[Music]

We tend to think of hackers as individuals who perhaps work out of a basement, and there's pizza boxes scattered everywhere and they never see the light of day, when in truth, in actuality, the average hacker is a full-time working employee at your local business. They are perhaps even high school students or college students. And so when we face something like the COVID-19 pandemic, we have to imagine that while we are basically in quarantine in our own homes, where is the hacker? And that's why in the cybersecurity industry we fear that there may be more of a risk now than there was two, three weeks ago, as these hackers who previously were spending their day elsewhere and hacking during the weekends and evening hours are now spending their entire day working on exploits. Here to speak with me about some of the concerns that we could raise and some of the things that we should know about the dangers of the work-from-home environment is cyber security expert Stephen Cobb. Stephen, thank you for joining me.

Well, good to be here, Robbie.

Stephen, I alluded to some of the concern in the cyber security industry with the fact that we do expect an elevation in the threat level when it comes to cyber security, right? And part of that comes from our need to work from home. There are so many different technologies that we should be tapping into and that companies are tapping into. Can I just give you the opportunity, to kind of open the floor to you, to discuss how these technologies can be not only helpful but also dangerous in our organizations?

Right. So I think, as you alluded to at the beginning, the activity of what I would call criminal hacking, I mean, these days I just tend to go to criminals, you know, criminal activity, I don't think it's taking a break, although criminals may be working from home now more than they were, because a lot of criminal hacking is pretty organized and, you know, takes place in a structured environment in many cases. But through this disruption, from
the earliest outbreak news onwards, we've seen a willingness by some criminals to exploit this. Some of the first things we saw were using the virus as a bait to get people to open phishing emails, you know, phishing emails which were sent to trick people into loading malicious code or visiting malicious websites. And so we can assume, based on past experience of crisis situations, that there will be part of the criminal element which will try and use that. And for people who are working normally in an office with an IT support group either on the phone or down the hall, they're not as exposed necessarily to that activity as when they're at home. When they're at home, typically a lot of employees aren't doing company work, and so you've got this situation where people are in a different environment, potentially using technology they're not familiar with, and being potentially subject to attack by criminals in some form or another.

Now, one of the things that's interesting about the term "work from home" is that it encompasses a wide range of technologies, and I think just about every organization and every company has it set up somewhat differently, and depending on what that organization does in its day-to-day operations, it may be more or less prepared for this situation.

Right. I was thinking, at my last employer you had maybe twenty-five percent of people who were fully authorized to work remotely most of the time, then you had maybe another twenty-five percent who worked remotely some of the time, and then you had the rest, who are mainly office based. Each of those groups had a different technology structure. In some ways the software they used to get to the company resources was different, and different levels of experience with that hardware and software. And so, for example, the sales team out in the field, they were pretty up on how to get into systems they needed to use, they were pretty savvy about security. My former employer was ESET, a maker of
security software, so I think they got a lot of training on that. But you have maybe 50 percent of the North America group for this company, and any typical company, I think you've got probably 50 percent of the people at least unaccustomed to using their computer at home to do work. I'm not talking about just dialing in to get email, I'm talking about doing their day-to-day work.

Right.

We have various technologies for that: Remote Desktop Protocol, remote access protocols and so on. And so because this shift to work at home has come very quickly for some of these people, there's a concern, and I'm certainly not... yeah, many, many of my colleagues in the profession have expressed this as a concern, that people are not properly trained on how to do this securely, on how to avoid common pitfalls. In many cases the workers at home now have left a kind of secure environment to do their work. So I have to say there's been some very impressive work by people in the InfoSec community to provide online tips and advice, to write articles and blog posts and, you know, help raise awareness of this problem and help provide solutions. But one of the weak links here, I think, is going to be actually IT departments themselves, because they've also got to deal with this whole virus problem in their family lives. Now they're being asked to shift maybe their focus of work, to take on more work, to support more people. I mean, if you think of half a workforce at a company using technology they're not familiar with, you know, that's a significant potentially in support calls. And so I think, you know, we have to look in, you know, good stress factors there, and then also we have to look at stress factors on the systems. We're seeing Nike shoes...

Yeah, like your face is occasionally freezing a little bit, and there's conversation...

