There is no such thing as a safe place. Given all the recent occurrences of hacking and penetration in Yahoo, Experian and other tech giants, it’s high time we look at business cyber security as an increasingly urgent issue. Joseph Cheung talks about the issue and the broad-term challenges with cyber security. What information are you putting out there? Are you okay if a convict or some “prince” in Nigeria gets access to that information? Essentially you’re leaving little pieces of your personal puzzle out into cyberspace, whether it’s your personal puzzle or your company’s puzzle.
Together with Morgan Nolan, Joseph runs Toggle Industries, a company that educates companies to stay vigilant of threats, and to develop strong fundamental mindsets for data protection.
Watch the episode:
Listen to the podcast:
Business Cyber Security With Joseph Cheung
We’re doing something a little different. We’re going to have a special episode, given all the recent occurrences of hacking and penetration in Yahoo, Experian and so on. I’ve got Joseph Cheung and Morgan Nolan from Toggle Industries coming in to talk us about the issue and the challenge with cybersecurity, a broad term. Some of the things that you can do and basically, it’s going to be a wide ranging discussion and hopefully when we’re said and done, there are some things that you can pick up that you can do where you’re not the tallest person in the foxhole. With that being said, Joseph, Morgan, thanks for being on the show.
Thank you for having us.
We’ve had one event after another, from Deloitte getting hacked, NSA is getting hacked, Experian, which is on top of everybody’s mind, that’s half the population in the United States. From what you’re doing in your field and what you’re hearing from your customers, what are you hearing?
One of the biggest things that we hear from our clients is why is this happening? Why is nothing being done to solve these problems? A lot of times we see, especially with Experian, we’re all sick of hearing the fact that Yahoo has gotten hacked. We keep hearing that and we’re just so tired of it. A lot of our clients are asking us, “I know I have the service with you and thankfully nothing has happened to us thus far, but how can we help our colleagues in industry? How can we help our fellow neighbors in the ecosystem? How can we prevent those incidences from happening to our colleagues?”
We keep trying to tell them, “All you have to do is continue to be educational within your staff, educate your clients as well as to have a good fundamental mindset and honestly, be vigilant.” A lot of times the clients, they don’t realize that their personal cyber security is literally in their fingertips. If they choose to disclose X information or if they choose to sign up for Y service without looking at the potential repercussions and when I say repercussions, you’re registering for a newsletter, for recipes or you’re registering for what may be perceived as free ABC. It doesn’t matter.
You think that by giving out your @gmail, @yahoo, @whatever email account or by providing some nonsensical information, you think that it’s free to you, but in actuality, what are you sacrificing? A lot of the times we have these very frank conversations with our existing clients and for the mini seminars that we do. As a matter of fact, we have two coming up and we always ask those questions. “What information are you putting out there? Are you okay if the person in jail or anywhere else or some prince in Nigeria gets access to that information? Are you okay with that?”
Most people, they don’t think that someone is going to get access to their information. You always have to think of the most unsavory individual or the most unsavory organization getting access to the information that you’re willy-nilly putting out there. Is that information you really want out there? Essentially you’re leaving little pieces of your personal puzzle out there, whether it’s your personal puzzle or your company’s puzzle. Eventually, an organization, an entity, an individual, they’re going to cobble all these pieces together and have not necessarily a full picture, but they can use what they have to social engineer, reverse engineer and gain access to your sensitive documents. The way I always tell people is everything that you own in terms of your information, everything that your company does as well as how it does its business is sensitive information.
Morgan, you’re interfacing with your customers. What are you thinking about the Equifax and for the average person out there, how should they think about it and what should they do?
I believe we’re talking about the Equifax. I feel like sometimes in this world we’re sitting here going Yahoo, Experian, Equifax, it was all clouds in our minds here. Equifax, it’s a very unfortunate incident. The last statistic that I heard was 143 million Americans were compromised. That’s over 44% of our entire population and we’re running around 325 million right now. I heard, however, I believe it was yourself who stated it that it’s looking like it’s more around the 145.5 million mark now. It’s really unfortunate and we have to ask ourselves, these companies and for their specific situation, it’s a company that we didn’t elect necessarily to give them our information. We didn’t say, “I trust you with it. Take care of it for me.” No, it was given to them before we even had a say in it. Now, we’re sitting here with ourselves saying, “I’ve been hacked. My information’s gone.” It hasn’t necessarily been used yet but, “Where did I sign up for this? Why aren’t they taking care of my information?” It’s unfortunate.
