protects us in that reality, and what’s kind of developed by others, not by us, is a concept called zero trust, and that’s where you move from that walled garden, that once you’re inside, now you’re a trusted member of the information space, to lots of different devices, lots of different users, lots of different connections, lots of different systems that information is stored into, and moving it to where it’s more an awareness of lots of IT security signals.
Adam Devereaux:
It’s a system that constantly is looking at and verifying users. It’s more device based, so what devices are users accessing from and can we trust it? Do we have information on it? It’s looking at a lot of different signals and inputs as to whether or not that access is a trusted access. It gets a little weedy but the point is we kind of have to change our mindset to some degree as we look at IT security and a big thing really comes down to that user identity and the business information management.
Jordan Briney:
Yep. As our industry becomes ever evolving, a lot of our applications will start moving outside of that wall. Again, this is where zero trust really needs to be in play. Sometimes, and we’ll touch base on this as the webinar goes along. Some things we have to protect from an application, from a server side, from a cloud side in order to make sure that we can get everything set the way they would like to. You want to go ahead and touch base and start getting a number three.
Adam Devereaux:
Yeah, let’s start with that.
Jordan Briney:
Okay. So number three, what we found here is to really be a pattern of, generally speaking, outdated systems. One of the things is that people start finding ways to get into the walled garden, as we are using the analogy, by finding systems, operating systems, software that are typically out of date, unpatched and untouched here, is usually what we found out.
Adam Devereaux:
Yeah, and the reality there is that one of the reasons why we want to talk about this and why it’s relevant right now in particular is because of Windows 7 End of Life from Microsoft and Server 2008 and 2008 R2 End of Life. What that means is that Microsoft will no longer be producing patches, security updates for those operating systems for most users. Over time as security vulnerabilities are found, which they are constantly in all software, those won’t get fixed, and so it means that those devices are more vulnerable and more likely to get infected in ways that you can’t necessarily control through user behavior or through what you’re doing with that PC.
Adam Devereaux:
That’s a significant issue right now for a lot of enterprises. There’s a lot of Windows 7 devices out there still. There’s a lot of Windows 2008 R2 servers out there. It’s just important to note that this is a real problem and it is something that you have to figure out. We have to figure out how to address and make sure that we have a proactive replacement plan for those types of systems.
Jordan Briney:
And it isn’t necessarily all just Windows 7 and 2008. You can have Windows 10 systems that have flaws and outbreaks in them as well, which is important to make sure that you keep a scheduled and a consistent… patch schedule, excuse me, to be able to put that all together here, because we found that even Windows 10 is a good example of it. Prior versions are no longer supported and those could lead to gaps and holes that could lead into bigger problems for us.
Adam Devereaux:
Right or other software.
Jordan Briney:
Yes.
Adam Devereaux:
And the other thing that we put in there was IoT, other network devices. This is exacerbated by the fact that our old security model, again, not walled garden, once you have an infected thing inside of the network, oftentimes you’re able to pivot and go on to larger and larger attacks. We see there’s been a lot of video cameras that had issues. There’s talk of printers and other devices that you may not think about from an updating the software standpoint or the way that you secure those devices from people accessing them, but it can be a way to get into that network where they can continue to exploit.
Jordan Briney:
Yeah, and especially being… it could even be things, to your point about printers and stuff. It could be something not necessarily in the software behind it but the firmware. Again, any hole that potentially is left open that is discovered, that’s the intent of patching, is so that we’re able to put ourselves in positions to allow us to be able to prevent from getting into complicated situations or easy patch Windows or… excuse me, holes that we find along our circle here.
Adam Devereaux:
Yeah, so a good example of that is the SMB1 vulnerabilities that were discovered like in Windows XP a few years back. They were a major syst… organizations that were using Windows XP still, and it allowed one compromised computer to go and infect all the rest of the computers that had that vulnerability unpatched that were Windows XP. Those are the kind of cascading infections and problems that we want to try to avoid by making sure that our systems are supported and up to date as much as possible, that there aren’t unsupported versions and that we have a way of getting those updates from manufacturers, and if there are devices that we don’t really trust or they don’t need access to everything, then we want to try to minimize what they can get into, and so that’s where you start going into zero trust, which also means only the access that you need at any given time, right?
Adam Devereaux:
Don’t open it all up and you can think about this even from a user standpoint. They shouldn’t be able to get access to all files and folders. Let’s make sure that the permissions that they have are appropriate for what they need to do.
Jordan Briney:
Yep. Exactly. Now the part that we want to touch base on, just to finish this off here, is how in an outdated system environment, how do we properly protect this organization then, if we do find as we do assessments that maybe they are running other Windows 7 environments or firmware is out of date, what do we do to protect these organizations here?
