Transcript: A - Z of Tech Episode 3: C for Cyber Security


Louise 

Hello and welcome to episode three of our A-Z of tech podcast. Today, of course it’s C, and we will be talking about cyber security.

Felicity 

Louise’s favourite topic!

Louise

Absolutely. Felicity and I are joined in the studio today by Dan from the National Cyber Security Centre.

Felicity

Thank you for joining us today, I wonder first of all, perhaps, if we could just ask, why should people care about cyber security at the moment?

Dan

Well, that’s an interesting question. I think in the past it would have been a more difficult one to answer, but these days, because basically the internet is literally everywhere, so you get in your car, you drive down the street, your car is likely to be operating off the internet. You stop in front of traffic lights, and the traffic lights are likely to be operating off the internet. You are likely to be living in cities in the future that are heavily connected to the internet. Sometimes your kettle is connected to the internet, so the internet literally is everywhere, you depend on it, and actually you depend on it not just for your own security in terms of being able to ensure that it is secure, but you depend on everybody else’s internet being secure and defending their networks in order for you to be secure as well.

Louise

It would be really interesting I think for our listeners to get a little bit of an insight into what the NCSC is doing at the minute and what your priorities are?

Dan

Sure, absolutely. The National Cyber Security Centre is really the national technical authority for cyber in the UK. It was created in order to have a single place in government, where people could go for cyber security advice and cyber security expertise, knowledge and information. We do a number of really important things, one of which is to understand the cyber threat, understand cyber generally speaking, and to be able to convey that to the public and private sector and public sector obviously. But, we also provide quite a bit of advice, which is designed to help people understand how to protect their networks, and how to respond to cyber threats and generally mitigate them.

We also provide an assessment function, which is aimed at government, but it’s increasingly being aimed at the private sector as well, which will provide an understanding of how we see the cyber threat in overall terms.  We do quite a lot of work with industry to help them secure their networks and with government to help them secure their networks in a way that will generally make the UK the safest place to do business and live, and that’s the whole concept behind the NCSC, to make the UK the safest place to work and do business online.

Felicity

If we think about those consumers sitting at home, what are the most important things that could be hitting them at the moment, what should we be looking out for?

Dan

It’s a difficult question, because the way that the internet works, it could be pretty much anything that you could be exposed to, but I think the trend that we are seeing at the moment, obviously there is a lot of cybercrime that’s out there at the moment that’s hitting people, and that might be anyone trying to steal things from your bank account right through to people actually trying to steal your personal information and then sell that on cybercrime networks, or you might be actually hit by someone who is exploiting a vulnerability in an application that you use. You are not necessarily the target of the information, but they will steal what you have, and then use, I guess, sort of bulk data analysis to then identify how they can use that, and then they will onward sell it if they can possibly monetise it.

We do see a lot of ransomware about, which is like a particularly virulent threat currently, and hackers are getting better at understanding where to actually deploy that, in order to have the best effect. So, a lot of small businesses, perhaps who really see their client list as important, or who have important records or data that they need access to all the time, where actually locking that up with a bit of ransomware, would cause that business potential economic harm, and maybe in fact cause the business to go under over a period of 24 to 72 hours if they don’t have access to it.  People are getting client to try and pay the ransom in those circumstances and make that cost calculation between paying the ransom and potentially loss of business as a result of that.

That could be a person sitting at home as well - we have cases where some particular exploitative hackers out there, might for instance, deploy kind of malware that is designed to surveil what a person is actually doing on the computer, they might activate the camera to do that, and might record things or might steal information that they can use to blackmail the person into paying a ransom as well. So, we see all those sorts of things happen on a fairly regular basis.

We work very closely with the National Crime Agency, who are the lead on cybercrime in all of those incidents. We do our best to provide the right advice to enable people to prevent themselves from being exposed to those kinds of threats.

Felicity

I read that the NCSC removed 100,000 phishing sites and blocked 11,000 malicious domains last year, but will hackers always find a new way to do things, will they always find a way around these kinds of things?

Dan

Yes, hackers overall are trying to get access to something, so it doesn’t really matter what it is. So, effectively whatever they want access to is going to shape the kind of attack that they use. At the moment, there are a lot of software and hardware applications out there that are particularly vulnerable anyway. So it’s not really too hard for them to use quite commonly available tools and methods in order to exploit those. The more that those vulnerabilities exist, the easier it is for them.

Obviously, the more secure those applications and that hardware get, and the more savvy people are to the tactics and procedures that they might use to actually get those, then it’s, I guess, a bit of a race against the hackers in order to protect yourself, as well as a race for the software companies and the hardware companies out there to ensure that their devices are secure enough that they provide security for the consumer.

