
Episode 2 - Conor O'Neill - OnSecurity - CyberSecurity

S1 E2 · Survey Booker Sessions
136 plays · 2 years ago

In this episode we discuss how you can protect yourself and your business from cyber threats.

  • How the hacking funnel works
  • Passwords and how they’re leaked
  • Tools you can use to protect yourself
  • Will we have passwords in the future
  • What are social engineering and phishing attacks
  • Prioritising what you protect

How hacking takes place may not work the way you think. It's a very sophisticated industry, but there are simple ways you can protect yourself to help keep your data and business secure.

Transcript

Improving Security for Small Companies

00:00:00
Speaker
Yeah, I'd say the good news is like, if you're a company and you have less than say, I don't know, 60, 80, 100 people, it's really not that hard to be, I'm not gonna say to be secure, but it's really not that hard to be a lot more secure than your average other company like that. And it's just about taking those basic steps we've already talked about.

Introduction to Cybersecurity Podcast

00:00:19
Speaker
Welcome to Survey Booker Sessions. Tune in to hear from people working in a range of industries and roles to provide you ideas that you can take away and use in your own business. I'm your host, Matt Nalley, the founder and director of Survey Booker, which is the leading CRM and survey management system for surveyors. In today's episode, we're going to take a look at how you can make your business more safe and secure from a cybersecurity perspective, whether you're an SME or a large firm.

Conor's Journey in Cybersecurity

00:00:41
Speaker
Here to tell us all about that is Conor, who's the co-founder of OnSecurity. So thanks for coming on today. Hey, cheers, Matt. Thanks for having me on. No problem.
00:00:49
Speaker
Before we get started, how did you get into the cybersecurity space? Well, I did a degree in computer science, and then after my degree, I didn't really work in computers and IT. I was just traveling around the world and working in bars and stuff like that. And while I was doing that, I read this book around cryptography, and that got me really interested. And it just all happened then when I got home.
00:01:13
Speaker
that the Irish government were doing.

Understanding Ethical Hacking

00:01:15
Speaker
They were paying for people to do master's in cybersecurity because they wanted to increase the amount of people obviously getting into that industry. And I signed up for that. And then that was it pretty much from there. I kind of worked in various aspects of it and started off in like cyber forensics and investigations and then moved into what we're kind of doing now, which is the more pen testing or offensive security side of things, sort of hacking into things. I suppose you call it ethical hacking.
00:01:41
Speaker
And that's what I'm trying to get into people's systems and understand where the weaknesses might be before someone else does. Yeah, exactly. Trying to understand what things look like from the perspective of a hacker. Yeah, it's finding the weaknesses effectively before the hackers do. Interesting. Okay, I think that segues quite nicely into one of the questions I wanted to ask, which is,
00:02:00
Speaker
I think a lot of people think back to movies where you've got the guy in a hoodie sat at a desk trying to hack into a system.

Ransomware Attack on Small Firms

00:02:09
Speaker
And I'm sure actually that's not probably the case most of the time. It will be for maybe certain companies that are getting targeted or whatever it might be. But what are the common misconceptions about who gets hacked or how people get hacked?
00:02:22
Speaker
Yeah, that's a really good question. And yeah, there's a common misconception. And so, I suppose I'll start off with a small story. It's like about a year ago, a customer of ours, he was like a small building engineering firm in like Warrington, somewhere quite random in the UK, small, like about 30 people working there. Reasonably small revenues. And they called us to say they'd been the victim of a ransomware attack and all their computers are encrypted. So that really got me thinking like how,
00:02:52
Speaker
did this random business in the middle of kind of Warrington up in the Northwest of the UK, get targeted, you know, like what was the process? Because I'm pretty sure it wasn't a guy in Russia waking up one morning deciding to target this random business in Warrington. So we tried to,