We’ve looked into it. I took a look myself. My family and myself have been subject to the data loss as they put it, or they “suspect” it has, whatever you want to call it. What we have to do, what we have to look into is how are we going to protect ourselves at this point? 44% of the people have lost their information. What is that going to do to us first off? What information have they taken? What can they do with that information? We also have to look into what we’re going to do to try to be able to protect ourselves. There’s no perfectly clear answer to that. You can freeze your credit score, that’s one thing that you can do. That’s one thing that I know a lot of clients have.
What the person would do is they would go to their credit reporting, TransUnion, whoever?
What you can do is you can either go through a service. You can go through Equifax itself if you want to trust them with that again, however, I will make one big stipulation about that. If you do use their free credit monitoring that they’re pushing out to people, you will end up waiving any rights that you have to claim any losses. If you want to make a claim against them, if your information is stolen, whatever the case is, if you use their free software, you are waiving all rights to that. That’s very fishy in my personal opinion.
I’ve heard there’s been a bit of an outcry about that. I don’t know where that’s going to end up at. If you take and block your credit report, in your understanding, what does that do for the person that just blocked it?
Essentially what that’s going to do is that’s a deterrent. It’s not a fix all, it’s not something that’s going to cause them to not be able to do anything with the information they have. All it will do is it will make it more difficult for them. Not being the tallest guy in the foxhole, that’s one of the ways you can do that. What it will do is it will supposedly freeze your credit score where it is. It will make it much more difficult to open any new accounts, more difficult to get any new loans.
More difficult to start a credit card, which is a lot of what people are afraid of right now is that somebody is going to open an account or someone’s going to open up a credit card and start charging like crazy. There’s going to go my credit score. That’s one of the things that you can do. Unfortunately, it’s not perfect. There are very few things in this world anymore that are perfect. Freezing your credit score can cause some amount of difficulty which can help you. That’s the big situation there.
The other thing that you can do is you can sign up for some credit monitoring, like your LifeLock. I know there’s quite a few of them out there that will assist you. Basically, what that does is it’ s very similar to being sick. You want to know that you’re sick as early as possible so you can do something about it. That’s what those services are doing for you. They’re saying, “Somebody is trying to use your information and we’ve picked up on it now right when it’s starting to happen so we can do something about it now,” instead of six months down the line, you find out that you’re responsible for $150,000 credit card bill for a credit card that you didn’t even open. The problem is, is you have to go to the United States Government. You have to go to the credit card company and say, “That wasn’t me,” and now you get to prove it. If you can’t prove it, “Congratulations, here’s your bill and good luck.”
Simple things to do, you can block your credit score, you can engage in outside monitoring service. You think about the environment that we’re swimming in and at this juncture, there’s not much we can do about what has happened. Our social security numbers are compromised. I can’t go file for a new one as far as I know. It’s not like a credit card that gets lost or stolen, you can’t change the number. Here we are. There are certain things that we can do. For the business owner, simple things that a normal small business owner can do to perhaps lower their risk profile?
One of the first things I would recommend people look into is taking a look at their DUNS numbers, if they have DUNS numbers. Not everyone has.
What’s a DUNS number?
A DUNS number is a Dun & Bradstreet Number. A lot of organizations who do business with the government, they require a D&B number. Equifax isn’t a corporate social security number organization. However, many individuals starting out their businesses, they fund their businesses using their personal SSNs as personal guarantors, PGs. Through that relationship, they now have a D&B number, which is also in some way, shape or form, tied in to their personal information. From that perspective, it’s incredibly important to not only look and monitor your personal Social Security Number, but also be proactive and look into and maybe even pay for report or request a report from Dun and Bradstreet to identify, “Have there been any inquiries onto my business profile?”
I don’t disagree with what you said. On the personal end, if your information was stolen, you’re between a rock and a hard place at the moment. If you go ahead and you take a look into those free credit monitoring, if you keep track of your own credits score and what’s being opened up in your name, so on and so forth, that will help. What I recommend for your business is looking into organizations who provide some cyber security education, whether or not it’s ours, whether or not it’s a different one, whether or not you’re looking it up on your own. Granted the cyber security companies are going to know a little bit more than what you’re going to be able to find and be able to tell you fact from fiction.
It’s worth it for your organization to get trained on cyber security. I’m going to give you a story. It’s based off of many true stories. The names and everything are changed. You have Jill from payroll and Jill gets this interesting email from her CEO. His name is Mark. Mark says, “Jill, I want all of your records. I need it for this report. I need it now. I need it done. Send it to me.” Jill’s thinking, “This is weird. I’ve never had Mark asked me for this before, but he seems pretty anxious to get it. I better send it there or I’m going to be under hot water.” Jill packages it up for him, sends it over. She picks up the phone, calls Mark and says, “Mark, did you get the payroll information? I just sent it over.”
