When it comes to cybercrime, protecting 100 clients should be no different from protecting 1,000,000

cybercrime - putting the pieces togetherThe bulk of cybercrime and cyber events in the news are focused on large multi national organisations and government departments.   Newsworthy events are in fact always newsworthy.

These are the organisations we hope and believe are focused on protecting the information that we unwittingly give them through our interaction.

An attack on them makes for great copy.   But, the overall problem with cybercrime and cyber events is not the big fish.   The big fish are known to have millions of records that should be protected from a cyber attack.   Not protecting them reflects in spectacular thefts and large scale reputation failures.   Newsworthy events!

The biggest problem is not the theft of 1,000,000 records or more, although this will be pretty damaging in itself, the real big problem is the theft of 100 or 1000 records.

Large organisations have the expertise, the finances and the understanding that they have to protect their clients information in the best way possible.   SME’s do not!

Large organisations have the technical skills to not only protect the information but also the expertise to forensically dissect an attack and find out what happened, how they got in, where they went and what did they have access to.  SME’s do not!

Large organisations have the ability to test their environments through penetration tests and vulnerability scanning as well as the understanding that education is really important when it comes to a cyber event.   SME’s do not!

How many SME’s have gone out of business after a cyber event is unknown.   Some of the statistics are available, but not many are focused on whether it was poor management and cash flow or a cyber event that damaged their business to a point where it was unrecoverable.

Did it put them out of business?

One of the things I discovered a couple of years ago is the way the cyber criminal works.

There are 3 types of cyber criminal, 5% are hackers (criminal group or nation state), 10% are hacktivists (nation states and concerned citizen?) and about 85% are what we call script kiddies.

The script kiddies are the 12 – 30 year old who are interested in how things work, what they can do and how much damage can I do.   What I like to call the EGO warriors.

There is a large correlation between the script kiddies and the true hackers, one that is not really known, but every now and then becomes visible.

The internet is a great resource.   It is a great resource for us but it is an even greater resource for the budding cyber criminal.   The internet can put the budding script kiddy in contact with the true hacker.   That contact can be very problematic for SME’s.

For example, I am a hacker, and I develop an automated system for checking vulnerabilities of connected devices on the internet.   I do not want to or want to be seen running that automated system so I ask a couple of thousand script kiddies to do it for me.

I now have an army of automated systems, run by my ego warriors, that are testing the internet, the whole internet, for those vulnerabilities.   My automated system feeds back to the ego warriors with information about vulnerable systems (SME’s) and puts that information into a file that they can use to attack those systems.

There are even legitimate cyber protection businesses using this strategy.

But, it is also sent back to me when the automated system is run.   I can now pick and choose an attack vector as well as pick my targets.

For instance, there are ongoing vulnerabilities in Microsoft Remote Desktop Protocol (RDP), a system that is used a lot by SME’s.   A large multi national organisation will use virtual private network access (VPN), a SME will not.   They will expose that protocol port to the internet to make their lifes easier not realising that they are susceptible to an attack.

What are my targets, after a little research – SME’s with access to trusts, intellectual property, large amounts of cash or the new one, critical infrastructure.

These targets have reduced business intelligence, lack complex systems, lack digital expertise, but more importantly have a blaze attitude to security.

You know the attitude well – it will not happen to me, we have nothing worth stealing or she’ll be right.

Will an SME survive having its trust fund drained – probably not!

Will an SME survive having all of its research and development stolen – probably not!

Will an SME survive the reputation hit of having its customer database stolen – probably not!

Will an SME survive the compromise of its website / eCommerce site – maybe but probably not!

Will an SME survive a cryptovirus attack – again maybe, but probably not!

Protecting our digital assets is no longer a multi national organisations problem, it is everyone’s problem, everyone with a digital device has the problem and has to be part of the solution.

The solution is a change of attitude.   Changing our attitude to:

  • it will happen to us so we better do something to protect ourselves,
  • we have something of value worth stealing so we better protect it as well as possible and
  • there is no such thing as she’ll be right because when it comes to a cyber event, it will happen.

Doing X things to protect your organisation is not the best cybersecurity strategy.

It is no longer a case of do these ‘X’ number of things and your business, organisation or self will be secure from a cyber event.

We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.

This attitude is wrong.