Now, hackers are also getting very savvy in terms of how they target people. Ransomware is one example where they can target anyone, anywhere, at any time, and get the same result, but you might have examples, where for example they target a finance department within an organisation, with what looks like a spreadsheet, and of course, somebody sitting within an accounting job within one of those finance departments, it might be a phishing email, it might look like a phishing email, but because they are doing that day in day out, they’re easy to exploit in that respect.

You have other examples, where for example, they might go after people who have administrator roles within IT parts of the organisation. By exploiting them they can get access to very sensitive parts of the network, and get sensitive privileges, and they will send them phishing emails with, for example, job advertisements for somebody who is an IT professional with very lucrative offerings, and that will lure them into potentially clicking on it.

With government departments, it might be a current event. So, send something to the Foreign Office, for instance, that might be particularly Brexit-themed, and use an email address that looks like it comes from a very legitimate partner or customer, and it is enough for anyone to click on it, because it is very difficult these days the way the hackers construct these things to identify there is a phishing email in the first place, but that’s a very detailed examination.

Felicity

One of your colleagues was telling me about an HMRC case to do with that, can you tell us a bit more about that one?

Dan

I think the problem is that HMRC is a very effective lure document for phishing emails, mainly because anybody in the UK, who is working in the UK is a customer of HMRC.

Felicity

And particularly this time of year.

Dan

Correct, especially when it comes to tax time, everybody is concerned when they get something that looks like it’s legitimately from HMRC, they are likely to click on it and that malicious attachment will then infect them and then so on and so forth, and it depends which particular hacker you get, as to what the exploitation is going to be as a result of that.

Usually, in those cases it is predominantly cybercrime that you see, but obviously it could be of equal use to a state-sponsored hacker or anybody else really, who wanted that kind of access.

Louise

So, actually cyber security then is really a combination of things. It’s not just focusing on the technical security aspect, but it is also about user awareness. Are there any tips or tools that our listeners could delve into, that will maybe give them a little more guidance on how to be a bit more aware around this?

Dan

I think the first thing that you need to do is use basically a complex password if possible, and separate passwords for all your accounts. I know that’s a really basic thing to say, but I think there are a lot of us out there, who would probably repeat passwords, because we’ve got so many accounts between Facebook, Instagram, our email accounts, our work accounts that we use, that actually we just repeat the same password over and over again. If that’s too hard, there are browsers out there now that have password managers attached to them that will create a very strong password for you that you don’t need to worry about. You can save that off so that next time you are asked if you want to authenticate you just use that same one again.

Two-factor authentication for your accounts is the other thing. Just to explain that a little bit, so you’ve got your username and your password, everybody has got that, and that’s the sort of thing that a hacker will exploit. The second factor really is to do with either something that you know, or something that you own or have, or something that is you. So, something that you know, for instance, might be a secret question that you don’t know. So, you put your password in, and your username, and then it would come up with a secret question to authenticate. So, if the hacker doesn’t have that answer, then they are not going to be able to respond. Something that you own might be, for example, a token that you get for your internet banking sometimes, where basically it will ask you for a number, you click the token, and the number comes up, and you put that in, or some banks use SMS, for example, for that, and they will send you a text message and you put that number in. Something that you are is biometric authentication - it might not be exactly looking into a special optical unit to actually verify you from your iris, it might be something like on your iPhone just using a thumbprint to authenticate who you are, and that’s a second-factor authentication.

That at least will make sure that no matter what happens, the hacker at least has to have one of those other things to authenticate in order to get access to your account, and that’s really important. Using a password like “fluffy”, or whatever your favourite pet’s name is, is really dangerous. You get access to anything from your Facebook messages to a whole range of different stuff if you’ve used that password across multiple different sites.

Louise

Having a password that is a complicated combination, is that to make it harder for an attacker to guess what it would be?

Dan

That’s right. There are a lot of automated solutions out there on the internet these days that will enable people to brute force, so they will allow people to guess passwords effectively. Most hackers worth their salt will have a number of these different tools available to them, and will deploy them, and that goes from state-sponsored actors right through to cyber criminals. Unfortunately, they have an incredible amount of success with them.

The other thing I perhaps didn’t mention in this regard as well is for the listeners out there to make sure that their apps and their operating system are kept up to date.

Hackers effectively, as soon as there is something exploitable, will deploy it. If you haven’t kept up with your software updates, or your app updates, they are literally weaknesses waiting there to be exploited by hackers. So one of the best things that you can do to protect yourself is actually to keep those as up to date as possible, so that they’re compliant with what the actual producer of the software or hardware is requiring in order for you to stay safe.

Felicity

You mentioned there state-sponsored hackers versus cyber criminals, perhaps you could talk a little about the different types of people out there, who could be looking to get into your information online.