Mark goes, “What are you talking about? I didn’t ask for payroll information.” Its little things like that, making the call before versus after, trying to spot this email, figuring it out. This is weird. I need to look into this before I send out this information because it’s a simple thing that can happen. You want to protect your job, you want to make sure you’re being efficient, you want to make sure you’re doing the best you can. Let’s say our company has 150 employees, “I’m responsible for every single one of their information. I’m responsible for the information of the clients. I’m responsible for the distributors, so on and so forth. I need to make sure I’m doing my due diligence to protect them.” Maybe your boss is going to be irritated, but at the end of the day if you tell them, “I was making sure that I’m keeping everybody in this organization safe and keeping our name clean.” No boss can be too angry at you for that.If your information was stolen, you're between a rock and a hard place at the moment. Click To Tweet
You have basically some policy or procedure for personally identifiable information. If you’re going to send it to the boss, you encrypt it.
In that specific case, if it looks weird, if it’s something that’s not normal, call your boss first. Say, “I just want to confirm this is you before I send this off.” In that case, a hacker had broken in either to the server itself and used the email or had created an email that mimics Mark’s. It looks almost the exact same who sent out the email and she sent it off because it looked like his. What I would do is I would make that phone call and say, “Mark, are you looking for this? This is weird. You don’t normally ask for this information. I just want to make sure.”
It’s the old see something, say something that we hear so much about nowadays. Rudimentary things, they tell you to have this antivirus or that antivirus or this cleaning software or this software installed on your computer. To our chagrin, we find that some of that’s compromised or affected to some extent. At a minimum, for the average business owner, what do they do? There’s one particular software that I won’t name that apparently is now been recommended not to use because it’s supposed to be affiliated with some foreign government.
Essentially, what I’ll tell you is we tell all of our clients. It’s brand new, even people who just come in to consult with us. No solution is 100% impenetrable. No solution is 100% perfect. The one way that you can make sure that that solution is being used to the best of its abilities is by making sure that your employees are using it to the best of their abilities as well. Going through getting that corporate cyber security education, going through having a consultation done, we do consultations for free. We’ll go and take a look at your business, see where your risks are, see how your business is being run and give you even just, “This is what you should do.” Call it a company handbook if you will. We’ll help you write that.
Where you’ll go through and say, “This is the practice that we need to do in this certain situation. This is the type of thing we need to look for. This is what we need to go through before we send off all of our employees’ information.” Education can be immensely effective in protecting your clients, your companies and your personal information, just being educated about it. That’s what I always recommend is that you go through, you have a consultation done, and you get some corporate cyber security education. It’s not cheap. You’re going to go to any organization and they’re going to want to make some money off of it. It’s a business.
It’s expensive or lose your data for several days. Be unable to function in your business for a few days. What’s the cost to you as a business owner if you take and have a breach in your customers’ data goes out the door?
Have you ever seen a really nice car out there, a Ferrari or something? Think about four of those. I say that jokingly, but it is incredibly expensive depending on what organization you’re in. Let’s say you’re a doctor’s office and you lose your patient files and they can prove that it came from you. You just violated HIPAA right there. What we’ve seen on average is each breach of each individual internet of things, and object in your office, let’s say your personal computer, your secretary’s computer, your iPhone. Your secretary’s iPhone, maybe you have three employees who also have computers. We’re looking at about eight devices right there. It has been estimated that the average cost per device is $250,000 for a business. If you have eight right there, you lost $2 million.
Just in the practical terms, the reputational damage.
That does play into the quarter million. It’s reputational loss, loss of business, lawsuits, fines by the government, it goes up and above. The problem is, you say, “I lost $250,000 because of my lost reputation, how long is it going to take you to get that back?”
You look at that and the business owner or the individual looking at this going, “I can’t bring the phone in the office. Don’t communicate, don’t text,” basically, all the stuff that you see all day.
I don’t want to scare anybody, but unfortunately I’m going to give you the 100% honest truth. There is nothing we can do at this point to limit or to not be on the internet. We could go live in the mountains. I never had technology. You were born in that information has been processed by the hospital, which then got processed by another company, so on and so forth. Irregardless of what you think of the guy, President Trump came out and stated that cyber security and cybercrime is the number one growing threat in the United States. You can think the worst of him, you can think the best of them, but the point is, he’s got access to more information than any of us should have and he’s identifying that as being our biggest threat and I 100% believe it.
