What is the difference between a Penetration Test and a vulnerability scan?

Ransomware for Medical devices – what happens then?

One of the biggest problems with our bright new shiny digital world is everything we do or use today has some level of digital components.
We know that everyday computers, smart devices, mobile devices and gaming platforms, are digital in nature.
We forget that Fitbits, Internet of Things devices and medical devices also have some level of digital incorporated into them.
So what happens to these devices if they become infected with malware, even worse if that malware is a ransomware.
If I had a pacemaker installed in my body and the medical staff lost control of it (that is what malware and Ransomware does, removes their control and gives it to someone else) I think that I would get a little panicky.

Definitely a WTF moment.

Most medical devices are either WiFi or blue tooth enabled.   That makes them relatively easy to break into.
Researchers have been looking at compromising medical devices and in 2015 there were 25 known vulnerabilities in some of the most popular devices.   What about the unknown ones, how many of them were there?
We all saw what happened with IOT devices when Mirai was released on the internet late 2016.   It compromised a certain level of device that had a hard coded username and password in the system.
We also saw what happens when the wannacry ransomware hit and the fall out from that in May 2017.

Now imagine a wannacry variant that targets your pacemaker.   “Give us $1000 or we stuff around with your heart!”  That would certainly make your life pretty interesting.
What’s to stop it happening?   Whats to stop it happening right now?
I keep coming back to people taking responsibility for the code they write.   I think we need to have a serious look at our new and shiny world and do something about it.  Before it is too late and people start dying!

We need to think things through.

Think like the bad guys.
Oh, and before you say “why would they target my pacemaker?” In most cases it is because they can.
Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercime, Cybersecurity and the hacking techniques used by the digital criminal.
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one in 3 sections of Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI
He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

Why do we still believe these 6 idioms about the Internet?

For 25 years the internet has been around.
Since its inception, thanks Tim, we have seen how it can be used for ‘good’, but we have also seen, in the last 10 years, how it can be used for bad, evil and nasty stuff.
The bad utilization is starting to have significant impact on the business world but we still have a number of areas where we do not see the dangers.
These are some of the internet attitudes that we come across constantly:

It will not happen to me

In one word, OK two – automated systems.
The free automated systems that are now available to any bored 14 year old cause major problems for anyone connected to the internet or digital world.

I have anti virus, that’s all I need.

We are constantly shown that most business organisations think in one dimension when talking about the Internet.
The fact that the bad guys and even the automated systems think in a multi faceted approach when it comes to targeting us.   Anti virus will find 95% of attacks and stop about 85%.
That leaves a significant number of areas where AV will not protect you at all

My password is strong enough for me

I was recently watching an interviewer on one of the late night shows that was sent out to the streets to ask people for their passwords.   The ridiculous easy way, in which she got that information, was astounding.
One of the other features to come out of it was people still use dictionary words, personal information, easy to remember sequences.
Passwords have to be complex, unique and more than 9 characters.   Its not easy for you it is easy for them.

I only trust my friends on social media

On my Facebook recently there has been a spate of people who are already my friends asking to hook up on Facebook again.
It can be very difficult making sure that you do not fall for this type of scam

3d people – man person with umbrella and arrows. Protection against problems

I am not rich and famous why would they pick on me

On the Internet everyone has something of value.
Even though you may not have money or access to money, trade secrets or you think your personal information is not important you still have one thing that the cyber criminal considers important.
You have some sort of technology that they can then use to target other people from and hide their attack behind.

Digital security is very expensive

The fundamentals are not.
Use a firewall, use an anti-virus, back everything you consider important up, patch it all and use a decent password.
None of these are expensive, but they all lift anyone out of the realms of easy targets.
In addition here are a couple more – Trust no one and be paranoid.

I don’t need a back up because it will never happen to me

If you think that your information on your digital device is not worth backing it up then ask yourself this question – if I lost my laptop, dropped my phone in the toilet or my tablet was stolen what information could I not live without.
That’s the information that needs to be backed up.
Backups are for any digital device that has your information on that is irreplaceable.
The bad guys have changed, we have not.
They’re are smarter, more persistent and definitely more brazen.   We have to adapt to their changes and make sure we are protecting ourselves, if we don’t no one else is
Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

6 cybersecurity countermeasures your organisation needs right now

Modern organisations use and need access to today’s technology but understand little of the actual underlying systems.

This creates a huge problem for the cybersecurity of the organisation.