Adam Devereaux:
Yeah. I think that brings us to number two, which is ransomware and malware, and if you have any questions, go ahead and put them in the chat and we’ll address those as we go along or at the end we’ll have some dedicated time for Q&A. Ransomware and malware, that’s been a big topic for a lot of years. It’s still an issue even though it’s changing and we wanted to talk about what’s going on with that.
Jordan Briney:
Yep.
Adam Devereaux:
So ransomware, one thing that I want to start with is what it is, right? And we can kind of draw a parallel to just normal real world crime, and in fact it often crosses over those thresholds in very serious ways, which it’s just basically extortion. It’s attackers, it’s somebody trying to use your business information against you or your customers and that comes in a variety of forms. In some instances it’s that they get in a foothold into your server environment, into your computer environment, and then they encrypt some of your data and then hope that you don’t have a way to quickly restore that.
Adam Devereaux:
Another thing that we see is where they try to get information like W-2s and other information out, but typically ransomware is a way to extort you and is more narrowly defined to somehow locking down your systems or your information, and we’ve seen a lot of cases recently where companies have gone out of business. They’ve paid tens of millions of dollars to restore that data, and then there was recently a case where there was a doctor’s office that got hit and not only did they go after the doctor’s office for a ransom, but they started going after the patients as well, saying that we’re going to release your information if you don’t pay us money.
Jordan Briney:
Yeah, and to that point here. Another one that struck my memory when we were talking about ransomware, was regarding the incident at Richmond Community Schools where they spent, what was that nearly $10,000 in a week now… no, the ransomware was put in place for a ransom of $10,000 and they had to shut down their school for a week after Christmas break in order to put themselves in a better position for that. Stuff like this as it continues to become more sophisticated and as it continues to become a ramping threat, you can definitely see the numbers show that price tag is getting higher-
Adam Devereaux:
Right, that’s a key point. Yeah.
Jordan Briney:
…and that you see the complexity behind what they design behind it better.
Adam Devereaux:
I think the reason why that ransom typically is going up, and there’s a lot of research that goes into this, it’s important to understand that these are people that are behind these. These are organizations that are behind these. In many ways they’re making a living off from this. There’s an ever ongoing war between the organizations and people that are trying to protect you and try to protect your systems and the people that are trying to attack and exploit you. That’s not really an exaggeration at this point and there is a lot of reason why there are countries that actually tolerate or promote this, right? Because these are resources that are valuable to them to use in actual cyber warfare.
Adam Devereaux:
What we’re seeing is that we’ve gone from more of a shotgun ransomware approach to a more targeted ransomware approach. Both still exist, right? A shotgun approach is where I write an email that looks deceptive and some examples of that might be, it’s a job posting response. So it’s like here’s my resume and it’s a Word document and you have to enable macros in order to see the content is what it looks like and then your computer gets infected. Another example would be where it’s coming from someone you know and it’s an email attachment, and this is typically where we see a lot of ransomware infections, is from email attachments.
Adam Devereaux:
You just send it out to a big group of people. You have a list of a hundred thousand email addresses you bought from online and you just send that out to everyone and it’s generic, doesn’t have any specific targeted information. So that’s what we call a shotgun approach, you just try to blast it out there and hopefully a few people will get it. The systems will happen automatically and immediately and then you get a few people to pay. The problem is that the amount of people that were paying was going down and they’ve started shifting to more sophisticated attacks where they’re researching individual companies and they’re trying to figure out a way that they can get that in there through the salespeople, through the finance users, whatever way they can get that in and in many cases they sit resident for a while so they don’t attack and start encrypting immediately.
Adam Devereaux:
They get their software into your computer systems and then they watch and monitor for a while and try to figure out how they can cause the most damage-
Jordan Briney:
Yeah, an analogy that has worked well for me in those situations is like… think about it like if you catch a bug or a virus that’s been going on, right? Sometimes it lies dormant for a while for you. You’re not really sure if you actually even have it in that instance but putting in key places and making sure that you’re there once it happens you know it’s going to happen. Lies dormant for a while until they find the time is right to be able to make that attack happen.
Adam Devereaux:
Right? If you think back to this shotgun approach, a problem was if you’re an attacker and you send out let’s say a million emails and you infect 500 people and 25 of those people end up paying a ransom, and let’s say you just asked for… what price do you set? Right? That’s kind of the challenge. Let’s say you ask for $1,000. Let’s say most of those people were home users and they were willing to pay to get their photos back, but two or three of them were businesses, and you could have asked for a lot more money, right? Because… and then that’s an opportunity loss as the attacker, it’s a bad business, right?