Cybercrime Industry Mechanics

00:03:08
Speaker
we created a research project, basically, we sat two or three of our engineers working on this long term research project to try and understand better how that happens, like how
00:03:19
Speaker
that business goes from being like a needle in a haystack. There's what, there's like 219 million businesses on earth, 6 million alone in the UK. So how do you go from being one in 6 million to being ransomware? And the results of it were fascinating. So that's kind of, it's kind of what we base our, I guess our products and services on, but the results of it kind of like, it showed that it's effectively a
00:03:43
Speaker
a very sophisticated industry, the cyber crime industry. It operates very similarly to the SaaS sales industry in terms of there's different organizations at different layers. And at the top of the layer, and like what we've got at the top of the funnel, we call this the compromise funnel. And you're probably familiar with sales funnels. There's like a whole
00:04:01
Speaker
range of organizations that are dedicated to lead generation effectively. So they find potentially vulnerable businesses. And what they're doing is effectively mass scanning the internet the whole, the entire time, looking for weaknesses that they know are reliable ways of breaking into businesses. And they don't, they don't target specific businesses. What happens is the business pops up on that at that point at the top of the funnel. And then that will, those weak potentially weak businesses will get sold on down further down the funnel for,
00:04:28
Speaker
to other organizations. So the people at the top doing that mass scanning, they don't want to break into businesses. They don't want to execute ransomware. They want to kind of stay away from that. They will just sell those leads down exactly the way like you would sell like a sales lead down to, you know, an account executive or whatever, and for them to actually make the sale. Those guys at the top would sell these leads down the funnel for like a ransomware group like Babuk or whatever, or REvil or Revel, I don't know how you pronounce it, to actually compromise and extract revenue from that target.
00:04:58
Speaker
And that's kind of how it happened. So that business in Warrington, they made a small mistake in one of their servers and that popped up on the sort of radar of these attackers immediately.

Common Mistakes Leading to Ransomware

00:05:08
Speaker
And then that got passed down further and further until they eventually ransomwared them and sort of extorted them. So you know, a payment request of a quarter of a million quid to them. And that's effectively at a high level how it happens. It's a very sophisticated industry. There is like,
00:05:23
Speaker
interview processes, there are CVs going around, they advertise for jobs both on the internet and the dark web. They sell the stuff on forums, like their collections of compromised businesses and stuff like that. So it's a very, very sort of sophisticated industry. And that's effectively how you go from being one in six million to getting compromised. You're basically in this funnel as soon as you make a mistake or someone else makes a mistake.
00:05:50
Speaker
that affects you. Do they still have a priority or preference as to who they go after? So would they still, once they get those leads through, focus on their large firm because it's potentially a bigger reward or is it anyone's fair game? Yeah, like any sales thing, no, they will have criteria. So for most of like our customers, the sort of the SMEs and the, you know, we're not talking about Amazon or Coca Cola here, right, who are going to be targets anyway, right? And for most of those,
00:06:18
Speaker
And yeah, it's, there's a, it's a target selection criteria, right? So it'll be like the ransomware groups will advertise on the thing. We want companies that are, have a revenue of more than X million. Usually around five or six has to be greater than a lot of them will say, we don't want healthcare industries. We don't want charities, that kind of thing.
00:06:36
Speaker
And, but then other than that, it's kind of fair game. And so what they do, then the people we have to worry about is, is what's called affiliates sort