All it does is focus you on the ‘X’ number of things that are considered important, it does not fix the overall problem of digital protection, cybersecurity and protecting the organisation’s data against a cyber event.

Today’s threat market is all about two things:

Risk management

Managing the risk to your organisation is totally dependent on the organisation.   Get it wrong though and the organisation is open to litigation, compliance and reputation challenges.

Defining the risk and then mitigating, reducing or ignoring the risk depending on your organisations risk posture.

That risk posture has to have a basis in fact.   Every organisation is different, therefore every organisations risk posture will be different.

“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.

Lets take patching – you can not implement a patching process if you have not looked at the associated risk of applying, waiting or ignoring a patch to software or operating systems.

Some patches are critical and the risk to the organisation outweighs the impact of a cyber event.   These need to be applied immediately.

Other patches could mitigate some risks to a system and can be applied as part of the patch process.    We recommend within 15 days.

There are also patches out that would have minimal impact on a system.   If the system was not patched and it was compromised they would not get access to critical data.   These can be applied based on the organisations risk posture.

Looking at the overall risk to an organisation will drive the security around that organisation and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.

Using frameworks

When used correctly a framework increase the awareness and security around an organisation.

We use NIST, but any framework will do.

A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.

It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related but often overlooked,  important features of digital and cyber protection.

Each of the components of the framework allows the organisation to implement change in a managed and focused way.

It allows an organisation to improve security, with each change benefiting the organisation.

It is a process, not a knee jerk reaction to the next threat.

Business security is not about implementing a decent firewall, installing end point protection and sitting back because you think you are safe.

Business security is about education, policies and procedures, business continuity, visibility and viability.

This solution cannot be achieved through reaction, it needs to be a proactive process embraces by all members of the organisation.

Cybersecurity – we still do not have the correct focus!

focus on cybersecurity

With the expected $660 billion loss to cybercrime this year, we definitely have to change our understanding, our focus and most importantly our attitude when it comes to business security and cybersecurity.

We have to stop with the simplistic crap – I have been guilty of this myself but we have to stop.

Cybersecurity is not only about AV, firewall and patching.

Doing one is good, but the attitude of doing all makes you bullet proof is definitely stupid thinking in today’s business world.  The number of SME’s that adhere to that thinking is phenomenal.

Cybersecurity is about knowing your data, the location of your data and more importantly protecting it from people who should not have access to it.

It is about risk management and understanding that all risks associated with your data have been mitigated, differed or migrated.

There is a whole ecosystem of things that have to be done, as fast as possible, to reduce the risk of a cyber event, but the simplistic keeps getting in the way.

Attitudes like too small, nothing to steal and she’ll be right abound, and really does show that most people have a basic disdain for protecting their organisations.

Until this attitude changes, the basics are the only things that will be applied.

Introduction of the NIST framework (any framework), implementation of SOC and SEIM environments, an acceptance and adherence to policies, process and procedures and a basic understanding of what the bad guys are capable of is absolutely paramount for any organisation going forward.

But, we still rely on just or only the basics.

Without a change we will still go through the same solutions expecting a different outcome.   Definitely stupid thinking.

We forget the capabilities of today’s cyber criminal.

  • They are well educated in ones and zeros, in other words – the digital world.
  • They know how to bend and break the rules that society relies on to be a society.
  • They know how to bend technology to do things that even the designers never thought of.
  • They have a vast range of motivations to do wrong, and
  • They do not give a stuff about you.  To them you, your family, your business are cannon fodder.
Applying this knowledge to your business environment makes you realize that sitting ducks abound and improving your status is paramount.

To change, you need help in changing.

Changing the attitude, getting and listening to advice but more importantly actioning what needs to be done is the only way forward.

There is still one fundamental issue, in most cases, you do not know what you do not know.

Getting advise from experts is important.

You can no longer rely on the jack of all trades, someone who knows computers or thinks they know the digital world.

You need an expert!

You need an expert to stop a cyber event from compromising your organisation.

You have to find the time, the expertise and the financial motivation to make change, but you need an expert to put you on the right path.

If you cannot find it internally then you have to go outside your organisation.

 

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He is the winner of the worldwide 2018 Cybersecurity Educator of the Year award and was Runner up in 2017 .  