Adam Devereaux:
You’d need to know how much your customer’s willing to pay, unfortunately, so that’s why they want to know who they got infected and try to figure out how much they can exploit for. Even to the point that they try to figure out what kind of insurance coverage you have, because they just need to ask for a little bit less than how much it’s going to cost you to recover, and what’s happening is more people are paying. This is kind of a controversial topic in the industry, but there’s almost like a feedback loop between it being a better lower cost decision and oftentimes cybersecurity insurance providers might recommend that you pay because it’s a quicker and maybe cheaper way to get back up and running, but that success further fuels more attacks and so they are asking way more money.
Adam Devereaux:
I mean we see ransom requests of $30,000, $50,000, $100,000 if they know what organization it is. It could go north of that very easily.
Jordan Briney:
Yeah. One thing I want to touch base on. I’m a stats guy so I kind of like to know some of these things here. One of the things that stuck for me was knowing this from the source from [PhishMe 00:15:09], which said that in 2019 ransomware from phishing emails had increased about 109% between then and 2017, which essentially is important to know because you know that that attack is growing in scale. It’s growing in sophistication, so you’ve got to keep a watch for that kind of stuff for sure.
Adam Devereaux:
Which the issue there is oftentimes those become more targeted as well.
Jordan Briney:
Yeah.
Adam Devereaux:
They’re trying to find a way to make sure that the user sees it as something as relevant to them and likely to get them to actually click on it, which feeds directly into our number one threat.
Jordan Briney:
Yeah. The biggest thing that we ran into is definitely-
Adam Devereaux:
Drum roll.
Jordan Briney:
Yeah. Somebody that’s watching this just put a… get a drum roll going or something have somebody confused when they walk into your office. The biggest thing that we’ve seen is users. We like to say that we can build the biggest walls around everybody’s environment here, but at the end of the day, a lot of the biggest threats that we’ve seen come from users, whether it be lack of knowledge or a lack of capability or just that the environment wasn’t prepped for them enough and we left too many holes open in those instances.
Adam Devereaux:
Yeah. That continues to be the number one source of breaches that occur for organizations, is through user behavior and user actions. We all have bad days and as much as we want to try to protect the users from themselves, there’s no magic bullet. There’s no one thing that will fix everything but let’s talk a little bit about how they exploit your users or how you yourself may get exploited, and we see this on a constant basis and the term breach usually refers to once an attacker gets access inside your systems, and any small access oftentimes can escalate further because if they manage to log into one of your user’s email addresses, for example, and send an email as that user, then it’s very likely that they can get someone else inside the organization to do what they’re asking them to do.
Jordan Briney:
Yes. [crosstalk 00:17:06].
Adam Devereaux:
But sometimes it’s to install ransomware, sometimes it’s a very different sort of attack.
Jordan Briney:
Yep, and the big thing that we’ve seen from us on the support side of things is that once you click on that link, you provide those credentials information, that stuff can hit anywhere from sending email to 10 users to click on this PDF that does the same exact thing that that person fell for up to, we’ve seen nearly 1,200 emails just produced from somebody at this time. Luckily Office 365 has shown that they’re starting to catch these trends when people start mass sending a ton of these emails to be malicious and spamming but doesn’t obviously catch every single instance of this. Of course that threat expands as soon as they get access by one individual user, by one individual set.
Jordan Briney:
Phishing emails grow more complex and we continue to see. It could be anything from designing a link that looks like it says Microsoft Online, but then online has an [inaudible 00:18:04], it could be as simple as just doing a completely vague site, but it looks totally like the Office 365 login. There’s a ton of other possibilities that fall in line with this kind of stuff.
Adam Devereaux:
Yeah. Let’s talk a little bit about spoofing versus phishing versus spear phishing or like actually compromised accounts and what happens from that point. How would you define spoofing?
Jordan Briney:
I would define spoofing in a way that says, hey… let’s use an example. Let’s say I wanted to send an email to somebody at our marketing team and make it look like it was from you. I’m spoofing to make it look like it’s coming from adamdevereaux@worksighted.com, but I don’t have access to that domain so maybe I do like [workcited 00:18:50] and then I just like put just a T there or something. Then I send an email to our marketing department and say, “Oh I need access.” Or-
Adam Devereaux:
Can you click on there?
Jordan Briney:
“Hey can you log into this real quickly here I’m having trouble accessing something.”
Adam Devereaux:
Right.
Jordan Briney:
I make it look like it came from you, so then-
Adam Devereaux:
It doesn’t actually come from me, but it looks like it comes from me.
Jordan Briney:
Exactly.
Adam Devereaux:
That’s spoofing. Right?
Jordan Briney:
Yep.