Risk Factors for Small Companies

00:06:43
Speaker
of, effectively. Like, they're the gig economy, like they're the Uber drivers of, you know, the cyber crime industry. And they're the ones that are scanning and compromising these companies. And then they'll say, right, they'll match who they've compromised up against that target criteria that have been set out by the ransomware companies. And then they'll sell those
00:07:03
Speaker
compromise machines in those companies to the ransomware groups and they'll take a percentage then of the eventual ransomware. And interestingly, the affiliates get more of the ransomware payout. Typically, it's like typically a 70, 30% split.
00:07:17
Speaker
So yeah, it is, you might get compromised. Your company might get fully compromised, but never get selected because you don't meet those criteria. So, you know, that's why a lot of times we will see like, oh, somebody did something in your network, compromised your machine, but never went any further. And it's usually because of that, you haven't hit the criteria, but there's so many different groups that most people will fall into a criteria somewhere.
00:07:43
Speaker
you know, eventually. But yeah, it's exactly right, like you might not meet the specs basically for the ransomware group. Okay, so if you were, I suppose, let's say an SME, whether you're an individual within a company, you know, that one-man-band type of thing, or a small company, it might be five, six, seven, eight of you, what are the types of risks that that
00:08:06
Speaker
small type of company would face. I suppose they're less likely to be targeted in those types of things. If you're a small company, you're more likely to be targeted in a sort of like, what we call it, a more like a script kiddie type of attack, where it's more vandalism or, you know, they've just done it for fun kind of thing because they know
00:08:27
Speaker
Those ransomware groups are spending a lot of money to actually, they might dwell, they might compromise a company and then sit there for up to a year. We've seen understanding fully how the company works and how to extract the most revenue before actually executing the attack. So there's a lot of investment and if they know the payoff isn't there, if the company's too small,
00:08:50
Speaker
then it's going to be a different type of attack that targets those kind of very much smaller companies. So it'll be more like what we call cyber vandalism, that kind of thing where they're just doing it effectively for fun and just kind of break stuff. And then what they can do then is, even if you're small, you might have a lot of good data, right? You might have thousands of customer records in your database.
00:09:14
Speaker
And they can steal that and

Protecting Valuable Assets

00:09:17
Speaker
sell it. So that might be an angle. It really depends on what your assets are as a business. And that's how we like to think about security. It's like, what are my assets and how should I protect those? Because if you don't have any really important assets that are going to be useful for a cyber criminal to sell on, then there's not much point in that cyber criminal targeting you as a business.
00:09:43
Speaker
Okay. So it's really about that. So if you don't have good assets, you're going to just, it'll be like more worried about cyber vandalism almost. But if you do, then yeah, it's about like, right, what are these assets worth on the open market and how should I protect them? Okay. That's interesting. One thing I have seen, you know, a handful of times on LinkedIn is people posting about
00:10:07
Speaker
their email account has been compromised as an example. You know, someone's managed to break in and, you know, sent stuff out as them, posing as them. What's the type of scenario in which, you know, those credentials get leaked and someone gets hacked? And yeah, how do you protect yourself from that? Yeah. Okay. So that's a good question. There's kind of two primary ways I'd say that would happen. The first is and
00:10:33
Speaker
by malware or something on your computer, or, you know, a virus, whatever, that effectively reads your keystrokes as you log in or grabs stuff off your computer, or whatever it takes to get your details from your browser. So that's kind of a classic way. And you prevent that with the basics: don't, you know, have a good antivirus installed, or even Windows Defender, if you use Windows, is good.
00:11:03
Speaker
You know, don't use dodgy websites is kind of one of the big ones, to not put too fine a point on it. And the second way, I guess, it happens is that you get affected by another breach, right? So if you use the same password to log into multiple sites, which I don't recommend, it's really bad practice, but if you do, and say you use the same password to log into your Google as you do to LinkedIn, and then LinkedIn gets breached,
00:11:29
Speaker
A very, very common attack is for hackers to just grab all those passwords and try them against loads of services. So they'll grab your email account that's been leaked and say in a LinkedIn breach and try that all over the place on various services. And they get a lot of luck with that. That'll be the kind of two main ways that that happens. And does it matter, this interesting one of passwords, does it matter if
00:11:53
Speaker
it's a similar password, so it's not exactly the same with different sites, but I've added an exclamation mark or I've changed the letter at the start to be capitals rather than a lowercase. Is that effectively the same password? It's not great, but it's not the exact same, but most password spraying things will involve slight modifications to the password. In terms of passwords,
00:12:18
Speaker
Hopefully we're getting near the end of passwords being a thing at all. Started to see that in the second half of 2022, which is great where some sites have had passwordless logins and stuff where you just clicked it yes or no on