Oh yeah, yeah. And we've seen, I'm in Europe, I'm in the UK, which is still in Europe for the moment, reduction in picture quality on streaming services, which
companies like Netflix have agreed to, to alleviate the problem. About a week ago a colleague in Manchester, which is a big city in the north of England, said bandwidth consumption in the city was running 10% above what it was.

Wow.

I, you know, I'm on a potentially 360 megabit per second fiber connection. Some parts of the UK have very good connections, there's not so much, but we're quite lucky where we live. But the performance of that has really been drained by jumps in usage certain times of the day. You know, it used to be people coming home from work, starting to stream stuff at home, would produce, you know, a buildup of demand in bandwidth, and then everybody had to slow down a little bit. Now you're seeing some of that during the day, because you're getting this bandwidth shift to different parts of the network.

Right.

So company internet connections are handled through big data centers and, you know, at different levels, service provider from domestic, and so, you know, you've got the shift of traffic into networks which are not as prepared to deal with it as, you know, main providers. So we've got a lot of these issues. What I fear is employees who aren't, you know, recently updated, shall we say, on their security awareness training.

Yeah.

I mean, they joined, that's three years ago, and...

Can I put a slightly different perspective on it as well, Stephen? In that, you know, we're thinking in the context of, OK, so coming from a company like ESET, as you mentioned, your previous employer, it's a big company, thousands of employees, they're obviously very security conscious, and a lot of the folks that work there understand best security practices, and you have training in place. But looking at this shift that is a result of COVID-19 and the government decisions around protecting its citizens, we're talking a shift entirely from those big businesses who have fifty percent of their workforce working in the field to
mom-and-pop shops, to every little IT firm that normally just provides walk-in service, to contractors, to builders, to all these different industries that now need to still be able to operate their business, but they're being told, stay at home.

Yeah.

So these are people that are not so cybersecurity conscious, they're not trained in cybersecurity practices. And so how can we as a community, and how can we as a podcast, help to provide some advice, I suppose, to those users who are now thrust into this? Like, nobody saw this coming, nobody knew that we were going to be working from home halfway through March, right? What can we say to those individuals?

So I think there are resources available, and, you know, referring back to ESET, they have a very good security awareness training program that anybody can sign up to use for free, and there are a number of companies, quite a few now, that offer, you know, the basic cyber security awareness training. Good training lets you know what the threats are, you know, why is this happening, so that employees will know, I like to put it, you know, the extent to which criminals will go to abuse systems, to steal information, to ransomware systems, that is, hold them up for ransom, and then the things that they can do to protect. And if there was one thing I would say, it is: understand what phishing is, understand what the email threat is, because that's still one of the preferred methods of attack, attack vectors as we say. Look at your email. And it's quite interesting, one of the effects of this crisis has been, and various people have remarked about this, an increase in the emails that you're getting from people who you kind of remember or maybe don't. I mean, clearly there are companies around the world who are emailing everybody on their mailing list, or anyone they have ever had contact with, to say, hey, we're here to help, we're you in COVID-19 is making this difference, and only some of these messages are
great, and some of them are important, some of them were for products you don't own anymore so you're not so interested. But what you've got is an email situation which is rife for fake emails, where, you know, with potentially the offer of updated information on COVID-19, "check the latest cures for COVID-19"...

Yep.

...alluring titles in the subject matter that people are going to be tempted to click on, if those have got through their email service and their security software. I think, whether it's a company decision or an individual decision, you have to be running a really good piece of security software, a security software suite, on your system. Now, you know, Windows comes with some protection built in, but the different methods of attack and approaches of attack need to be covered by a security software suite. One of the things that we see with less experienced users and smaller companies is that they may be under the impression they've got security software because there's a logo on the desktop for the product, which was there from when it was installed. And I can see from the look on your face...

Yeah, well, you know, I hear about it all the time, Stephen. "Oh yeah, no, it says it has anti-virus."