Adam Devereaux:
I agree with that. I think that’s one of the best ways to put it. People often ask like how does this get through? How did they send an email as so-and-so? And often times it comes from people… or is addressed as or looks like it’s coming from a CEO, a president, a CFO or somebody like that.
Jordan Briney:
Exactly.
Adam Devereaux:
The problem is, it’s actually not coming from that user when it’s spoofing, it looks like it is.
Jordan Briney:
Exactly.
Adam Devereaux:
…and there may be subtle differences, and there’s tools that you can use, which was one of the things that we talked about that you can use to try to protect yourself, is there are tool sets that can try to catch those emails that are coming from the outside and trying to look like they’re coming from the inside, but sometimes it also looks like it’s coming from somebody that you may know externally as well, but that’s a big difference between when they actually do have access to somebody’s email and they are sending it as that person. It’s not always true that an email attack is a fake email. Sometimes it is a legitimate email.
Jordan Briney:
Exactly, and that’s where using the example I provided earlier where if somebody starts by… let’s just use a silly example and say that I did click on a link and-
Adam Devereaux:
So silly.
Jordan Briney:
…and logged in with my user account. Well now they have access to that stuff.
Adam Devereaux:
Right.
Jordan Briney:
So now they can send those emails as part of me. That in a sense it’s still technically spoofing, but they actually have my account and it looks like it actually was an email that I still sent.
Adam Devereaux:
Yeah. Your account is breached at that point and so [crosstalk 00:20:36].
Jordan Briney:
Exactly.
Adam Devereaux:
And all they need to do that typically for modern email systems is to know your email address and your password.
Jordan Briney:
Yep.
Adam Devereaux:
Which also gets to another way that user behavior can be an issue for organizations. There’s been a lot of breaches that have occurred because people reuse passwords. Using the same password for your business identity, for your business email that you use for other personal services, everybody knows it’s not a good idea, but yet people still do it because we all have to remember so many passwords, and what can happen is that service gets hacked and the passwords get released along with the email addresses associated with it.
Jordan Briney:
It’s important to remember that this isn’t just like all of the CEO is the biggest target of it. I mean albeit, maybe you’ll see more spam emails come from there, but even John Doe from the janitorial closet can still have a compromised email account that potentially could be utilized in a nefarious way. It’s one door that allows us the opportunity to put somebody in our wall per se.
Adam Devereaux:
We talked about spoofing tools specifically, like ATP for Office 365. There’s third party services that try to lock those down. For once somebody has logged in as someone, or protecting users from poor passwords, there are a couple of ways that you can protect yourself that we want to talk about. One would be making sure that your users are using secure passwords. That does not mean changing frequently at this point, that’s no longer recommended because pushing people to change their password frequently actually usually makes them have less secure passwords and it really hasn’t been shown to increase security at all, but what is better is unique longer passwords that have sufficient complexity.
Adam Devereaux:
We do have a passphrase recommendation, which would be that rather than have it be like a jumble of numbers and characters, longer, even if it doesn’t have as many custom characters, actually represents a more secure cryptographic hash as well. Once it’s encrypted, it’s still a very complex encryption, and we have a passphrase generator on our website that you can use; as an example, a couple of words together, oftentimes that’s easy to remember.
Jordan Briney:
Yeah, and the nice part about… To your point, passphrases to me are a lot easier to remember and the fact that they’re more secure really puts us in a better position for that. So yeah, check out if you’re not really sure or not really creative and want to create your own passphrases. We have a really, really nice generator on our website that you can utilize at any point in time to just put yourself together for that. But yeah, I agree. It’s tough to necessarily tell a user, well, okay, you’re going to change passwords every single month, because that’s when people start growing disgruntled and essentially it’s not actually as effective as maybe waiting that retention period a bit longer and designing a better passphrase solution in place of that.
Adam Devereaux:
And specifically Microsoft and NIST recommend that you do not set passwords to auto expire at this point. In fact, in many security reviews that are current with those recommendations, they actually will ding you if you have frequent password resets required. It’s interesting, it’s kind of something where that’s where you… there’s almost like this crazy story of how that became just accepted as security knowledge, and that’s something, it’s a good example of how we have to be careful about what we trust and believe will protect us. So-
Jordan Briney:
The one on our screen at the moment is a good example of a good passphrase. Maybe a little bit longer than most times.
Adam Devereaux:
Maybe a little longer. You could take.
Jordan Briney:
But that is a proof of concept though. These are things that technically are more secure than just writing an eight character password with a few dollar signs and hat symbols and everything in it.
Adam Devereaux:
Exactly.
Jordan Briney:
The thing that I think would be important to touch base, we’ve talked a lot about email phishing, but there’s more beyond the scope of what kind of phishing can really fall in play here. I’d like for us to kind of touch base a little bit more on the phone side of things. Talk about the kind of text and phone phishing.