Password Management Essentials

00:12:30
Speaker
your phone. Hopefully that will become more prevalent over the next few years. But one of my main tips for security for everyone is using the password manager. I think that's basically step number one for being a lot more cyber secure than your average person is to use a password manager and then
00:12:48
Speaker
it just takes all that hassle of trying to create different passwords out of your hands. If one gets compromised, you're not too worried, because you've used a super random password on each different thing. If you take one thing away from this as an individual, rather than a business in terms of business strategy, but an individual, you use a password manager. Even though, I mean, LastPass got hacked, which is probably themselves. This way, cybersecurity is so difficult. But yeah, effectively, I used
00:13:17
Speaker
I used a built-in one in Google Chrome, for instance, which is perfectly good. And it works across mobile and desktop and stuff like that. So password manager is the way to prevent a lot of that stuff. And then to check if your password has been compromised and something, there's a lot of websites out there. But the famous one is Have I Been Pwned? P-W-N-E-D.
00:13:37
Speaker
Pwned is like hacker speak for compromised. I don't know. And then, yeah, that'd be kind of two things. So take away from that password manager and then check if your accounts have been compromised, which they have been, like a hundred percent. Everyone's email will be featured on there, Have I Been Pwned, and you can run your business emails and your company emails through there as well. Yeah. That's really interesting. You say that about the password managers. We use them here, but we
00:14:05
Speaker
with some of our staff and started looking at them from a personal perspective. And when they started putting in all their own passwords, they realized A, how many sites they actually use, because you forget how many things you've signed up to, you know, different e-commerce sites and stuff, but then how similar or samey the passwords were. And of course, as you say, one password gets leaked and then suddenly you've got access to everything. Yeah. And that's the thing is like,
00:14:29
Speaker
Hackers, like cyber criminals, mostly aren't geniuses, you know what I mean? They're looking for the easiest route in. And one of the easiest is just people who use the same passwords everywhere. So it's one of the things we look for during pen tests and stuff with clients that we check if their staff's passwords or staff have been reusing the same password across multiple sites because it's just a really, really easy way in.
00:14:54
Speaker
compared to, like, trying to, you know, write a sophisticated kind of zero-day vulnerability to get access that way. It's just, they want to go in the easiest path possible, and it's usually passwords that are that easiest path. I suppose things like
00:15:11
Speaker
not securely sharing passwords, if you've only got one login to an account and you just sort of send it over a text or email or something like that, it was not encrypted properly and, you know, the email gets leaked or whatever it is. Yeah, I always say when we do like tests on networks and stuff like that, one of the things we like to get on is Teams and Slack, because people are forever sharing passwords
00:15:32
Speaker
or, like, I guarantee if I went into your own personal Slack or Teams and your messages to yourself, there'd be passwords in there for sure. Like everyone's always writing them. So it's one of the things we do. Yeah. But yeah, ideally, everyone should have their own account. Yeah. We should know that account sharing shouldn't really be a thing. But
00:15:52
Speaker
Anyway, that's not the reality. No, no, fortunately. There's a lot of benefits of having your own accounts, it's just beyond security. It's, you know, seeing who's actually changed things so you can, you know, get lost. Yeah, exactly. What else can people do to protect? I suppose one is using a password manager, but if, I suppose even if then the password's, you know, lost somewhere, you know, someone gets hold of it, they've then still got access. So the thing, what about multi-factor authentication, is that something that you should always have on if you can? And what is it?
00:16:20
Speaker
Yeah, so this is another one of those.
00:16:23
Speaker
Brilliant steps that are really, really easy, but they make you just so much more secure than either the next individual or the next company that doesn't do it. So yeah, multi-factor authentication is effectively using a password and then something else. So that can be something you have or something you know, or something you are. So something you have is like a token or your phone or a dongle or whatever. Something you know is a second kind of password, I guess. And then something you are is like biometrics, like your fingerprint and stuff like that.
00:16:53
Speaker
So yeah, one thing to note is that if you're using it, SMS is probably the least good, but still a lot better. Now, so I use the authenticator apps on my phone, you know, which are, you get the six digits and stuff like that. And yeah, really, as an organization, you should enforce that on your accounts. So all your sort of like CRMs and all that kind of stuff where they
00:17:16
Speaker
where they support 2FA, you should enforce it. I've seen Twilio and stuff, I've seen some companies in the last few years offer discounts on subscriptions if you enforce 2FA. And that's because it really doesn't make a massive difference to security. So the Google one's great. I don't know if you use that, where it just pops up and says yes or no. Are you logging into the thing? It just pops up even on your lock screen. You just tap yes. It couldn't be easier. So yeah, MFA, those two things,
00:17:44
Speaker
There's like three or four steps you can take to make yourself a lot more secure. And the first two are password manager and multifactor authentication. And then, you know, a lot of, you prevent a lot of easy attacks that way. Yeah, it's just, we use that ourselves. I think one of the very good things is that a company admin as well is.
00:18:03
Speaker
on things like Google and other sites, you can enforce policies, can't you? So you can minimum password lengths and complexities and, as you say, use of MFA and stuff so that your team can't get away with using a three digit 123 password.
00:18:18
Speaker
Yeah. Yeah. Yeah. I mean, the whole the whole concept of passwords is a bit mad, you know, like there are terrible idea because humans are so bad at them. So we've kind of we've gone down that path now for like 30 years and trying to just come up with ever more complex passwords. So hopefully, like in the next few years, a lot of stuff will switch to passwordless logins and stuff like that, because it's a very weak chain in the system or weak link in the chain, I should say. And, you know, a single point of failure for
00:18:47
Speaker
the kind of security of your entire organization. But yeah, password managers and MFA can kind of mitigate against a lot of that. What are the other types of things that, you know, people can protect themselves against or be aware of? I've heard of things like social engineering campaigns, for example, or phishing and stuff like that.