With due diligence to the fore you would think that implementing a cloud solution would be relatively easy, everyone is doing it and of course it will make the organisation more competitive.

But will it?

Today’s organisational technical environment are a hash of unrelated systems needed to fit a niche requirement, combined with the least available spend and with the best return available.

It is no wonder that inter operability becomes a huge problem when combined with the cybersecurity aspects of protecting the organisation.

Now tie that in with the business compliance requirement and you can see how big a problem business security becomes.

There are a number of strategic requirements that can be used to make the organisation more secure.

They are:


Teach your children well, never mind the children, teach your staff an understanding of cybersecurity and securing your business. Your staff are usually the first line of defence and the last line of resistance.

They will see something happen, open an attachment, follow a malicious link and they need to be able to recognise what they have done and then do something about it.

Realise that they have gone to a malicious website and unplug the network card.


Invest in the best.

The newest operating systems and applications, the best firewall you can afford to buy, the most secure wireless and VPN system.

They are all important in protecting your organisation.

But, they all need to be updated and patched as required.

Data management

Who has access to what and what can they do with it. Where is it stored and have you got a backup of all critical data.

Those questions are all part of the risk management component of an organisation.

When it comes to risk and data always err on the best protection that you can afford.

User access

Restrict access to system.

Need to know, yes its an old saying but it still has currency in today’s world.

Make it a rule that no administration account has access to the internet or has an email account. These are the primary attack vectors for a cyber criminal.

Policies, procedures and processes

Build them and they will protect your organisation. There is a fine line between over restrictive and non existent.

All of the three P’s should be designed to support business functionality.

Back it up

No matter the expense, an investment in a backup strategy, a disaster recovery plan and a business continuity plan can mean the business will survive a silly mistake.

No matter the situation a decent strategy around recovery will save you every time.

Your organisation can come to a complete stop with one interaction with a dedicated bad guy. Make sure that you are not exposing your organisation to that problem

Everyone within the organisation has a requirement to look for the signs that depict a cyber attack.

Use them, educate them and make sure that everyone knows that the requirements are within their job purview.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Stopping Cyber Events, It’s all about focus

Until the people in charge, managers, board members realize that

  • cyber crime is not going away,
  • no one is immune and
  • protection is everyone’s problem but needs to be addressed from the management down

We will continue to have spectacular cyber events.

Spectacular cyber events that cross over from the internet into the real world.

Stop the blame game and focus on the solutions.

The solutions need not be expensive, but they have to be implemented.

They are your first line of defence.

In today’s social media driven world any mistakes will be highlighted, in some cases spectacularly.

People no longer keep they mouths shut.

They open their mouths for political gain, to score points, to settle old scores, for just plain vindictiveness or they are just being idiots.

The information will come out.

The information will come out whether you want it to or not.

I was told something a long time ago.

It was called the today tonight test.

and i think that it still applies today.   If i had made a mistake and someone put a TV camera and microphone in my face would I still be able to say that i acted in the best interests of what ever i am talking about.

If i could then OK, if not why not?

Armed with this piece of advice I have kept it in mind with everything that I have done since.

I think it is about time that government officials, politicians, board members and C level executives went back to applying the same principle.

If you stuffed up, admit it, take the bumps and bruises and get on with fixing the problem.

The Japanese attitude of fixing the problem not assign the blame is really important in today’s world.

The rain of cyber events

We are all still looking to assign the blame

In the last cyber attack (wannacry) the blame game has once again come to the fore.

  • Stop thinking that the cyber event will not happen – it will
  • Stop thinking that the cyber problem is going to go away – it will not
  • Stop thinking that investing in cyber event prevention is too expensive – it is not
  • For F!?k sake, Just stop

Today’s cyber criminal needs you to think that the operating system is fine even though it hasn’t been updated or patched in years.

Needs you to think that easy to remember passwords are not a problem.

Needs you to think that your staff are informed or trained enough to prevent a cyber event – they are not

Needs you to not invest in better security around everything digital.

Needs you to think that the whole cyber problem is an IT problem.

The cyber criminal is happy that you think that, because that is how they get in.   Once in, well we saw the repercussions on the weekend of the 12 May 2017.

Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, Presenter for the Business Security Intensive, author of the Digital Security Toolbox and Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Ransomware – So you think you have nothing worth stealing?

Lets just look at that for a moment

In today’s world we all use the internet to do business, to communicate, to have fun.