Adam Devereaux:
All right, so that’s where we get into social engineering, which is an element of all phishing, and there’s so many different words out there, right? Vishing, spear phishing, whaling. There’s so many… people try to come up with a trendy name to describe it, but more often than not, it’s a person trying to fool you or your users in some way, and they could be doing that over the phone or by text. We’ve seen cases where that is almost the easiest to fall for. Ultimately you kind of need to know a little bit about what you’re trying to do in the organization, but that can often be a way for them to get key pieces of information or for them to log into something. They may impersonate your bank, suppliers.
Adam Devereaux:
There’s lots of ways that even with… when we look at financial systems, one way that vishing is often used, which is the voice phishing is trying to set up ACH or change ACH information, right? This is where oftentimes you have to have policies as an organization to protect you because you just need to make sure that for wire transfers, ACH changes things like that, those have to go through some sort of approval and validation process.
Jordan Briney:
Yes, and one of the things that stuck out to me a lot, and I know it’s kind of a silly example because most of us here kind of have the claim to [inaudible 00:25:56] that we’re totally not going to fall for these, but when you get called by “Microsoft” and it’s some guy on the phone saying he’s from Microsoft and there’s a virus on your computer, that in and of itself is considered voice phishing in that case. They’re trying to find a way to get into your machine and potentially do things like commit ransomware, steal passwords and credentials.
Adam Devereaux:
Lock down your computer.
Jordan Briney:
Lock down your computer, force them to pay that back. We’ve seen cases like that before, so that in and of itself, as silly as it seems and totally unbelievable-
Adam Devereaux:
What happens… sure, yeah.
Jordan Briney:
In the right circumstance, sometimes they make them crazy enough that if someone falls for it, they know that they’re in the clear because they’ve probably got the easier target per se.
Adam Devereaux:
Well, and a key thing to note of the way that social engineering comes into play here is oftentimes they try to create a sense of urgency that it’s coming from authority and they try to kind of exploit people’s willingness to help, right? I need your help with this quick. I need you to do this. This is really urgent because this came up and they try to create this urgency and this reason for you to kind of shut down some of the parts of your brain that would say, “Hey, wait a minute. This doesn’t seem quite right.”
Jordan Briney:
Like for example, one of the ones that we’ve seen frequently is someone will send an email and it might be from like a higher up, like let’s say the CEO or somebody that’s management of your company. They spoof to look like that person and say, “Hey, this is important. I need you to like go get gift cards.” Gift cards are kind of a big thing, or I need you to do a favor, is a lot of what we’ve seen around here.
Adam Devereaux:
Well, yeah and we’ve seen seasonal attacks, so it’s based around a health enrollment season. They’ll ask for W-2 information. We’ve seen it and there’s real world examples where organizations here in Michigan have fallen for email spoofs or email once a key person’s been compromised that they’re trying to get a wire transfer to happen and it has. Losses in the six figures-
Jordan Briney:
Oh yeah.
Adam Devereaux:
…in many cases, and so we do have some Tech Riffs out there, because it really the key point here is what can you do about user behavior and there are ways that you can try to make them more wary. Right? So that’s the goal, is we want to make our users more wise to the ways of the world. Right?
Jordan Briney:
Exactly.
Adam Devereaux:
And so we have some tech or some Tech Riff videos on our YouTube channel that you could check out that talk about how phishing works. The psychology of it and what are some tools and platforms that you can use to try to train users to not be gullible essentially.
Jordan Briney:
Exactly.
Adam Devereaux:
User awareness training is a key feature, a key reason why you… that you can try to protect your environment but that being said, as wary as you can make your users, everybody has a bad day where we’re stressed, we’re tired, we’re dealing with a bunch of other things and we just click and do something without thinking about it. In some cases it’s, they’re trying to exploit a very specific vector, like an email that when it comes up on your phone, it’s really hard to tell that it’s not legitimate. There’s ways that they try to make it, so even somebody who’s smart is going to fall for it.
Jordan Briney:
Yeah. This is a good time to kind of talk about how we can properly protect users, because again, we can give users master’s degrees in understanding how phishing can work, but there are still going to be those one or two rare occurrences. Let’s start with how we should properly protect an organization. What can be some tools and some utilization methods we can use to help users in this circumstance?
Adam Devereaux:
Right. Let’s say that an attacker has one of your user’s passwords and email address, whether they clicked on a link in an email and it popped up and asked them for it and they put it in, or they were reusing a password, or however that happened. One of the best ways that you can protect yourself, one of the only ways that’s really the most effective tool, is using multi-factor authentication.
Jordan Briney:
Yes.