Dan

Absolutely, so hackers come in all sorts of different forms and varieties. You have state-sponsored ones, you have cyber criminals, you’ve got hacktivists, you might have terrorists out there, of course, who are doing that kind of stuff.

It is worth saying that it is not all about espionage. Some of it might be about getting intelligence on other people, or other organisations; some of it might be about intellectual property theft. So, actually stealing information on technologies or products within organisations that can then be used to reproduce that technology somewhere else.

It might be for a disruptive purpose, so if you want to cause a non-violent and non-kinetic effect against another nation, you might do something that would be termed an offensive cyberattack, where you actually hack some system that’s critical, and either disable it temporarily, maybe that’s using ransomware, maybe it’s like using something more destructive that actually wipes the data or records, they control whatever the function is.

So, let’s say that the internet controls the traffic lights in a particular city, you might hack into the central system that controls that and then wipe that data or lock it up and disable it, thereby causing chaos in the city, might be an example of how that might be used. There is also economic theft and those sort of thing that cyber criminals do, or even state-sponsored hackers.

Then you’ve got the other kind of theft, which is more the general economic type theft, where it’s more information that would be valuable to actually exploit for economic purposes for another nation.

So, that’s the nation state actors. I’ve already spoken about the cyber criminals and how they might go after personal information or personal details, or in fact banking information they can exploit. Some of the senior, like organised crime groups are very specialised, and will go after whole chains of restaurants or whole chains of petrol stations, or something like that, will exploit a weakness, and then will effectively steal large amounts of money through those systems, sometimes through the salary payment system, and they will compromise every element of the network that they need to actually get that large payment authorisation out.

Hacktivists, you would know that Anonymous have been making threats recently against banks and government departments, etc. They are more a, sort of, activist collective, who have some hacking skills. Some of them might be, what we call, script kiddies where they actually just go on the internet, get rid of the available tools, and then use them to actually do some hacking without any special expertise.

Some of them might be very experienced hackers. They will basically hack for a cause, and often those guys are more about defacement than they are destruction or disruption of network, something more serious than that, although in the future we might see something more in that vein. Terrorists of course, at the moment, we mainly see terrorists defacing websites and having that propagandist effect than we do see them actually do any kind of disruptive or destructive attacks. The problem is, going to the future, I think, with the cybercrime marketplace, having so many dangerous tools available for purchase to the highest bidder, with the right access, terrorists could dip into that marketplace and then do things that we haven’t seen them do previously, which would be extremely disruptive or destructive.

Then you’ve got the individual hackers out there, who might be insiders within an organisation, who might know how to exploit a network, because they’ve already got some kind of access, and they are often the hardest ones to pick up. All of them are trying to get access in some way. All of them are trying to manipulate and exploit a network in a particular way that is going to gain them some kind of advantage depending upon what their actual purpose is.

Louise

Are there any particular trends you might be anticipating seeing over the next 12 months, when it comes to cyber security or anything that our listeners should be thinking about?

Dan

In terms of the people out there in the street, ransomware is proving itself to be an extremely prolific and effective means of garnering economic benefit for cyber criminals and others. I think, we are going to see more of that. In terms of protection, the sort of things that I’ve just mentioned, are really important.

On the ransomware piece, we do say that it is better not to pay the ransom if you can. There is some advice again on the NCSC website for individuals and families that gives you some pretty direct information on that, but again it is up to the individuals, what they feel like they can and they can’t do, and how they react. But, there is every chance that if you pay at the first time, we are dealing with criminals, they are likely to try and exploit you again, and if you are still vulnerable that’s where you are going to be exposed to.

Louise

Thank you very much Dan for coming in today and sharing some of your insights with us.

Dan

It’s a great pleasure, thank you for having me.

Louise

And now let’s hear a little bit from our colleague Alex about executive profiling.

Felicity

So, Alex tell us a little bit about the interesting work that you do here with CEOs and their personal cyber security.

Alex

We do a lot of work for businesses that are concerned about the risk that their CEO and their boards pose to the company, but also to themselves. So, we do a lot of work where we go in and provide questionnaires, where we sit down one on one with a board member, and talk through not just basic things like what are your email, what are your social media handles, those types of things, but we ask specific questions around their behaviour online. So, do they use the same password across multiple different platforms, are they using the same email to do online shopping as they are to do their personal email, is that the same as their work email.

Are they putting information out that they possibly shouldn’t be about what languages do they speak, do they do online gambling, or play games online, all of that sort of information that you don’t necessarily think of first and foremost when you are talking about cyber security. We get all of that information, go away and do some open source research to look at what can we actually find about their digital footprint online and then take that back to them, and sit down and explain what information we’ve been able to find out about them, and then how that poses a risk to both them, their family, and the business.

Felicity

Sounds super interesting. Are they ever surprised about what you find?