Yeah, there's the logo on the desktop for the antivirus program. When you click on it, it's expired, or it's running but it hasn't been updated in 12 months. You need to be running a piece of security software which is constantly checking for new threats. A good piece of information, which again a lot of people aren't aware of, is that companies like Google and Facebook and the providers of browsers and Internet service providers and all of the security software companies are constantly sharing a vast amount of information about these emerging threats. So if a criminal sets up a malicious website to try and trick people into getting infected with malicious code and taking over their system, that is detected, these days often very, very quickly, and as soon as that first detection
happens, it's shared around the world, and if you're running a good piece of commercial security software, it's going to get that update. Your browser, you know, all credit to, you know, Microsoft and Google and Firefox, the main browser makers are in on that. So if somebody discovers a new malicious address, that's updated in the browser, so you see these boxes come up saying, you know, "don't go here."

Yeah, "don't proceed." "Oh, OK, can I proceed?"

Don't proceed when it says that.

Yeah.

So, being careful about what you click on in an email...

Yeah, yeah.

...and making sure that when you're looking at an email it's legitimate, or it's serving some important purpose, and you know who's sending it. Listen to the things it says in your computer. If your security software says don't go there, don't go there. It's not OK to, "oh, I'll check it out anyway." You know, that alert is coming up for a reason. There are very few false alerts on these systems, and, you know, you can pretty much guarantee that if Google Chrome says don't go there, you shouldn't go there. What some people, you know, companies from my bank, well, if your bank's trying to get in touch with you, go to the bank website. Open a new browser window, a new browser tab, and manually go to the bank.

Yeah. Can I just say, this is revealing some really interesting aspect of social engineering, Stephen, which is when we realize as users, as computer users, as network users and users of cloud services, that hackers are watching for the things that are going to trick people. So you're making me think, yeah, when I click on a link that's more information about COVID-19, I'm thinking, oh well, I can distinguish with my mind, because I'm smart enough to determine whether this is fake news or if this is legitimate scientific news. I feel like I can make that distinction. But what a hacker will do, and what a social engineer will do, is they'll use those types of websites to then infiltrate a system. So it may look like it is supposed to be this, and
you're talking also about banking, but it's a way for this malware to get in as well.

Yes. And in fact, you know, Johns Hopkins University in America has been doing a lot of tracking and is kind of the go-to source for a lot of information on COVID-19, and early on their map, I think it was of infections, was taken over or abused by hackers.

A criminal hacker.

Yeah. So it's not just a question of, is this fake COVID-19 information or is this legitimate information, it's: is the source, the legitimate source, safe? And so it could be legitimate, like phishing scams, it could be an exact copy of legitimate information. So what you may see in your browser sometimes is, you've looked at an email, it looks legit, you've clicked and you've gone to a legitimate site, and that site's been compromised. Again, this background updating and sharing of data about malicious activity will often catch that. So you may be in a situation, I think you raise a good point, Robbie, you've gone to your known source, but that known source has been compromised. You get a browser warning that says don't go there, and you go, "but hey, it's a legitimate place." Those are kind of transient, because what will often happen is, you know, the legitimate source has been compromised, we will find that out fairly quickly and rectify the problem.

Sure.

And I think, and then this sounds really like a forever, but it's not a happy thing to say, but we can sit at home just clicking away merrily because we're at home.

Are we? You know, we're not at work, we've got to pass the time somehow, Stephen.

Yes, but don't do it by, you know, being daring on where you go on the Internet.

Yes.

I mean, there are many studies over the years that show that.

Right.

And I guess, you know, this would be potentially something that's not in your standard security awareness, is there's a strong correlation between certain edgy behavior and infection of systems with malicious code.

Right.

So, let's say adult websites. Now,
interestingly, a lot of adult websites are very, very secure, because they know that, you know, they're a target, and they want to build trust with their visitors. But if you're looking for stuff that's free, stuff that's edgy, stuff that's pirated, stuff that's copyright infringement, then you are exposing yourself, because that's an area where, for example, we've seen this in torrent services in the past, where people are like, "wow, I want to see that movie, it's not available yet legitimately, but if the pirated version is available, I'm going to get a torrent player." Criminals love to infect those. "I'm going to stream this file." Criminals like to infect those.

Yes.

In some way. I saw an article recently, and I'm afraid I can't credit the person who wrote it, because I can't remember who it was, but criminals are ace marketers. They're monitoring the trends. You know, they're going, hey, you know, there's a game come out recently about crossing the road, right? Animal Crossing, I think the kids call it. Animal Crossing, is that right? Am I right, kids?