Phishing Threats and Awareness

00:19:08
Speaker
What are they and how can people protect themselves more?
00:19:12
Speaker
Yeah. So, I think the general sort of public would be kind of aware of what phishing is at this stage. And phishing will be like a subset of social engineering, and social engineering is effectively an attacker trying to get you to do something that benefits them. So the classic example is they'll send you an email and try to get you to click a link in the email that
00:19:37
Speaker
and clicking that link will do something like bring you to a site that installs maybe some malware on your machine or gets a fake login to one of your sites or one of your admin sites so that they put in their username and password and then they have your credentials and stuff like that. So to protect your staff from them, it's all about awareness and knowing that they can take place.
00:20:01
Speaker
One thing that we do that's quite effective when we run training courses is we get staff members to create obviously fake phishing emails that target their other staff members, their colleagues, because they know them best. So it gets them to think in the mind of an attacker. So I know there's a lot of products out there like KnowBe4 and Curricula, and ourselves, we do like simulated phishing attacks.
00:20:27
Speaker
But there's just quite a lot of research to say maybe that's not the most effective way to do it. But we find that method, in terms of getting your staff to write phishing emails to each other and thinking about what would entice this person to click a phishing email, so like based on their interests or what they know about them. And so it's quite, you know, some of the output from that exercise is quite fully in, you know, it's a really good exercise to run, but it gets them thinking in the mind of an attacker then. And then when they get an email, they really kind of
00:20:57
Speaker
think twice before clicking it. And we've had metrics from our customers that we've done that for to show how much has improved their resilience to phishing attacks. So it's just about getting that mindset and being aware that these attacks are, you could get them at any point. Like cyber criminals love running those attacks on Thursday and Friday lunchtimes, for instance, because they know that people are like in a good mood and receptive to stuff at that point and not really
00:21:26
Speaker
thinking more about the weekend and not really in proper work mode. So they launch those attacks at that time, because it's the best time, you know, statistically, they'll get a better return on investment from those times. So it's really just creating that sense of awareness. And yeah, you can sign up to the services that do simulated phishing campaigns and stuff like that. But I like that exercise model.