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

The insider threat, the hardest cybercriminal to keep out

The internal “spy” – the insider threat

The hardest attack to defend against in cybersecurity.

There are three types of spy

The accidental spy – the person who thinks it is OK to bypass the security systems put in place to protect the organisation. Those who think the policies do not apply to them:

  1. I am the best sales person and those policies will slow me down,
  2. I am the CEO and I need this technology to make my job easier, less complex but it has not been tested in the organisation. “Just do it”
  3. I am the CIO and all of the other CIO’s have the newest gadget, so it must be OK

The incompetent and / or silly spy – the person who has been targeted by a social engineering attack and has fallen for the bait:

  1. Opened that email attachment, clicked that link.
  2. joined that Facebook group without checking their security settings.
  3. opened the video on Messenger
  4. Tried to win that Bunnings / Home Depot voucher

Finally we have the disgruntled or disappointed employee, the most dangerous – the destructive spy:

  1. The sales person who is leaving and takes a copy of the CRM, because they think they are entitled to it.
  2. The employee who has left who still has access to the system.
  3. The outgoing / fired IT person who has full access to the system and has put in back doors so they can continue to get in and do a number of nasty things.

Protection against the internal spy, comes down to policies, procedures and processes.

Policies are applied to all people in the organisation, if not adhered to then repercussions need to be in place

Procedures need to be created so that everyone knows, not only their own jobs, but parts of other staff members jobs as well. They need to be documented, distributed and authorized by management. But, more importantly, they need to be followed.

Processes need to be put in place to ensure that things are done and done the right way every time.

Although the insider threat is one of the hardest attack to protect against, there are still ways to reduce the risk.

If you are not sure then talk to someone who can help.

What do you think?

Am I correct?

Make a comment on this article.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award. 

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.  

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.  

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.  He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

“She’ll be right”, is not cyber event protection!

A cyber event is not a punch line.   It is a serious effort to derail your organisation.

Cyber event protection?

If an attack is intentional then you need to manage the risk.   If the attack is accidental or random then you have to understand the implications.

Understanding what is happening in your industry, your supply chain or other areas of the digital world is important.

The implications to your organisation could be a flow on effect of a cyber event on the other side of the planet.

To us humans it is 10,000 kilometers away in the digital world it is just a click.

Our understanding of the digital world for most organisations is mainly focused on client management, communication and service delivery.

CRM, sales, marketing, email, data and information are all woven into the fabric of improving the bottom line.

What can we do with the tools available without spending too much money but with a significant return on the money invested in the organisation.

10 years ago any business who was on the cutting edge of technology had the ability to multiply their revenue by a factor of 10.

Today everyone is using the same products and services to improve the bottom line.

Technology is no longer the multiplier that it use to be.

But, security of that technology is!

The news of significant hacks like Ashley Madison, Target, Yahoo and Equifax have created startling headlines but have they changed the attitude of business organisations world wide?

No they haven’t!

The problems with raising awareness to the true cost of a cyber event is not understood by most people.

“It will not happen to me” or the colloquial response of Australians – “she’ll be right” significantly reduce your ability to handle a cyber event and to come through one with the organisation intact and still functioning.

Making the simple attitude change, “it could or may happen to me”, has a significant impact on any organisation.

The change in mindset, a couple of words in a statement, starts people down the road to better protection.

Isn’t it about time that you made that change?

Once you have made that change, questions and answers start to be heard.

  • How about we put a policy around this process.
  • How about we put processes and procedures around the database.
  • How about we put together a disaster recovery plan.
  • How do we get back to business as usual – lets put together a business continuity plan.
  • How about we educate our troops so they can recognize an attack.
  • How about we invest in new technology.

All good ideas that would never come about if we believe we do not have a problem.

If we persist with an attitude of “she’ll be right” I can guarantee that we will not.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.

He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award.  

He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   

He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   

He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

What every CEO and CIO should know about cybersecurity

The problem with cybersecurity is it is not sexy.

In most cases it is down right boring.

Although not sexy and down right boring it is still something that every CEO, manager, owner and board member has to focus on.

With all of the automated attack vectors available to the cyber criminals, we can no longer say we are not a target. We cannot say we have nothing worth stealing.

The more and more reliant business has on the digital world the greater the chance that a cyber event will cripple the organisation.