You watched the old World War II stuff and all the signs they used to have posted. Remember, “Loose lips sink ships,” and all of that and the call to arms. Colorado Springs is a hotbed of cyber security, maybe everywhere else is too. I think about that whole call to action and I begin to wonder if all of this is a catalyst for that approach. We’ve been lulled to a sense of security, internets comfortable, and it’s accessible. A lot of the softwares made it really simple to use. You think about the data at your fingertips. You’re watching TV and you get your smartphone and go, “How old is Clint Eastwood right now?” You can punch it up and see. I want to watch this movie with so and so and you can pull it up. I don’t think people have a full appreciation of their footprint.
It has never been easier than today to go out and tell everybody everything about your life. You took a look at twenty years back and you weren’t telling people what you had for breakfast on some random website and hoping that everybody who looked at it had best intentions for you. You didn’t go out and divulge such information about your life. Nowadays, it is easy to go out and state whatever it is I want to state and have an audience or viewers to see it. It’s awful.
I want to jump in there. As we’re talking about all this proverbial freedom of information, I encourage your audience to go onto a website called Pipl.com. Type in your name, type in where you lived or anywhere that you lived and I encourage you to see what information you find about yourself. I think Pipl.com is a great launch pad for information. I say that very loosely because in the field of cyber security there’s also a subcategory that many people don’t think about. That that would be the field of cyber forensics, is identifying the old saying, “Who done it?” We have various clients.
Our most recent one, an individual stole information from X, Y, Z organization. We are able to go in and look at the extracted files and I in definitively find who did it, how they did it, and when they did it. Based off that information, we were able to extract a name and just to see how smart this individual was, we went onto Pipl.com. We typed in their name and there’s this guy’s mug shot, date of birth, relatives, activity on social media. That’s all fine and dandy. Honestly, that information that we found on Pipl.com, cherry on top of the pie.
We are able to go through the internet as we have it now, is constantly extracting data from your daily life. Morgan, I think you made a great point that not even ten years ago, if we were posting little Kodak instant photos of our breakfast in our office cubicles, we probably would have been labeled as an insane person. Now, not only are we posting those images but not many people realize this, every time you snap a picture, whether it is with your Android, iPhone, Windows device, BlackBerry, it doesn’t matter.
You snap a picture, it’s geo-tagged. In layman’s terms, what that means is it tags your GPS location as to where you took it, what time and when you post it and if an unsavory individual, organization, entity, it doesn’t matter who, they get their hands on that, they can look into that image and identify when was this picture taken? Where was this picture taken? People always think, “It’s so innocent,” and it goes back to the conversation that we had, Bob saying, “I really don’t care if my friends have this information.” Who do your friends know? Do you know all of your friends’ friends? Do you know all of their friends?
In the military, when I was going through my background checks and everything and some of my colleague’s background checks, we had to write down five names and then they go through and they find five of those friends. Every five they find five more and from there they find five more of those five friends. You have to consider what information you’re putting out there. How many degrees of separation do you have from the next individual and more importantly, how many degrees of separation do you truly want between you and the person who wants to do you or your business harm?
It used to be six degrees, not anymore. There was a discussion from a guy named Niall Ferguson on Bloomberg. He was talking about distributed networks and talked about before Google, before Facebook, distributed networks were more like the government, hierarchal and it was pretty defined. Now, you can pretty much develop your own distributed network. If you think about Facebook and groups, it’s changed the behavior and the folks that developed those apps probably said, “The world’s a nice place. People won’t do nefarious things with this data.”
Either that or they’re saying, “Can you imagine how much money I could make after I sell all this information?”
The reality is, there are people out with another agenda. We talked about for the business owner putting in some protocol. My suspicion is it would probably have to be reinforced periodically. I would imagine quarterly. In the years of Mad Magazine, it’s Spy versus Spy. One would do one thing and then they would amend, adjust and counterstrike. It is ongoing. For you guys in the ongoing space, if you are working with a smaller business and you come in to them and say, “We’ll offer our services to give you a profile.” The initial consultation or whatever is no expense, if I understood correctly.
That is correct.
What could a twenty-person business expect in the way of an expense if they engaged a company like yours to come through and try to keep them out of the ditch?
I’m going to let Morgan take the finance question but before we get to that point in regards to that, I want to talk more so of the procedure that goes into a twenty-man organization. We’ll take a look at their existing security policies. Their personnel policy, their data use policies, if it exists. If it doesn’t exist, we take a holistic approach to their organization. What kind compliances do they have within their organization? Are they a medical industry? Are they HIPAA compliant? You are subjected to the FTC, the Federal Trade Commission, and you have compliances that ensure that you have X, Y, Z protections for your client data, your Social Security, any other personally identifiable information.