What we forget is this!

  • You have a Mobile phone or tablet = target
  • You have email = target
  • You have a web site = target
  • You own a Smart TV = target
  • You live in a Smart home = target
  • Have anything that is part of the Internet of things = target

There is no getting away from it.

If you are connected to the internet, the digital world, the cyber world, in any shape or form – you are a target.

Do you now agree that you are a target!

By being a target, what are they after?

Most people think that they have nothing worth stealing?

In today’s digital world, that is bull.

If I was a hacker – What could I steal from you?

Lets just start with just the basics –

  • money or access to money
  • Intellectual property, trade secrets or restrict access to information
  • PI information about you

Additionally, Technology – your computers, phones, tablets, your smart devices.

Things you may not even consider your phone systems and your gaming console.

So you are also saying that you have nothing worth stealing!

So lets look at the phenomena that is the fastest growing digital crime ever seen – ransomware.

Ransomware Why is ransomware so effective?

To anyone who has been a target of ransomware, you realise very very fast that not having access to things that you considered not inportant, suddenly become very important.

With a ransomware attack you have three actions –

  1. its not important so I won’t worry about it,
  2. I will pay the ransom or
  3. I will restore from backup

Your choice, but i can guarantee that not having a tested and secure backup will haunt you.

The problem with the digital world is we are all exposed.

We are all targets.

More importantly, if you don’t do something about it who will?

Want to know more about business security?

Join us for the business security intensive


Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

A business security framework for the cyber insured

The introduction and subsequent uptake of insurance focusing on “cyber” have shown that the insurance industry is serious about protecting the assets of businesses all over the world.
The level of protection is dependent on the policy, your business requirements and also how much protection you need for your business.
Insurance without looking at increased protection however, will not work.  A breach would / could put you in the situation where you are not covered.
If you do not get your business security and protection correct then you will be in a situation where a cyber crime against your business will not be covered under your insurance policy
Here is a basic framework that aligns with most cyber insurance policies.
  1. Technology.  There are a number of areas where technology investment is paramount.   Here are a few
    • Router, modem, firewall – get the best you can afford.   Definitely get rid of the system supplied by the ISP or the shop bought one from a home retail shop.  As a level of protection they will not protect your organisation.   Minimal spend should be around $600 for a small business up to more than $20k for a large organisation
    • End point protection – 2 things about end point protection, they will catch malware and suspect applications because, like us the hackers are inherently lazy and use old known code.   The second is doing a regular scan, this will allow systems to catch up with malware that has been recently discovered.
    • Wifi – access to your wifi allows access to your systems, whether it is set up to have access or not.   Once again spend a little and invest in the best you can afford.
    • Encryption – if you are collecting staff, user, client and financial information then it need to be protected from ease dropping with encryption.   Encryption needs to focus on data at rest, where and when it is stored as well as in transit.
    • Patching and updates – operating systems – do it, applications – do it, websites – do it, tablets and phones – do it.   Absolutely critical to protecting anything digital in today’s world.
    • Up to date operating systems and applications – if you are using old versions of MAcOS, windows XP, android – replace them ASAP
  2. Management.