Timing of Cyber Attacks

00:21:47
Speaker
It's something you can do yourself for free. And then it's really, really effective. That's really interesting. I haven't thought about
00:21:53
Speaker
The fact they do it at a specific point, I considered that maybe you're more likely to fall for it when you're busy. You know, cause that's the thing, if you're just trying to race through things and tick things off and get emails cleared. But it's interesting, you know, when people are a bit more relaxed in their job. Yeah. Yeah. And as well, like, there was quite a famous one involving Ryanair, I don't know if you heard about that one. It was a phone-based one. But what they did is they obviously knew
00:22:21
Speaker
Michael O'Leary's quite like a, you know, everyone kind of knows what his personality is. And they kind of leveraged that to kind of scare the target into changing bank details for a bank transfer. You know what I mean? So it was like, they knew that he would be, have such a position of authority in there, that the email wouldn't be questioned or the phone call just wouldn't be questioned. So that was another, it's another interesting one as well. That kind of leveraged the personality of the, of the person in charge.
00:22:50
Speaker
to get the administrators in there to do what they want. It's the high-vis and lanyard situation, isn't it? Look official. Yeah, yeah. Absolutely, yeah, yeah.
00:22:59
Speaker
Yeah, they're more rare, that's what we call physical social engineering. But we do do those exercises, they're a lot of fun. Yeah, the hi-vis gets you anywhere, a mobile phone, you can kind of hide behind it. That'll get you into a lot of places. Yeah, that's right. I've heard stories where people have gone through security tests, even for physical controls, like getting into a building. And the guy testing had managed to get to the person's desk. And he's like, did they not escort you through? And he's like, no, I came through the back door. Yeah, yeah.
00:23:30
Speaker
We did one a few years ago, and the consultant we sent in ended up getting invited to this staff Christmas party. They're so receptive to it, because people are generally nice, right? And they're friendly and helpful. And that's effectively what social engineering is all about. Attackers are preying on those characteristics of staff. That was very interesting. Another question I had.
00:23:58
Speaker
Because obviously you do loads of pentesting and vulnerability scans and all that kind of

Importance of Basic Security Protocols

00:24:04
Speaker
stuff. But when you go through and you speak to companies and particularly maybe with training and stuff, what are the common mistakes that you see people make? I guess from any angle of protecting themselves.
00:24:15
Speaker
Yeah, well, it's it's really interesting because no matter how many years this industry goes on for cybersecurity, people just it's the same mistakes over and over. And it's just the basics. And it's we've already talked about two of them, but people are still
00:24:31
Speaker
If you had asked me in 2010, will people still be sharing passwords and using the same passwords across sites in 2022 or 2023? I would have said, I really hope not, but here we are. It's really basic stuff. It's not patching your machines. It's having stuff exposed to the internet. It's using weak passwords on stuff that's exposed to the internet.
00:24:53
Speaker
A lot of it is security 101, right? And people just still aren't doing it. And it's because everyone's busy. I'm not criticizing. I run a business as well. I get it. It's really hard to, it's not what you're there to do, right? You're there to run a business and keeping your stuff up to date and having sensible things in places isn't kind of priority number one, but that's what
00:25:18
Speaker
That's how people are getting broken into and getting compromised. A lot of it really is basic stuff that can be prevented. But then the other side of the coin is what's really tough is a lot of compromises are because of a supply chain or a partner. So again, let's use that LinkedIn example. LinkedIn gets compromised and then you do because they have
00:25:43
Speaker
And so that's why service security is so hard, right? It's just like a lot of it is actually out of your control. You can become the victim of somebody else's mistake and then your company gets compromised or ransomware or whatever. So it's really hard, but in terms of stuff that's under your control, it's just do the basics, right? Keep stuff up to date, run some sort of antivirus, block malicious websites and teach your staff to be aware of social engineering, particularly phishing.
00:26:12
Speaker
phishing is kind of like the number one route in for, for ransomware gangs.

