UB Insider #29: How to Keep Your Company—and Yourself—Safe from Hackers
About this episode:
These days, being a victim of cyber attacks is a matter of when, not if, and considering how much sensitive information is transmitted online, that can be pretty damaging. But there are some basic steps every company (or individual) can take to keep from being a target. In this episode of UB Insider, Phil Richards, Chief Security Officer at LANDESK, has some tips for safer connectivity. Subscribe or download this episode on iTunes and Stitcher.
Lisa Christensen: Hello and welcome to UB Insider. I’m Lisa Christensen, online editor at Utah Business magazine. October is National Cyber Security Awareness Month, and with news about hacks on major companies becoming almost commonplace, it’s worth taking some time to see how secure you or your company is, especially considering how much data we have on our computers, our phones, or on our clouds.
Phil Richards is the Chief Security Officer at LANDESK and has more than twenty years of experience in senior positions within the industry. Thanks for coming in.
Phil Richards: Thanks, Lisa. It’s good to be here.
Lisa Christensen: So when we say cyber security, it’s a fairly broad term. What do you consider cyber security to be?
Phil Richards: Well, I guess I think cyber security is primarily about the protection of our online, connected life.
As you know, we use many Internet connected devices to handle our daily activities. We oftentimes look on Facebook, send messages to friends or make purchases on Amazon or hundreds of other activities. It’s possible that criminals will want to access this activity for their own purposes. Additionally, cyber security deals with the electronic devices that store our information, whether they’re online or not. And I guess cyber security is all about keeping that data safe as well. So there’s an online component to it and there’s also just a device component to it that stores so much of our daily life.
Lisa Christensen: So the online component being the information that you give websites and the offline component being the information that we have stored on the hard drives of our computers or on our phones?
Phil Richards: That’s right. Exactly.
Lisa Christensen: I’ve heard that in terms of websites being hacked, or attempted to be hacked, it’s not a matter of if, but when. Is that true? And what kinds of factors have contributed to this kind of high-risk environment?
Phil Richards: Well I think the reason why security experts say that it’s not a matter of if, but when, is because they want to underscore the reality that any computer system that is available over the Internet is vulnerable to something. Some systems are far more vulnerable than others, but the only truly secure system is one that isn’t connected to the outside world. Although, usually there is someone who can get into any system.
Most of the time, systems that have good, basic security (the term from an IT perspective is “hardening”) are much more difficult to breach or get into. And there are a lot of things that you can do to protect yourself or make yourself a less enticing target. Many companies employ systems to help them detect attacks while they’re happening. And these early detection systems can also help limit the extent of damage when an attacker strikes.
Lisa Christensen: So you mention making yourself less of an enticing target. What kinds of companies or organizations are more enticing targets just by virtue of what they do?
Phil Richards: Well, first of all, to be clear, cyber attacks can happen to anyone. Over the past 12-18 months, there are certain industries that have been hit much harder than others, particularly industries like health insurance, hotel chains, big box retailers and restaurant chains. They’ve all been hit much harder than they have in the past.
Banks and financial service companies have been interesting for an awfully long time and, of course, they still get hit quite frequently. That’s because that’s where the money is. The interesting thing is that of all of the breaches that occurred in 2015, in about 70% of them the companies were actually notified by either the FBI or American Express or Visa that they had been attacked. So most of the time, these companies don’t realize that they’re being attacked until somebody else tells them that it’s happening.
Lisa Christensen: Why is that?
Phil Richards: Well, a couple of different things. First of all, the reason why the credit card companies know that it’s happening is because they are really invested in finding these patterns. They’ll see a lot of fraudulent charges. And one of the first things that they do is that they kind of back all of these credit cards up to some common purchases. They’ll find that there have been a thousand fraudulent charges and all of them previously stayed at a particular hotel chain or something like that.