If they’re a baker, they don’t care as much, but they still have some PCI. PCI is the credit card processor. They have their own specific level of compliances that must be in place. We can spend hours talking about those, but essentially, we want to go through and be proactive. We as an organization, we are one of 4%in the entire country of cyber security companies who take a proactive approach. A lot of times, other organizations, they are break fix. What that means is they only work with organizations after a breach, after an incident has occurred. Fortunately, for the cyber security company, unfortunately for the victim, it is incredibly expensive. Every once in a while, by the nature of our industry, we do get organizations who come to us panicking. “This happened to us,” or “We were referred to you. We got hacked six, seven weeks ago or a month ago, or we just got hacked. What can we do now? How can we make sure this doesn’t happen again?”
Let’s say you’re operating your systems, what’s an inclination that you’ve been hacked? You may not ever know.
At the end of this last quarter, we have access to various SIEM and EDR solutions. A SIEM is a Systems Incident Event Manager and an EDR is an Endpoint Detection and Response Platform. What all that means in layman’s terms is we take a historical view of your network. You have twenty people in your organization. Twenty people roughly translates into about 60 endpoints. It’s interesting because every person has two and a half pieces of internet connected devices. I don’t quite know how we got the half, but it’s two and a half. I round up, so we have around 60 endpoints.
We take 60 to 90 days’ worth of information and we identify, “Person A talks to this website and person B talks to person C. Persons A is in one department, B and C is another department.” After we take that information, we also monitor all of their electronic communications, all of their access, what are they doing on a day-to-day basis. Through the combination of the EDR and the SIEM, it allows ourselves and our engineers sitting in the SOC, Security Operations Center, to take a look and identify, “Person B is all of a sudden talking to person A and is emailing and the subject lines are outside of person B’s purview and person A is being nonresponsive.”
Good for person A because if Person A is finance and person B and C is in HR, why is HR all of a sudden talking to finance with exception to, “We need to offer this individual this much.” That’s a normal conversation. If all of a sudden they’re trying to say, “I need ten times more information than I’ve ever had.” Our engineers are going to take a look at it and say, “That’s interesting. Maybe we should have a conversation with the supervisor, Person D.” “Person D, what’s going on with person B? Have they been put on notice lately? By the way, we also noticed that Person B has been going to Glassdoor.com, and Monster.com. Are they looking to jump ship? Why are they all of a sudden talking to person A? Are they trying to do something malicious?”Education can be immensely effective in protecting your clients, your companies and your personal information. Click To Tweet
When you think about that as an employee of a business, you feel a little bit Orwellian. As a business owner, maybe that’s an employment contract somewhere where you have that capability.
There is no such thing as an expectation of privacy in a workplace. There’s none. Individuals you go into workplace, you are paid a salary or if you’re an hourly individual, you get paid some financial compensation for the work you’re performing there and as per your employment agreement, maybe there is a clause that states, “Anything you do here is technically if you have IP, it belongs to the company, anything you do can be monitored and is subjected to criminal prosecution if you do something illegal.
If I may, I appreciate what you asked though with the employees view, what’s going on? You don’t trust me? You don’t trust that I’m going to be doing what I’m doing? What a lot of these software that we put in place, the SIEM, the EDRs, etc., what they’ll do is they’ll not only look for protection for the company. Yes, this person is acting weird. It’s strange. I don’t understand it. Yes, over 20% of the reported cybercrimes in 2015 were malicious from internal. They meant to do it, but it also protects you because we have certain software that will take a look and say, “Person B is doing something weird. We need to flag him or watching them.”
We also take a look and say, “We noticed that person B was visiting this website, and all of a sudden this website’s doing some weird activity on their computer and it looks like something’s been installed on their computer.” Person B’s computers being used to do the attack, but that doesn’t mean that person B is the one in charge of it. We have things not only to protect the employee, but also to protect the organization, to protect the views and purviews of people, to make sure that everything is doing what it’s supposed to be. You’re not getting blamed for something you’re not doing, but also that you’re not doing something malicious to the company.
Bob, in terms of the price point, we as an organization, we’re based here in the Springs. We do a ton of business in Denver.
It is much less expensive to start preventing and protecting your information now than it is for you to come and have us fix it later when something’s happened. We’ve had had clients who said, “You’re right. I should have listened to you then. It’s unfortunate.” It’s hard to give you an exact number. I’ll tell you that, but I’ll give you a range. You say it’s twenty-man shop, we have packages that start around the $1,000 to $1,500 a month mark if you want proactive monthly support. There are other options that you have. You don’t have to have us on monthly, but $1,500 is a good mark.