Supply Chain and Partner Breaches

00:26:15
Speaker
I suppose it's very easy to make exceptions and then forget you've shared a password and, you know, it comes to Stingy says it's. Turn on something just to get a file once or whatever, just turn on some FTP thing out on the internet and forget about it. Like stuff like that is very common. And I'm like, I think while.
00:26:40
Speaker
If it was me and I had a business to protect what I would do, have you heard of threat modeling? Do you know what that is? No, I don't actually know. So threat modeling is basically, it's a thing large organizations do, but it's effectively like, they've got a limited budget and limited resources for security, right? So you kind of say, well, what are our crown jewels?
00:27:01
Speaker
You sit down and think, what's the most important thing? What would I hate to be to get compromised the most? And for the likes of ourselves, it's probably our customer database, our software, stuff like that. And you start with that and you say, at the minute, I don't care about anything else. And then you think, what are the sensible security controls we should put in place for that? So you sit down and start thinking, I need to try and protect this whole business. It's very, very difficult.
00:27:27
Speaker
If you're just thinking that in terms of your assets, rank your assets in the order of how critical they are and how much you would hate to lose that asset or for it to be compromised and think about the controls from that and then go out in ever increasing circles. So there's no point in spending a fortune protecting stuff that you don't really care about if it's lost or not. That's the kind of approach we try to take with our clients. Just like, right, here's your crown jewels. You have to do everything you can to protect those. And then the next layer of stuff is not that important and so on and so forth. So is it a case that
00:27:57
Speaker
it's best actually just to sit with pen and paper and store something in the cupboard and not go online, because you're just at some point likely to get hacked.
00:28:12
Speaker
What's that? I think there's a phrase that the only secure computer is one that's switched off, or something like that, which is kind of nonsense because it's not really a computer anyway, I guess. But that kind of answers your question, in that that's not a business then, right? So that's what security is. It's a trade-off between, right, we need to do this securely, but we also need to operate as a business. I agree with you. It's back...

Effective Use of Cloud Services

00:28:37
Speaker
Protecting all the critical stuff and making sure it's backed up elsewhere and not able to be deleted or modified, and, you know, that kind of stuff, but if it's... because of your backups. Yeah, I'd say the good news is like, if you're a company and you have less than, say, I don't know, 60, 80, 100 people.
00:28:54
Speaker
And it's a reasonably straightforward operation that you're running. It's really not that hard to be, I'm not going to say to be secure, but it's really not that hard to be a lot more secure than your average other company like that. And it's just about taking those basic steps we've already talked about.
00:29:10
Speaker
And I would start with like a paper-based exercise of this threat modeling stuff and figure out what's going to... and then do the really easy stuff like making sure things keep patched. I mean, I assume you use like AWS or Azure, whatever. Yeah. So yeah, we're all hosted on AWS and we've got, you know, scanners, like your own, um, you know, checking the systems constantly for, um, potential weaknesses that can be fixed. And, you know, we've got all those types of processes that you've mentioned in place. It does a lot of, you know, password managers and
00:29:39
Speaker
Yeah, AWS and Azure are great, right? Because it's a whole thing that you don't need to worry about anymore. Keeping that stuff patched and all, it's kind of their problem. And yeah, you can take that extra level of assurance by using the vulnerability scanners and stuff.