So the credit card companies are obviously very invested in finding that information out, the same with the FBI. And the reality is, most companies don’t do an adequate job of detecting those kinds of breaches. And so they tend to depend on Visa or law enforcement to be able to find that out for them.
Lisa Christensen: That must be an incredible algorithm that lets Visa recognize that all of these people who are reporting fraudulent charges, or who they have detected fraudulent charges for, shopped at Target or wherever.
Phil Richards: You know, it really is. And as you’re probably aware, you’ll get a phone call from Visa or American Express every once in a while saying hey, we detected a fraudulent charge or a charge that doesn’t appear to be right on your credit card. And that’s part of that algorithm that you mentioned. Visa is on the hook to lose an awful lot of money to the bad guys, so they take that kind of seriously. They want to make sure that the charges are likely to go through.
Lisa Christensen: So going back to the idea of making yourself a less enticing target, and also what you mentioned about companies not doing an adequate job of detection, what are some basic things that companies or organizations can do to give themselves a little protection or mitigate their risk?
Phil Richards: You know, there are a lot of organizations that tell companies how they’re supposed to organize their information security and some of these organizations, the recommendations and requirements go into the thousands of pages. There’s an organization called the Center for Internet Security that has identified twenty controls. And these are based on industry best practices and things that actually work in the field. And they’ve prioritized those things so that the first five of these twenty tend to be the most important fundamental controls that a company can use to improve their own security.
The first two controls are all about getting an accurate inventory of your devices, knowing what’s on those devices from a data and a software perspective, and then being able to make sure that you’re applying timely patches to those devices. The reason why that’s important is that you really can’t protect devices, meaning computers and smartphones and things like that, unless you know that they’re there and that you have to protect them. So that’s one of the more fundamental activities, just getting an inventory and patching of your devices and your software. That’s the first two.
The third one is called end-point configuration management. What that means is being aware of and making conscious decisions about things like strong passwords, lockout times, login protocols and controlling what applications your users have access to. Number four is about carefully evaluating and granting administrative rights on your systems. You want to give people the access they need to do their jobs. But when fewer people have privileged access, the ability to change things in your system, you lower your own risk and you make your systems easier to defend.
Lisa Christensen: So that’s the reason why, for example, I’m not allowed to download the latest version of Flash on my office computer?
Phil Richards: Right, yeah. That’s kind of one of the unfortunate byproducts of limiting that kind of access. And it’s a tough balance. You’re trying to make sure that people have enough access so that they can get their job done, but at the same time, more access just means that when the bad guys get into your system, they might have the ability to do more damage.
Lisa Christensen: Okay.
Phil Richards: Then number five on this list is called vulnerability management. And vulnerability management is the process of identifying and fixing specific issues on your internet-facing systems. Basically, the process is to run a scanner on your systems which identifies the ways that a cyber criminal could get in and then you fix whatever the scanner tells you.
These scanners are available, you can run them directly from the internet, you can purchase a scanner software that you can load onto hardware in your environment and then run it that way. Some of them are fairly inexpensive. You can do ad hoc scans for free, as a matter of fact. That’s a good way to understand what kinds of vulnerabilities you have in your environment and what you need to fix.
Lisa Christensen: So it seems like a lot of those measures that you can take are kind of looking at protection from a means of securing the greater part of your data and your system in the event that one of your devices or one of your people is a weaker link.
Phil Richards: Right. Just like everything, the adage that we’ve all heard that a chain is only as strong as its weakest link. In cyber security, it’s very much the same. We have to protect everywhere that a hacker or a bad guy might get into because the one thing that we don’t protect is guaranteed to be the place that they will find and they will get in. So you have to make sure that you’re protecting everything as well as you can.
The other thing that’s important to remember is that these defenses aren’t holistic. They don’t cover everything. So security works on this model of defense in depth. You apply layers of security, because no one security protocol, no one security measure, is going to fix everything. So you have to kind of layer everything around so that everything gets covered eventually.