Adam Devereaux:
If they had your password and they were trying to log in as you, if you didn’t have MFA, that’s generally all they need to get access to your email address, but if you do have multi-factor authentication turned on, they’re missing another piece of information. They’re missing another key thing that has to be there for that person to log into your email.
Jordan Briney:
Yeah, and especially in this environment right now. As we’ve noticed, common tendencies, nine times out of 10 they very likely will not account for somebody having multi-factor authentication. When you see those fake Microsoft links or you see those fake links that pop up here, most of the time they don’t account for multi-factor authentication, at which point you’re practically in the clear because, yeah, maybe your account was compromised, but they can’t necessarily execute the damage they want to put behind the account here.
Adam Devereaux:
Yeah, I would say generally it’s almost generally impossible to get past multi-factor authentication. There are a few unique edge cases where they try to spoof the MFA page or something along those lines, but those are very sophisticated attacks for the vast, vast majority of organizations out there. If you have an MFA system in place, and in fact they’re getting much more advanced, and the future looks like it’s going to be passwordless in a way too, so your users don’t even have passwords to get into these systems.
Adam Devereaux:
Multi-factor is one of our strongest recommendations to protect your business information from outside attackers, and it takes a lot of different forms. It could be that multi-factor sends a push to your phone and you approve it through your phone. Everybody’s using it these days for things like your bank accounts, where you’d have to put in an SMS code or you get some sort of verification that you have to provide to validate that computer, but the challenge there is it can be difficult. It can cost money. So how do we make sure that we get the best value out of that? And that’s where we go back to that business identity, and kind of the future of cloud security is where you’re really putting effort into securing your user’s business identity, but then you’re using that business identity to log into the other applications and systems that your users need to access.
Adam Devereaux:
Rather than having 10 different MFA codes and this complex login issue, you have one very secure login. You’re using advanced systems that monitor all the login attempts and look at all the information, and then you’re using that to get into the other apps and information repositories.
Jordan Briney:
Yep, and of course as we start wrapping up here for our webinar, one of the big things is that if you ever have any additional questions beyond what we covered today, feel free to bring these up with your sales rep. Feel free to bring these up with your account executives here. Just start that conversation to put you guys in better, more optimal situations if you feel like, “Oh, are we covered for this particular thing? Should we start having that conversation if we haven’t already had it, or maybe we did have that conversation and maybe this is kind of our last push to put us in there.” Those are important details to know, because having a secure baseline helps keep your company running at the best of its capabilities.
Adam Devereaux:
It’s really… it’s an ongoing journey. It’s an ongoing conversation. Security threats change. The tools that we use to protect are going to change as well, so it’s really important as an organization to have a security mindset and be thinking about these things, because it’s too easy to act like a teenager and think, “Well, that’s never going to happen to me.” I mean, there are so many examples right here even in West Michigan. There is an, I believe it was an [ENT 00:33:17] office in Battle Creek that closed their doors after they got hit by ransomware.
Adam Devereaux:
There are so many organizations that have gotten exploited through phishing attacks, and in many cases you’re never going to hear about it. If they don’t think that the information was compromised, a lot of organizations may never go public with the attacks that they’ve experienced, and so by some estimates this is a multibillion dollar industry in terms of what attackers are getting, and that just keeps fueling more and more attacks. There’s a lot we could say and we could really dive a lot deeper into anything, but we are really at the end of the main points we wanted to make, and we can talk about what questions you guys may have.
Adam Devereaux:
We do have a few security partners specifically, so we’re excited about that. We’re really also trying to work on our security approach and mindset. We are not a dedicated security firm in that we do only security and only assessments, but we’re trying to bring a practical operational IT mindset and an understanding of what are key things that you can do to protect yourself, and there are other resources and other companies that are doing a fantastic job with that as well that we can help work with, but these are some specific tools that we use or we recommend to help make sure that your environment is secure.
Jordan Briney:
Yeah, definitely. As we start wrapping up here, of course we’re ready to hear a couple of questions from you guys on something that we can touch base from today’s webinar to wrap things up and-
Adam Devereaux:
We have Rebecca here. We didn’t introduce her at the beginning. I forgot about that. Rebecca is on our marketing team and she is kind of the brains behind everything that’s going on.
Jordan Briney:
She’s the one who clicks all of the buttons. [crosstalk 00:34:52].
Rebecca Zaagman:
Hello everyone. Thanks for being here. Some of you have asked if we are going to send out the slides and a recording of the meeting. Yes, absolutely. I’ve got all your emails from registration and I will be sending those out. Feel free to ask questions in that little Q&A box. I don’t think I’ve seen any yet so feel free to pop in there.