Choosing Off-the-Shelf Software

00:29:53
Speaker
If you're a business looking for a software solution, and I'm not trying to plug Survey Booker at all here, but just as a general point, unless you've got a really, really niche requirement for software, are you better off
00:30:05
Speaker
using an off-the-shelf solution, from a security perspective, because they'll be focusing on those types of things? And therefore do you open yourself up to vulnerabilities because you forget to patch your software, or you don't necessarily know enough about
00:30:21
Speaker
certain security angles on the software? Is it better to look down those routes first? I'm not a developer, but for tons of reasons I would agree with that. But from a security perspective, for sure, because if,
00:30:37
Speaker
especially if you use a piece of software that's from a company that's reasonably reputable, they will have had to go through that pain of like pen testing and code reviews and stuff like that anyway. And you can ask for their pen test reports and, like, their ISO 27001. So I think, you know, their compliance, to ensure they adhere to certain policies and they have certain security standards in house. So yeah, a hundred percent, but it's a really good point: where possible, but make sure you see evidence,
00:31:04
Speaker
because about 70% of our business is testing web apps, and we find dozens of critical security issues each week in web apps. But that's a positive thing, because they can fix those before hackers have found them. So yeah, going back to your point, 100%. It's a really good idea, I think,
00:31:29
Speaker
for lots of reasons beyond what you said. Yeah, because I think one of the difficult things if you are building your own thing is, do you really want to be putting thousands into checking you built it right? You want to be just putting your resource into building a business and not worrying about how close you're going to fit. Yeah, yeah. Security will slow you down. That's a fact, right? And if you're a business, you've got to get something out the door to start generating revenue from it. So, oh yeah, 100%, if there's a solution out there,
00:31:59
Speaker
just use it. I think that's, I mean, you're the same as us, we're effectively a SaaS business now and there is nearly something for everything these days. Like, whereas we used to write our own like onboarding guides, let's say, you know, for when people first logged onto the platform, in the last three or four years tons of solutions have popped up, you know, where you can just do drag and drop and no-code solutions for that kind of thing. So, um,
00:32:25
Speaker
Yeah, that'd be an example of like, for us, writing code is a last resort, you know, and it's probably the same for you guys as well. But security is another benefit of that, for sure. So I suppose overall then, the basics are secure passwords, password managers to handle them, multi-factor, and then what was the last one? Yeah.
00:32:47
Speaker
basics like patching, and then that situational awareness we mentioned there. Just, you know, depending on the type of business you are, there's a lot of products and stuff like that. But yeah, if you've got something critical like a web app or something like that, get that pen tested. But yeah, in terms of day-to-day, it's the things you mentioned there, and then
00:33:11
Speaker
That exercise about writing phishing emails to each other is quite a nice little one that I recommend.

Creating a Security Roadmap

00:33:17
Speaker
And before you do anything technical, it's that thought exercise around the threat modeling. So start with that and then work from it, and that should effectively create like a roadmap for security for you. Yeah, interesting. So if you're a surveyor, go and look at what types of data you've got and why you're storing them, and which bits do you need to really protect and, for the rest, what do you not want to worry about so much? Yeah. And actually as an individual,
00:33:41
Speaker
And this is another thing we do. So imagine that concept of the crown jewels, like, so for an individual, your crown jewels are your primary email, right? So like, say if someone gets into my Gmail account, they're me effectively, right? Cause they can reset all my other stuff.

Protecting Personal Email Accounts

00:33:56
Speaker
They can, you know, use that to leverage attacks from, where they can pretend to be me and they can, you know, access
00:34:05
Speaker
almost all of my other accounts, if they get, if they compromised my Gmail. So I spend a lot of time and effort making sure that that single account is... because also it's my Google Drive as well, where I store a lot of, you know, documents and stuff like that,
00:34:20
Speaker
personal finances and admin stuff. So I really, really don't want anyone getting access to that account. So again, the password manager, I only ever access my Gmail from, you know, one laptop and my phone and that kind of thing. It's two-factor authentication, obviously. So as an individual, rather than at the business level, focus on that single account. That's like your crown jewels effectively. That's a very, very good point. Cause yeah, as soon as you've got access to that, you can go and do a password reset on anything. Yeah.
00:34:49
Speaker
more or less, yeah. So yeah, and just the small little thing is, if you can, rather than SMS use the authenticator stuff. It's slightly more secure; SMS can be spoofed and things like that reasonably easily. Interesting. Well, thanks for coming on today.

Contact Information for Connor O'Neill

00:35:07
Speaker
And then if anyone wants to get in touch just about security stuff and pen testing, where do they contact you? Yeah, they can go to our website, which is onsecurity.io, or I'm on LinkedIn, Conor O'Neill, with Conor with one N and two Ls; they get that wrong in the UK a lot. Yeah, and that'd be the main place where I'm kind of active, is on LinkedIn. Well, thanks for coming on, and we will, yeah, we shall touch base ourselves again soon. Cheers, Matt, good talking to you, I enjoyed that.