What are the main things that every management type needs to focus on when it comes to prevention of a cyber event.

Here are a few!

The cost of a cyber event.

The cost of a cyber even can range from lost time and functionality within the organisation to more money than the organisation can find to pay for the breach.

Cryptovirus is an example of lost time and functionality. If you do not have a functioning and tested backup of the data, you have to rebuild the offending device but you will also have to also replicate all of the data.

A full blown breach by a dedicated black hat hacker can steal everything and then use your system as a platform to target your clients, suppliers and staff. When that happens you realize that you are NOT too small to be a target

How they get into your system

The go to weapon of most cyber attacks is social engineering. Two parts of a very effective attack strategy. The technology to effect change, follow a link to an infected website, click on an ad in social media or open an attachment in an email, combined with getting you to trust them where you let them in.

Either way they are now in.

Risk and problems just compounded.

Simple ransomware for instance, the initial encryption of data is only one of the stages of the attack. What about stage 2,3 and 4.

Wannacry showed us that a combination of 2 attack vectors allowed a single infection to traverse a whole network. One computer is a problem for any organisation. All of the computers is a nightmare.

The protection challenges

In most situations managers, owners, executive and board members do not understand the digital realm. Risk management of data (a critical component in today’s business world) is often overlooked and considered an ICT problem.

Its not! Today’s digital security challenge is everyone’s issue and the sooner it gets noticed as a business risk and treated as such the faster we will see a reduction in attacks.

From the largest organisations to smallest single entities, we all keep critical data in places that are easily accessed, relatively unprotected and mobile.

What are you doing to manage the expected cyber events that could cripple your organization?

There is no single, simple fix. If there was everyone would be safe.

It is a complex issue and one needs to dedicate some time, money and expertise to understanding the issues and risk associated with a cyber event.

Come to one of my intensive workshops it will open your eyes on your business requirement to be safe as an organistion.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.
He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award.  
He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Cyber event – Why does it take so long for answers?

Have you ever thought to yourself – that hack – Cyber Event –  happened 6 weeks ago why do we not yet know what happened?

The problem with today’s cyber events is actually how complicated and complex that hack or breach was to achieve.

Like every criminal they like to cover their tracks and there are a huge variety of ways to do that in the digital world.

How many out there have fudged on our profiles – old photos (missing the gray hair), wrong birthdays, wrong year of birth.

So the first problem – who just hacked my system?

Everything can be fake.

If you, an honest law abiding citizen, can lie on your profile why then can’t the bad guys.

We only lie about our profile out of vanity, they do it because they are legitimately trying to hide.

This is the first hurdle when it comes to identification.

Little or no information.

In addition they use what we call handles – think old radio speak “over and out rubber ducky”.

Today’s handles are a little more complex, or they convey some level of anonymity.

The calling card of a cyber event

The calling card of a cyber event

The second problem – what system did they use to hack my system?

The internet is full of systems, information and attack weapons that are easy to use, have large quantities of how to’s, help and videos.

That is just the internet.

If you want to know more get onto a chat room on the dark web and see what happens.

In addition to this there are also a vast range of ‘Proxies’.

These are devices and systems that have either been hacked and the owner has not discovered it or have been put together in other countries and locations specifically used as a way to hide the next attack.

The third problem – what has actually been stolen?

Everything today is data.

If I steal money from your credit card or bank account it is noticeable in the real world. I can see that someone has removed money from my possession, in some way. Stealing money from you then comes down to making you trust the transaction.

If I can steal $20 from you with an illegal pay wave transaction will you notice it?

But data is different. When i steal data from you, the information stays in the same place.

I am stealing a COPY of that information.

What I now do with that information will not have an impact on the original copy of the information.

If I have removed that data, how do you know that I have done that?

Each one of these steps can take hours, weeks, months or years to unravel. In that time the general public, industry, regulators, government and press are screaming and carrying on. To find out what happened.

Roger Smith is funny, scary, on point and is focused on one thing – increasing everyone’s awareness and understanding of the problems and issues associated with the digital world.
He was Runner up in the 2017 worldwide Cybersecurity Educator of the Year award and has been nominated for the 2018 Cybersecurity Educator of the Year award.  
He is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.   
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one on Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.