Lisa Christensen: So are there any advanced things that I could do if I were say, in charge of a company that handled a lot of sensitive information? I mean, if I had a company that handled a lot of sensitive information I’m hopefully already doing these.
Phil Richards: Sure. Going back to those top twenty controls, as soon as you’ve implemented the first basic five controls, the rest of those top twenty controls offer more advanced protections. These include network controls, antivirus and antimalware, data loss prevention systems, and you can put together email gateways.
There are these products called SIEM tools. SIEM is an acronym and it stands for security information and event management tools. That’s a long way of saying you want to make sure that you’re looking at all of the logs that get generated off of your computers and having a system that parses through your logs to find evidence of breach activity. Also, user training is incredibly important. And then there’s this whole set of activities called penetration testing activities. And that’s all about having a third party or a remote group actually try to hack your systems and finding out what they’re able to get into and what defenses need to be improved in your environment.
Lisa Christensen: Now, conversely, just talking about people individually, I’ve got a laptop, I’ve got a smartphone, you’ve got an iPad or another tablet, we keep a lot of information on those. And some of those controls that you mentioned don’t quite apply on a personal level. So what are some things that people can do individually on their personal devices to keep from getting hacked or otherwise attacked?
Phil Richards: Well, one of the more important things that we can do for our individual devices is to keep all of the software updated on those devices with the latest security patches. As an example, Microsoft comes out with a set of security patches every month on a day that they call Patch Tuesday. Patch Tuesday is the first Tuesday of every month.
So you want to make sure that your systems are configured so that they are receiving these automatic updates. And you can look on your system for automatic updates and just make sure that that’s enabled. That will take you quite far down the road of being much more secure, because the lack of those patches is what the bad guys exploit.
Another part of patching your system is this whole idea of getting rid of obsolete software. Obsolete software is software that is no longer supported by the vendor. For example, Microsoft no longer supports patches for Windows XP. So leaving programs or operating systems like that on your system leaves your system vulnerable.
Lisa Christensen: So if I had an old laptop that still ran XP I should probably not use it to surf the internet anymore?
Phil Richards: Yeah. So let me just illustrate that with a particular story or a point, I guess. The top ten vulnerabilities account for 80% of the breaches. Now what that means is that there are ten specific types of exploits that account for 80% of the breaches last year. Of those ten, two of them were Microsoft Windows XP specific. So two of the best ways for bad guys to get into your system depend on the fact that you’re running Windows XP on your machine. So yes, it’s important to not use some of those older tools.
There are a few other things that we can do for our individual machines that will help. One of them is that when it seems that your computer is compromised, or if you’re worried about it being compromised, you need to fight the urge to immediately check your accounts on that computer. It sounds kind of silly, but people get kind of panicky when they believe that their system has been compromised. So I’ve known several people who will say to me, well I was worried it was compromised so the first thing I did was log into my bank account and check it. You need to fight that urge, I suppose, is the best way to say it.
There are some things you can do when traveling, by the way, that will also help to keep yourself protected. Traveling is particularly dangerous. One thing to do is to avoid using computers at internet cafes or libraries or other public places, especially when you’re trying to log on to do banking or something else or email while you’re traveling. Another thing you can do to protect yourself while you’re traveling is to practice good email hygiene. What that means is you’d want to try to stay away from clicking on links in your emails and things like that.
You’re probably aware of this kind of rampant type of malware called ransomware that’s going around. Almost exclusively, ransomware is delivered through email. So if someone sends you an email that looks the slightest bit fishy or off or something like that, you certainly don’t want to click on that. You don’t want to open those links. You don’t want to click on the fluffy kitty videos or anything like that from those emails. A better practice is to look at the email link and then open your browser and then type in the place where you’re supposed to go, if you’re confident that the link is going to be secure. That way you can’t be redirected somewhere else.
Some other things that you can do: make sure that you have good antivirus and antimalware software on your systems. Windows Defender is free for most Windows installations. And there are other inexpensive or free services that are available.