Yeah.

So, you know, tips on how to win on that. If you google that, there will be an attempt going on, I bet, that the strategy of what's called search poisoning is going on, where criminals will use various methods to get their search results for their site that they control into the top search results. This isn't COVID-19 related, but, oh, I don't know, three or four months ago I was looking for a map of the world, and right in the top 10 search results for, you know, map of the world was an infected site. And there's some bears, and sometimes when I say there's somebody doing something, I actually mean an algorithm is doing something. But there are algorithms which look for the most popular search topics. Marketing people use those for legitimate purposes, but then criminals use those to find what people are looking for. And, you know, when a particular singer becomes popular or a particular actress becomes popular,
search results for pictures of them are a great way for criminals to get you to click on something that they control.

Hmm. So let's take what we've learned here in summary and bring it together into something that's very relevant for our small businesses, for the medium-sized business that's being impacted by everything that's going on in our world today. We've learned that hackers are smart. Let's make a distinction that we're talking criminal hackers, because we don't need to implicate the people who are hacking for good, right?

Sure, yes.

So maybe that's a generalized term at this point. So criminal hackers are smart, they are intelligent, they are good at social engineering, which means basically they monitor those trends, they understand what kinds of things we're thinking about and what kinds of things we're looking for. So putting that into perspective here, Stephen, you used the example of the BitTorrent downloads and maybe trying to find illegal copies of movies and things. But maybe I'm not a lawbreaker, maybe I'm not looking for those illegal things. But I'll tell you what I am looking for right now: my Google search is going to be for things like, for example, free remote desktop, free work-from-home software. And the social engineer, criminal hacker, is watching for those kinds of trends and saying, there's an opportunity for me to provide some free software.

Right.

Once that gets into your system, I mean, right now we're working from home, our computers at the office, in our business, are basically free for all for outside attack. So I have one customer in particular who I'm thinking of, who called me up and said, "oh, I've got work from home settled, because I installed VNC on my computer and I opened the port in the firewall."

Right.

So now that computer is accessible from anywhere in the world, by anyone, if it's not done properly.

Yes. And I think the point here is that if your company hasn't, or your organization hasn't, supported working from home before and
you're just setting it up now, you need to get professional advice. That's possibly going to be on the phone or online, not in person, but you want to get this done properly. I'll share a statistic with you, kind of a fresh statistic. I happened to think about this problem back in the beginning of the month. RDP, we mean Remote Desktop Protocol, as you know, is one of the ways in which remote access is enabled to systems, and I studied this in the past, and I would refer people, if you don't mind, to welivesecurity.com, which is a great website with security information. Just use their search: RDP. Because this is a widely used protocol which is often used insecurely. So one of the clues is that if you set it up and you can be seen by other people to be running that, if it's clear that you've got the default port for that open on your systems, you possibly haven't done it right. Not every visible port is insecure, but I thought, OK, let me just see how many are running RDP. I'm, right, use a tool, a legitimate, legal tool, to do this, because a very basic piece of information is, every computer on the internet's visible to the Internet in some way, and there's scanners which look for that. March 6, there were three million systems where the default port for RDP was visible.

Right.

I checked before our conversation: four million two hundred and forty thousand. So people are turning on remote desktop in order to be able to access their computers from home.

Right.

So we've seen a 40 percent increase in the number of visible systems running the default port for this. And I want to be clear, they're not all insecure, but my chances as a criminal of finding one that's insecure have just gone way, way up. I've got a 40 percent better chance then. And from my own work I know that, you know, even when there were just a million, you could very quickly find one or two in a particular area, and this is all geographically located too, so
you know, if you were a criminal targeting people in Philadelphia, you can find who's got their port open in Philadelphia.

And if I can say, Stephen, my concern with remote desktop, RDP being the protocol, so on your Windows machine, turning on remote desktop, is simply the fact that somebody could be brute-forcing your password and you'd be none the wiser. So eventually they get in, and because you're working from home, you don't even realize that they're accessing your system. Can I suggest that without two-factor authentication we should not consider any work from home safe?