    • Policies procedures and processes – policies are very important as they tell your staff where you stand on passwords, internet usage, email usage, education and training.   Make sure everyone reads and understands them.   Procedures allow you to specify how things are done so that anyone can walk in and do a task without supervision.   Processes will also allow systems inside the organisation to be implemented as a standard
    • Audit and reporting – it is no use collecting information from the system if no one is going to look at it.   You need to implement a standard process that audits the information and reports it to management.
    • Logging and alerts – all systems have some level of logging.  In a small organisation daily checks of individual logs can be done, in larger organisations there is a need for a central location and a system that alerts staff to issues coming from firewalls, intrusion detection or AV.
    • Password management – in today’s world passwords are your passport to the digital world so they have to have 3 components – must be more than 10 characters, must be unique for each location and must be complex, having letters, numbers, capitals and symbols.
    • Education and training – there is a 300% ROI on education in an organisation.   Your staff are the first and last line of defence, when the technology fails an educated user will be the last line of defense
  3. Sustainability
    • Disaster recovery – when it alls goes to custard (and it will) you better have a way back.   This is what disaster recovery is all about.   It doesn’t matter if it is physical (flood, fire), digital (cyryptovirus, failed hard drive) everything that is stored digitally is vulnerable.
    • Risk management – you need to way up the risks of a issue impacting your organisation.   The higher the risk the more you need to mitigate it.   If you use the NIST framework to manage your risk and exposure it will benefit the process of risk management
    • Backups – everything that is important need to have a backup made of it.   If it is business critical then the risk of something happening needs to be weighed up against mitigation and cost.   Virtual imaging backup software is a huge solution to this priblem
    • Business continuity – what happens if the district where you office is locked down and noone can access the office.  What contigencies have yo got in place.
  4. Compliance – if you are collecting PII (personal identification information) then you will have a compliance requirement.   If you are collecting financial information then PCI DSS compliance requirements come into the situation as well
 So insurance is all very well but unless your organisation invests in the additional components of your cyber protection you may find that the cryptovirus that has encrypted all of your data is not covered.
If you want to know more get my book or ebook
Roger Smith is the CEO of R & I ICT Consulting Services,(http://rniconsulting.com.au), Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime (http://www.amazon.com.au/CyberCrime-Clear-Present-Danger-Security-ebook/dp/B00LEJTN5Y), author of the Digital Security Toolbox (http://www.rogersmith.com.au/roger/toolbox/) and the SME digital security framework (http://smesecurityframework.com.au/csb/).   He is a Speaker (http://www.rogersmith.com.au/roger/roger-smith/), Author, Teacher and educator (http://securitypolicytraining.com.au/cybersecurity-awareness-introduction/) on cybercrime and how to protect yourself from the digital world.

Cybersecurity and business security training when it is working, you WILL know!

Joining the Cybersecurity IN Crowd

When it comes to proving that your Cybersecurity and business security training is working there is usually not much to show!   In most cases there is a general rumbling within an organisation, like every other training: wasting time, effort and sometimes money.   

BUT, there is a little known fact that when cybersecurity training is embraced there is an overwhelming camaraderie created.

Complete the course and you are one of the crowd.  

A part of the IN crowd.  

Look at that you, know a little more about computers, security and that is important for moral within any organisation.

Like any other training and education program we need to know how to use the tools that we are given in the organisation.   Cybersecurity and business security focuses on protecting the information that those tools generate.

How do you know that your training is being embraced

If they are discussing the training – you win

Getting people involved in any training is hard – most people just want to do their jobs.  More importantly, in todays world they either think they know it all or management doesn’t think it is important.  

If you have delivered any type of business security or cybersecurity training or presentations and they are talking about it in the break room then that is a vast improvement.     

This increase in awareness allows the organisation to concentrate on other areas of core business namely products and services.   In addition this level of discussion also makes for increased awareness, better protection for the organisations infrastructure.   

A win for the staff as well as a win for management.

There is a distinct lack of visible passwords

If your training is working you will find that everyone is more aware of the organisations password strategies.   This awareness should be visible with a distinct lack of post it notes all over peoples work stations, monitors and under keyboards.   

When everyone has been taught how to create complex passwords that are unique to every website or location, that are easy to remember and are longer then 10 characters, security within the organisation just has to improve.

Errors and mistakes with digital information start to disappear.

Once a training package has been completed there is a distinct decrease in the number of silly mistakes made by the people who have received the training.

Why don’t People make as many silly mistakes.   They do not open email attachments, follow links, email critical information outside the organisation, make silly regretful comments on social media and are less susceptible to social engineering attacks.   They think about the consequences and the have a higher awareness threshold

They have been taught to follow the “trust no one” philosophy, are paranoid of the digital world, show an increased awareness in what and how the bad guys are targeting them, your organisation and their access to money.  

Bragging about recognizing a specifically sneaky phishing / spear phishing email

The biggest off shoot is when staff members start to brag about cyber attack failures that they have been involved in.  A targeted email that was aimed at the accounts department.   A phone call they thought was fishy.

When that happens everyone feels good.

There is an increase in business interaction

With an increased awareness of what is a true business proposal and what is krap, business can start to make an impact in their areas of core business.

If you combine a true cybersecurity, business security training package with an above average NIST score you can start to influence your market niche, control who you do business with and improve their business capabilities.

As we all know training and education of staff, management, C-Level execs and board members is very important.   The significant changes in internal attitudes to cybercrime and fraud increase significantly if a decent training.

If you are interested in a decent inexpensive training package for small and medium enterprise then contact us on one of the following links.


Roger Smith is the CEO of R & I ICT Consulting Services, Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity), Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.