What I’ll say is every single organization is different and we never build this cookie cutter solution for you. We’re going to customize every single solution for you. What that will do for you is it will give you a personalized plan. Whether or not you’re in manufacturing, who now has to deal with DFAR and NIST compliance and that’s messed up a lot of manufacturing companies for the government or the bakery. Obviously, there’s going to be a bit of a price jump there because one has to deal with your cyber security compliance with the government.
The problem is if you don’t do it and you get found out that you’re not doing it and say that you are, you’re not going to be able to work with the government for quite some time. That could be your biggest customer. It can be a bit of a thing to bite off and chew, but I will tell you that we are one of the most reasonable organizations in the Springs. We’re not charging $50,000 to $150,000 for a penetration test, which honestly is not uncommon within our industry. That’s just to tell you that there’s a problem, that’s not a fix.
For the guys that don’t know what a penetration test is.
First of all, there are two forms of tests that are most commonly run. The penetration tests as well as the network vulnerability assessment, an NVA. A penetration test is a very black and white look into the existing infrastructure. We sign a battery of legal documents basically giving us the right to simulate an attack on your network. There are four kinds of penetration tests, an external, internal, physical and social engineered attack. An external penetration test is us sitting in our lab and trying to break into your infrastructure. We can be sitting in the comfort of our home or a malicious entity could be sitting in their basement or could be sitting in China trying to break into your servers, your database, that’s an external attack. An internal attack is me, anyone else or a malicious entity walking into the target’s office and sitting down or even sitting outside the target and pointing a radar dish or some wireless transceiver at the building and trying to break in that way.
The third one was the physical attack, is me coming in actually in the building, plugging in something, whether it’s a flash drive or whatever other device, breaking and having physical access to your devices. Maybe I masquerade as a technician or some data center tech. I sift the RFID card access. In large organizations you have badges, They give you access into certain areas. You sift that information off of another badge and you masquerade as that individual. You gain access to a server room or a data center and you plug in, that would be a physical attack. The last one is a social engineered attack. Like I said, we’ve been talking about this all throughout the session, the information that you put out there. Pipl.com. There are all these resources. The reason I’m mentioning Pipl is because it’s immediately accessible.
We as an organization, we use a lot of other tools, to include Kali Linux to the Metasploit package. We use a litany of different tools but in regards to anyone using, Pipl.com is a great one. You can go online and you can even do a who is lookup on certain addresses, for example, ABC.com or Whatever.com. You can go into a WhoIs Lookup and identify who the registrar is, their email address, their phone number, their address, all that information and then you can take that information, turn around and say, “I know Rob, who was your technical administrator. I’m a really good friend of his. I lost his number. He told me he was going to set up whatever or he was going to give me something. Would you please be so kind as to give me his information? I really don’t want him to yell at me.” People feel bad. People will do what you asked. You’d be surprised at the level of social engineering. For some of our clients, we do conduct those four kinds of testing and we don’t tell them which ones we do. They just sign those battery legal documents and then we’ll say, “We will chat in a month, two months and we’ll have a report for you.”
In a roundabout way, that is incredibly true. It’s a horrifying way of social engineering, but that in a nutshell is a penetration test. A network vulnerability assessment is much more superficial. We look at your existing infrastructure and not looking in your files, your data center, anything, we walk in and with the tools in our pockets, our laptops and our cell phones. What can we see? How do we see it? What do we find based off of that? One of the biggest things is we walk in and we’ll find an unsecured wireless network. “Mr. Customer, is this your wireless network?” “We want to give our clients free Wi-Fi.” “Awesome.” Have you considered the repercussions of that that might bring onto your organization?“ “Our customers really want free Wi-Fi.” “Have you considered putting a password and most of the time we do see organizations that have password protected wireless, but that password is usually the password to the internal admin network.
If I may, it depends on what permissions you’re giving these clients as well because if you don’t have your guest Wi-Fi set up well, you could be giving your client’s permission to look at your documents and you don’t even know it.
From a legal perspective, if in any interval comes across a data center or some information that did not require a password, it’s free game. If you, the business owner gave access to the individual then, it is free game. Let me take a step back, some of our interns, we train them on identifying the signs of VLAN hopping, Virtual Local Area Network hopping, going from one network and hopping over to another network and gaining access to something . In order for them to recognize it, we train them. We teach them how to do that. We also have another battery of legal documents that say that if you do this, you go to jail and all the goodness that comes with that. We explain to them how easy it is or how possible it is to gain access to a “guest network.”