And this comes back to your previous point. If you're setting up remote access, whatever software you're using, first of all, it needs to be legitimate software, and some operating systems come with legitimate built-in tools, there are products that you can purchase, but it needs to be legitimate and it needs to be installed properly and installed securely, and that means more than a password to protect it. Now, you could do things like limit the number of times somebody can try a bad password, but you really shouldn't have a password-based authentication remote access system. You should be using something that's two-factor, and by that we mean, roaming, we mean something which generates a code that you put in to access, and it's something you have that the criminal can't. And a lot of people are familiar, fortunately, through things like Facebook and other sites turning on two-factor authentication. People know what it means, they know it's important. You get a code on your phone, and that's something which a criminal can't do unless they've got your phone. And so there are ways to secure this, and you can do remote access securely, but you need to have it configured correctly, and the person who's using it needs to know the things that they shouldn't do while they're using that system which has that capability.

Right. And you
mentioned just the fact that, and I alluded to the fact that, we're not all tech savvy. So I may not know how to set it up securely, because I don't, you know, I do, but maybe you're thinking to yourself, "I don't know how to do that." And Stephen, you mentioned that maybe we should call some professional to help us with that, and I think that, you know, you say, "well, I don't know who to call." And I think it's important for us to remember as a global society that we're all in this together, and that goes for the mom-and-pop shop, that goes for the 2,000 user networks, and that goes for your IT companies in your local community. IT companies are seeing the exact same shift. We are spending a great deal of our time assisting people like you in order to get a secure, safe remote work-from-home environment set up. That's what we're here for right now, for our community.

Yeah, I think the trusted managed service providers around the world are, you know, stepping up. I've seen a lot of professionals online stepping up, helping out and so on. I mean, one thing you could do is, say, if you for example use Twitter, you know, say, "anybody out there available to help with remote access, small organization, hashtag InfoSec" would probably get somebody's attention. You know, there are people, I know some people who've been laid off in IT because their company's basically shutting down for a while.

Yes.

Some of them are volunteering to help out, and, you know, those of us who have knowledge to share are willing to share it and, you know, stepping up to do that. It would be good if people had the sense that they don't have to go this alone, that, you know, if you've got a hardware store and you've got a small workforce that could do some work remotely, they're doing it for the first time, don't feel bad that you don't know how to do this. You know, I'm not gonna try and fix this piece of my house that's broken without a professional. Try and reach out, get a professional to help set
this up. I don't mind admitting I don't know how the gas boiler in this place works, I need a professional to service it.

Yeah.

I think we do see many examples, you know, online and in the media, of people stepping up to help, and I think reaching out and asking for professional help is the way to go if you need it, if your company hasn't been doing this for a while. You know, and as we talked about earlier in the area of security awareness education, there are free resources out there. You know, if you're a manager and you want to bring people up to speed, look online for free security awareness training. Check it out, make sure it's a legitimate company. I have no financial stake in ESET anymore, but they've got some good stuff, and imagining the process of making a list of these to post on Twitter, and to send an email to employees, I mean, if there are employees who don't have as much work to do as normal, now would be a great time for security awareness training.

Yes, yeah. And I'm just gonna say, I mean, I don't want to send mixed signals, because we're telling you, be really careful what you're searching for, because the criminals are out there trying to socially engineer you, you know, and trick you into clicking the wrong links. So what we're going to do is, we're gonna provide some of these resources for you that we already know are trusted and true. We're gonna provide those at blog.endpointsecurity.ca, and those will be available to you just to help give you a good head start at some free resources that you can just click through, and it will provide some descriptive text there to help you to find what you're looking for.

You're good.

Stephen Cobb, I appreciate you so much. I'm so glad to see you again, and you're looking well.

Same back to you, and take care of yourself and your family, and I think we'll keep fighting on.

We're gonna see this through together, folks.

OK, take care. Thanks, Robbie.

Thanks so much, Stephen. And thank you
for joining us this week. I hope that you've taken in some great information. Again, those resources will be on our website, so be sure to check those out as well. In the meantime, I'm Robbie Ferguson for the endpointsecurity.ca podcast from Positive E Solutions, and I wish you and your families, your staff, your loved ones all the best. Take care during this time, and we'll see you again very soon. Bye for now.