Adam Devereaux:
Yeah, and apologies for the technical difficulties. We were going good through rehearsal this morning and then the live event platform we were using ran into technical difficulties, it seems at their end, so we had to make a last minute switch, but we thank you for kind of pushing through that and getting here with us today anyway.
Jordan Briney:
Yeah, definitely, and it was definitely enjoyable to engage in a conversation about security because, like we alluded to before, this is an ever changing landscape, and so are the things that we may even bring up. Like we could jokingly say that we could do another webinar about this next year and have three entirely different concepts potentially.
Adam Devereaux:
Yep. Interesting.
Jordan Briney:
So definitely is that.
Rebecca Zaagman:
All right. We do have some questions coming in. [Wendy 00:35:54] asks, are there examples, websites or other options for sending to users to test phishing attacks and educate them?
Adam Devereaux:
Yes, and in fact we are currently probably switching some of the ways or tools that we use for that as well. There’s really more than one provider. KnowBe4 is a fantastic provider that’s out there, but the key thing is if you use a phish test or security awareness tool, then it’s really important to make sure that it’s actively managed and that somebody is really championing that, and in some cases we run into problems where it doesn’t really have the authority behind it.
Adam Devereaux:
It really takes organizational buy-in to make sure that the managers, HR, everyone else is kind of on board with this being something that’s really important and a key part of your curriculum as an organization, because if you, for example, are sending out these training links that people need to register for and log in and take that training, and they’re just like, “I don’t have time for it,” what are you going to do at that point as an organization? You need to make sure that that’s something that you really have a strategy behind and the whole organization buys into.
Jordan Briney:
Yeah, and even engaging in an important meeting to discuss some of the common traits that you’ve noticed here or provide some examples. Have that communication internally with your team. Put everybody on board. Those are also general first-party things that you can do, and then we have some third-party stuff, like one of our things right now is KnowBe4, and we’re still deploying that out to clients at this time to go through some user training as examples here. But as it’s constantly evolving here, it’s always recommended that engaging in those conversations with your personnel is important as well, because sometimes when you tell your marketing person that security is definitely important, they’re not going to listen to you the first time. Giving them some proven examples might help vindicate why exactly this should happen.
Rebecca Zaagman:
I’m not sure why you’re dogging on marketing so much. I’m taking personal offense to that.
Jordan Briney:
I don’t think I have anything to say about it.
Adam Devereaux:
It was just circumstantial [crosstalk 00:38:01].
Jordan Briney:
Just a general example.
Adam Devereaux:
Exactly.
Rebecca Zaagman:
We’ve got another question from Mark. Any Mac specific attacks your team has heard about.
Adam Devereaux:
When you look at exploits, the Mac environment typically has been a smaller vector, but there certainly have been some malware and viruses that have had success in the Mac world. Apple typically is fairly active with that. I think that as far as phishing, oftentimes they’re not going to necessarily know that you’re accessing from a Mac, so they’re more likely to exploit the services that your users are using. A good example of that is if you’re using Google Apps or using Office 365. A lot of the phishing emails that get sent out try to look like some sort of official Google App or Office 365 login or email address, and whether you are in Outlook on the Mac, Outlook on the PC, or Outlook on the web, for example, it could look really convincing and fool you.
Adam Devereaux:
When we talk about the different sectors of these security concerns that we have, phishing isn’t as much PC or Mac specific. When we go back to ransomware and malware, there are specific PC or Mac variants. I would say the general adage that there are fewer viruses tends to still be true in the Mac world, but there have been some notable exceptions in the last couple of years.
Jordan Briney:
Yeah, and that’s just kind of touching on what we talked about before with outdated systems. I mean, you can still keep your system out of date, and yeah, Apple does keep a pretty proactive listing of how they manage their security, but that doesn’t mean that you still don’t have [Joe Schmo 00:39:40] who hasn’t upgraded their system in three years or something, as an example, and there was a key security flaw that they found and they’ve never patched since then.
Adam Devereaux:
Well, and Macs typically have a longer life. People will use them for a longer period of time, but you really have to be careful if you’re using an older operating system. If your Mac is no longer able to upgrade to the newest macOS, that can be a concern, but really this reminds me of something that I wanted to talk about a little bit before too, which is in regards to disaster recovery. There’s a NIST framework, and NIST is a governmental body that really is involved in security, that they call identify, protect, detect, respond and recover, and this is kind of a general framework for how you can think about what area these different tools fall in and whether you have protections in each of those areas.