First of all, see who else is in this environment? When I log onto this wireless network, is it just my device or is it your device? Is the accountant waiting in the lobby waiting to be seen and this accountant is logging onto their bank account? Who else is there? Take the bread crumbs that you have in front of you and use it to your advantage. Those tests results in the conversations we have.“Mr. Customer, we appreciate the fact that you want to give your clients free Wi-Fi.” Depending on their industry, we have that conversation, “Is it necessary?” The customers you lose, is it truly worth you risking $250,000 a pop per compromised device? From there, we even say, “If you really have to have wireless, do you want Portnox or do you want a solution that is going to deter an individual from getting into your network?” As Morgan has very aptly put, there is no such thing as a 100% secure network. It doesn’t exist. Any individual who tells you otherwise, any antivirus platform who says will absolutely protect your system, they are full of it.
Everybody evolves, things change.
I forget the exact statistic, but the amount of new hacks and vulnerabilities, it’s astronomical.
There’s a website that shows all that’s going on, I’ve seen it.
The thing is, is that website probably reports what’s captured. The 100,000 that you gave, that’s what they find. There are stuff that goes unnoticed.
We’ve talked a bit about what businesses can do. One thing we didn’t talk about and we should have in the beginning is how do people reach out to you that are interested and want to at least start a conversation?
A great place to start is to take a look at our website. It’s ToggleIND.com. Another great way is to reach out to myself and I’ll give you my direct business line. It’s 719-301-9988. That’s a great way to start talking to us. Some great things to start at is looking at that network vulnerability assessment, looking at talking about cyber security education because the network vulnerability assessment that you were talking about is the best way to see exactly where you might be having some issues.
I just wanted to add one more thing. We actually have a cyber hotline. Organizations that are currently or presently undergoing a cyber security incident, we highly encourage them to reach out to Cyber@ToggleIND.com. This way it comes out to me, it comes out to one of my security engineers and we can respond to it immediately as well.
The intent of this episode was to go out and to talk about the issue at hand. We watch TV at night and you go, “There was this big thing,” and people is like, “It’s never going to happen to me.” The reality, years ago somebody told me there are two types of people, those that have been hacked and those that are going to be hacked. That pretty much covers the 50-50 thing we were talking about before. I think about it and maybe you don’t have the latest and greatest software installed, but if you’re not as easy a target as the guy next to you, maybe they’ll move on. In parting here, advice or guidance you guys might offer.
Regarding the big Equifax attack, go ahead and go on Google, type in Equifax, make sure you go to their specific website. Go in there and take a look. It’s posted right on their front page. Have I been hacked? You click on that. You fill in your information to find out if you have. That’s the first thing to become aware of it. Definitely go ahead and I would recommend getting some credit monitoring service because of the fact that sure it’s going to cost you some money, but it’s going to cost you a lot more and more headache if you don’t do it. That’s what I recommend.
Another big thing, do not use free public Wi-Fi. It is awful. It is the worst. I don’t know how much more I can say, but unfortunately we’ve had engineers, we’ve had people come to us and tell us about the free Wi-Fi scares that they’ve had. One of the biggest one, DIA, going up to Denver International Airport and getting on their free Wi-Fi. If you’re going to get on free Wi-Fi, don’t do anything on there that you would not be 100% comfortable with somebody seeing every single thing you do on it. Some situations, you will download stuff onto your computer and you wouldn’t even know it. Then they’ll be watching it afterwards too. That’s a big one. Don’t use public Wi-Fi.There is no such thing as a 100% secure network. It doesn't exist. Click To Tweet
For the guys that work at Starbucks, they’re toast.
I have a really funny story about that. My parents, they just returned from being overseas. They were in predominantly Asian countries. Before they left, I said, “Have a good time.”Halfway through their trip I said, “By the way, I imagine you have bills that need to be paid. Is that correct? At some point in time?” “We forgot about that.” “That’s fine. Let me set you up with a secure VPN.” As an organization, we are a Cisco Meraki certified vendors. Cisco Meraki is a mid to pseudo large organization network scalable infrastructure. They do security appliances, switches and access points. We as an organization, we recommend Cisco Meraki products. We have the ability to install them. We are not an MSP, we are not Managed Service Providers, nor do we have any intention of becoming MSPs. We are MSSPs, Managed Security Service or more likely MCSP, Managed Cyber Security Service Providers.
Basically, what we’re saying is we’re not your IT people.
We are not IT folks. We have the ability to do it if the need arises, but more likely than not, we will probably recommend you out to work with your internal IT or work with a third party vendor.
We can work with almost any IT provider. That’s something that’s great about us is we are not going to say, “You have to work with these people.” We’re going to take a look at what you have and we’re going to work with it.