Another one that I do periodically, about once a year, is I will change my credit card numbers. So I will call the phone number on the back of my credit card and report that my credit card is suspected of having been breached. And they will cancel that credit card and within a few days I will get a new number, a new credit card, a reissue with a new number. Since there have been so many breaches recently of retail organizations, if you travel a lot it’s highly likely that your credit card information has already been captured by some nefarious people. A quick and easy way to make sure that that credit card number is of no value is to just cancel it and make sure that that number isn’t useful. What they steal is the actual numbers. So by changing the number, the old number is invalid and it doesn’t do anything for them anymore.
Lisa Christensen: And you mentioned that those are tips that you can use while traveling, but it sounds like a lot of them would also apply for just everyday use.
Phil Richards: Regular good hygiene, absolutely. There are a few things you can do also, to protect yourself. I know that I personally get concerned when I’m in a hotel and I pull out my computer and I’m logging onto the hotel’s Wi-Fi network. That kind of makes me nervous. There are a few things people can do to kind of insulate or secure their systems from that.
One of the things that I do is use a travel Wi-Fi access point. There are several of these on the market. It’s a little box. I personally use one that’s called a Hootoo TripMate. That sells for about $30. Hootoo also sells a different version that’s $17 on Amazon. This device makes it much more difficult for a would-be attacker to access your computer. The best they can do is they can access your Wi-Fi adapter. It’s basically a replay of the hotel’s Wi-Fi. So you’re not actually joining the hotel’s Wi-Fi. Your little device is joining the hotel’s Wi-Fi and you’re joining the device’s Wi-Fi. And that second level of indirection means that other people in the hotel can’t see your computer.
Another thing you can do in a hotel is use what’s known as a VPN service. VPN stands for Virtual Private Network and it encrypts all of your internet traffic from your computer outward. Many companies have VPN as a part of their internal security. So if you’re logged in for work, you might already have a VPN that is being used. If you’re traveling for fun, however, and you’re not connected to work, you can subscribe to a public VPN service for about $7 a month. This is used to encrypt your traffic so that nosy network neighbors can no longer see what you’re doing.
Lisa Christensen: Okay. What is something that many people misunderstand about the world of cyber security?
Phil Richards: Well, I think that too many people buy into the idea that since you cannot protect yourself 100% from hackers, there’s no reason to do anything, or that it’s too complicated or too expensive to protect yourself. This is just plain wrong. You may not be able to defend yourself 100%, but you can certainly affect the impact, frequency and damage an attacker can cause to you by implementing some safeguards. For businesses, not protecting your systems puts your customers’ data at risk, it puts your own intellectual property at risk and you’re not being responsible to your customers and shareholders. So even though you can’t really protect yourself 100% with any one strategy, by layering a few strategies at a relatively low cost, you can do a better job of being responsible to your customers and your shareholders.
Lisa Christensen: So you can’t protect yourself 100%, but you can make them earn it?
Phil Richards: You know, there’s an old story about two guys that were running away from a bear. One guy says, I can’t outrun this bear. The other guy says, well I don’t have to outrun the bear, I just have to outrun you. To some degree in the cyber security world, that’s kind of true. Criminals look for targets of opportunity. If you become a more difficult target, you’re less likely to be bothered. It’s certainly not a guarantee, but it’s the law of averages. And you can apply the law of averages in your favor, I guess.
Lisa Christensen: Okay. Well thanks so much for coming in Phil.
Phil Richards: Well thank you, Lisa, for talking with me. I’ve enjoyed it.
Lisa Christensen: I would also like to thank Mike Sasich for production help. Let us know what you thought of today’s episode by emailing us at firstname.lastname@example.org or reaching out to us on Facebook, Twitter or Instagram at @utahbusiness. You can also subscribe to our podcast and catch up on old episodes on iTunes and Stitcher. Thanks for listening.