Adam Devereaux:
Identify is where you want to identify what you need to protect and identify threats. Protect is where you protect via various systems that have active protection, and then there’s respond and recover, and the key thing I just wanted to talk about was the recover part. Whether you’re a personal home user or you’re a business, you need to make sure that you have a backup and disaster recovery strategy in place, and I’ll just say, based on the timeframe that we have right now, the most important thing is to make sure that you have a disaster recovery strategy that takes into consideration the types of threats that are out there. Make sure that the disaster recovery system and plan itself is protected from those, and that it’s tested, and you know that you’re able to recover in a timeframe that you have documented, because there’s always a cost. There’s almost always information loss when you talk about recovery, whether it’s a day or a couple of days.
Adam Devereaux:
There’s a cost to that, and it’s better to map that out and understand upfront what recovering from a major disaster looks like than to find out in the midst of a major disaster.
Jordan Briney:
Yeah, the way I’ve thought about this with people before is if you find out it costs you $2,000 to prevent a $10,000 attack, would you not want to invest into that kind of infrastructure?
Adam Devereaux:
Yeah, I would ramp that up, right? If it costs you $20,000 or $200,000 to protect you from a million dollar or $10 million cost.
Jordan Briney:
Exactly.
Adam Devereaux:
And that’s not really an exaggeration because typically the impact of a major problem is always more expensive than what you think upfront. It’s always more difficult to recover. It always takes longer to recover. Most organizations would go, “I think… we could be back up in a day.”
Jordan Briney:
Right.
Adam Devereaux:
And so often the reality is three, four, five days to try to get back up to full operational state.
Jordan Briney:
And what’s your net revenue in that day? Someone will be-
Adam Devereaux:
In fact, the cost to your reputation can be incalculable in some cases. Yeah. That’s a main point that I forgot to talk about before, but we want to continuously stress disaster recovery, because a disaster can include security breaches as well.
Jordan Briney:
Yep.
Rebecca Zaagman:
We did have a question on, I think you guys touched on this, but on the controversial topic of paying ransomware, especially with the growth of the extortion component to leak data in which then others data is more at risk and now breach notification law comes into play. That’s a really big question, we only have a few minutes. What’s your one minute response to that?
Jordan Briney:
I would say a summarized version of it is that the intent is that you want to avoid paying that ransom as best as possible, but sometimes businesses will make the assessment and say, well, if I spend $50,000 now to, well, allegedly get my data back, maybe that’s the better solution. That’s again touching base on the proactive versus reactive side of things.
Adam Devereaux:
Right.
Jordan Briney:
Creating those disaster recovery strategies and implementations is how you save yourself from needing to spend that $50,000 that’s needed for that disaster recovery. Putting yourself in a position that, at the very least, you’re going to be able to make recoveries and get yourself back as quick as possible is going to be a better focus.
Adam Devereaux:
Know that you can recover, know what it’s going to cost you to recover and how long it’s going to take. Don’t put yourself in a position where you could have to pay the ransom, but the reality is, in the business world, and the larger the business is the more likely this is true, what’s the primary decision maker’s justification? It comes down to money, right? If it’s cheaper to pay the ransom, you know that a lot of businesses are going to end up doing that, and that’s the reality that we’re seeing. It is controversial because there are some reports coming out that are seeing that it’s almost like a cycle, where because insurance companies are oftentimes recommending that the ransom be paid, that’s driving more attacks.
Adam Devereaux:
I think the research is not necessarily conclusive, but the reality is that there are many cases where individual actions, selfish actions, are right for the person but bad for the overall economy or global business world, and this is another example of that.
Jordan Briney:
Exactly. You have any other questions? All right, well we thank everybody for-
Adam Devereaux:
Well, we’ve got a few things here.
Jordan Briney:
Ah, yes, thank you.
Adam Devereaux:
Our next webinar we’re going to be doing February 27th, and we’re going to be talking about cloud storage. We don’t have our official title yet, but we’re going to talk about what’s happening with cloud storage right now. Cloud file storage, kind of the pros and cons, what it really works well for or what areas perhaps there are still challenges, and then we’re also having a live security event on March 5th at Terra Square, which is in Hudsonville.
Jordan Briney:
Yep.
Adam Devereaux:
And that will be a security event as well. Again, we’re going to be looking at monthly for these webinars. After the 27th we’ll always let you know ahead of time what the next date is going to be, and we thank you for joining us.
Jordan Briney:
Yeah, and just one little note before we run away, too. If you guys feel like you want us to address a specific topic, a discussion that would be worthwhile in a webinar, feel free to contact us or contact-
Adam Devereaux:
And how should they contact us, Rebecca?
Jordan Briney:
Well, that is a perfect question.
Rebecca Zaagman:
You’ll see on the screen my email, becca@Worksighted.com is the best way to do that. I’ll also follow up an email with the recording with the slides as well as a link for suggesting topics for future webinars.
Jordan Briney:
Perfect.
Adam Devereaux:
All right. Great. Take care everyone.
Rebecca Zaagman:
Thanks everyone.