We are not here to embarrass your IT provider. We’re not here to get anyone fired. If anything, we’re here to make t them look better. If we can have a very frank conversation with the individual, individuals or organization managing your IT and we can show them the errors and faults of their way to prevent them from a lawsuit from our mutual client, we’ve done our job.
I took you off track, so your folks paying the bill?
They were able to take advantage of the secure VPN and I was able to monitor all of their traffic coming in. When you’re overseas, for those who’ve never been out, I’ll use China as an example. If you go to Google.CN, the DNS, the domain name server, is basically the route where all of your traffic is going goes to a Chinese version or Chinese server. A lot of the things that we enjoy here, various YouTube channels, various news sites, they’re blocked over there. More importantly is I have no idea what entity is watching the traffic that is going across my parents’ laptops. By having an encapsulated secure tunnel going from wherever they are in China to my server, they can have more peace of mind that if I go to X bank to pay my bills, that my password I’m typing in isn’t going to be immediately pushed out everywhere. Again, I must preface, there is no such thing as a 100% guaranteed or secured solution. If someone really wanted to go after my parents, I’m sure they could do it, but at the very least, it deters a random individual, a random entity from gleaning all that information off of public Wi-Fi, a trusted relative’s Wi-Fi, it doesn’t matter.
The last thing I would to say is on our website, every month, every few months and usually every quarter, we have free software that we patch out. Sometimes it’s our own software. Sometimes it’s through an organization that we’ve identified is just absolutely killing it in the industry. We’ll have links on our website, “This month or this quarter we are pushing out this software.” It can be anti-ransomware, it could be a trial subscription to a VPN that we like, it can be a Cisco software. It doesn’t matter what it is. The software that we try and push out there, we don’t get paid because when they download our free software, they are being proactive in their own light and they can go on and have more peace of mind and confidence that what they’re doing is that much more secure.
It makes us feel better too. Our goal here is to protect our community, the people around us and anyone we can. Whether or not we’re selling you a solution, we’re giving you advice, we’re giving you free software, whatever the case is, we want to help our community. One thing I do want to state here for you though, VPN, Virtual Private Network and what that does for you is basically it creates a link between whatever device you’re using and a server back home, a security appliance, whatever the case is. It creates a tunnel from your device to that, sends the information through that. If it needs to be exported, it’s exported through the basically home base, if you will. That’s what that is meant for.
A couple little tips I’m going to give you. It absolutely is a pain, but change up the passwords every so often. You’d be surprised how much that helps and what kind of passwords. That’s the next step I was getting to is you don’t want to be using those passwords that it’s favorite thing in the whole world. If you got one kid and your kid’s name is Don, I love Don, whatever the case is, that’s something people are going to find out about you. Dogs, favorite colors, favorite hobbies, restaurants, names of kids, whatever the case is, try to make your passwords as unassociated as possible. You don’t want them to link back to you in any certain way.
If you want to be crazy, you can be like me with my security questions. When I fill out a security question, it could say, “What’s your favorite type of food? My answer is blue.” It’s something completely unrelated. That gets to be kind of a pain and you have to keep note of that somewhere or keep track of it if you can. Switching up your password is immensely helpful. Doing two-step verification is great. What that is, let’s say for Google, I enter in my username, I enter in my password, and then I get a code that’s sent to my phone. All that code is unique and it’s a six to eight-digit and I have to enter that into my computer to verify that it’s me. Granted, that’s not perfectly secure either, but it helps. That’s another one that I recommend.
Speaking on the China thing, because it’s been a thorn in my side since you mentioned it. There have been quite a few studies, and I can’t quote on who from. However, it has been shown that often if you go to China, if you go to some of the Asian countries and you check into a hotel, let’s say you leave your company laptop in the room. Let’s say you even lock it up in a safe, it has been shown that oftentimes the employees will go into your room. They will open up the safe, they will disassemble your computer, they will install whatever they want into it, put it back together and put it in your safe and lock it for you. If you’re going overseas, especially to the Asian countries, I recommend if you can, don’t bring your company stuff with you. Keep it as minimal as possible. A company phone, a company computer and take it with you. Don’t leave it in your room.
There was that discussion after the Olympics in Russia. It was basically everybody. In fact, they did that on the news. They were talking about it. It says, “Here it is in real time.” I appreciate you taking the time. For everyone, if you have some concerns, I encourage you to reach out. These guys didn’t ask to come in, I asked them to come in because I thought it was important to at least get the knowledge out there or at least the awareness that you can do something. Thanks for your time.
Thank you for having us.