Alex

Yeah they are actually. So, a lot of them have obviously been through the standard social media training that you get. I am sure you’ve all done it yourselves. You sit down and you get told, lock down your Facebook, don’t put things on Twitter that you don’t want repeated, and put in a magazine, and all of those sorts of things, but they don’t think about the fact that all of those accounts can link to their family and friends. The information, a lot of the time that we find specifically people’s children putting on their social media that explains an awful lot about their life that they didn’t think you could find out. You get some interesting conversations that you have to have with very senior people around that.

Felicity

Yeah, it sounds fascinating.

Louise

And that blurring between somebody’s professional persona and their personal one is something that’s becoming more evident at the minute?

Alex

Yeah it definitely is, and a lot of people don’t realise the information they put online has a physical real-world consequence. So, it is not only, ‘well someone can use the information I’ve put out there to try and phish me or target me, and try and get to a company’ or, if they are a high net worth individual, then sell that way. But it’s things like, if they have put all over Facebook that they are going on holiday, and the whole family is going, there is an empty house there. These people are quite high profile, they are earning an awful lot of money, it leaves a wide open opportunity for someone to come and burgle the property.

You’ve had cases where people will talk to journalists and sit down and have a perfectly nice conversation, but reveal an awful lot of information about how they get to work every morning, what time they leave their house, what way they walk there. The information around their partners and their family, where they have dinner every week once a night, Tuesday night they go to this specific restaurant, and that sort of information, leaves them very open for targeting of - they might drop a USB outside the house when they know someone is about to leave, and they picked that up and put it in a computer, and they in fact did, or if there is any controversy around the business, they can be targeted for protest and attacks that way as well.

Felicity

So, we’ve probably all heard from loads of different sources all the types of things we should be doing to keep ourselves safe online, but do you think we are actually doing those things?

Alex

No is the simple answer. People are quite good about their own security, but they are not that great around their family, and their really close friends’ security. So, it’s advising people that they need to be aware of what they are posting about others. They can post whatever they want about their own lives, but when it comes to what other people are doing, they need to be a bit more careful, and it is educating your friends and family around that, because they don’t necessarily get the same exposure as you as an individual do.

On top of that it is separating out things like having work accounts and personal accounts. You have a work account where you put up all of your business material and that sort of information, and then have a separate personal account, which is locked down, very private, only your friends and family can access alongside you, so that you are then only sharing information with people that you trust.

Louise

Actually, that family angle is a really interesting one. When we think about, maybe, younger members of the family or children being online, we often think about it from their own personal security perspective. But also, interesting to see that flipped and think that actually they can themselves be putting out information, which can compromise other family members.

Alex

Yeah absolutely, so we see it more and more commonly now with young generations making all of their life so accessible, and not that I am any different, I have every social media account under the sun, but it is thinking about who you are wanting that information to be shared with, and trying to explain to them in a way that actually means something as to why they shouldn’t be putting every single thing they do, and every single place they go online for people to see and read about.

Louise

What are some of the main recommendations that you tend to give clients when it comes to keeping safe online?

Alex

We have a wide variety, as each of these engagements is obviously personalised very heavily, and so on top of your standard security hygiene practices that you should have in things like using different passwords and very complex passwords for all of your different accounts, we recommend installing a password manager, so you can do that and keep them in a secure location. You can have separate email accounts for things like online shopping, or if you want to do online gaming and things like that, have a lot of that on like an email account where you are not giving personal information as well. If you get spam to it and things like that, and people turn to talk about one, it doesn’t really matter.

Felicity

Separate from your banking, I guess, is probably quite important.

Alex

Exactly, keep your banking separate from all of those sorts of things as well, and that’s also a very key one with secure passwords obviously. Then making sure that you are very vigilant around the communications that you are getting. If anything looks remotely suspicious from any organisation, even if it’s someone that emails you all the time, but there is just something a little bit off or doesn’t feel right, call them and talk to them about it, and get a real-world person on the phone from a number that you have found from somewhere that you trust to check that sort of thing first. Then on top of having those conversations obviously with your family and friends and having separate work and personal accounts, they are the key things that we really try and get across to people.

Felicity

Cool. Thank you so much Alex.

Alex

You are very welcome, thank you for having me.

Louise

So, in this episode we have heard from two Australians about cyber security and hopefully some top tips and useful insight into how to keep yourself safe online.

Felicity

Are Aussies the oracle of cyber security?

Louise

So it would appear!

Felicity

So, next week we have D for Drones, we’ve got two great women that we interviewed for that, and Dr. Pippa Malmgren and Elaine Whyte from PwC’s drones team.

In the meantime, don’t forget to rate and review on whichever podcast app you listen on, and you can find us on Twitter. I am on @FelicityMain.

Louise

And I am at @LouTagTech.

Felicity

And we’ll see you next time!
