What do we learn and what can we teach from the cyber attacks happening all around us? Or do we just sit back and say, “there’s another one”? If among us we include the trainers and training designers, evangelists, and business leaders of this world, is it not our role to try to educate our staff (and potentially our future staff) in how to be more web savvy?
Every single day we see something in the papers or on the news about yet another attack. “The head of security at xxx has been hacked,” “GCHQ backdoor found,” “After Snowden, how vulnerable is…” We also see 300 thousand, 40 million, or 60 million credit cards or personal accounts or bank details hacked, stolen, accessed.
In the next breath the media publishes the top 20 most-used passwords in the world today. Top of the list is “123456”—seriously? Or how about “starwars”? Someone told me they could not remember their passwords, so they changed all their passwords to “incorrect.” When they typed any random set of letters or number into a password box, a pop up told them that their password was incorrect—ah, now they remembered it! Do you wonder we have some problems?
Thinking like a thief
To understand what we can learn and what to educate, we have to get inside the head of the cyber thief and understand a little of what they are doing. Sounds easy, but trying to explain what is really going on is an uphill struggle. Each time we get a handle on what is happening, the thieves do something different. I put together the following analogy to try to show the whole picture in the simplest terms. Once we have that picture we can move forwards.
Cast your mind back to the old Wild West where gun-slinging robbers, wearing leather chaps and a mask over their eyes, got off their horses and shot up the small town bank to steal the money. In those days there was a small room in the bank that held the cash. The thieves would walk in with guns blazing, fill a saddle bag with money, and ride off into the sunset with a posse on their tail. Come forward to today and the thief walks in and steals your data in broad daylight and has all the IT techies trying to work out where he went. Has anything changed?
So back to our story. To stop the gun-blazing attack, the banks realized they needed to build a vault for the money. These got more and more complicated as the decades went by with bigger locks, time locks, then bars at the windows, security devices, closed-circuit TV (CCTV), and now armed security personnel standing guard outside and inside when the bank is open.
The thieves got clever and stopped trying during the day with all this security. They started to work at night or weekends when the bank was closed, so they could not be seen. This is not too dissimilar to the cyber thief who comes in quietly and hides—not wanting to be found. To stop bank robbers attacking at night, bank owners put even stronger locks on the doors, followed by walls around the building (firewalls in the IT world). When thieves climbed over the walls or cut holes in them, owners made the walls taller and stronger. They added guards behind the walls 24/7 in the bank.
The walls however still don’t stop the occasional thieves. Over the Easter 2015 holiday, the biggest heist ever in UK history was attempted by a group of eight middle-aged and elderly men who cut through concrete walls and raided the most secure vault in London, only to be foiled by modern-day technology they did not understand: CCTV caught the leader parking his own white Mercedes convertible just around the corner, and the group called a cab for the getaway. They made a haul of jewels, cash, and other valuables worth millions of English pounds.
How does theft happen in the virtual world?
While a thief would be pretty obvious wearing a stripy black and white shirt carrying a bag labeled “Swag,” the thief embedded in software can’t breach the firewall or get past the antivirus without being recognized. The parallel in the online world to the guards in the bank is the antivirus tools looking for what they can recognize.
Now if the thief had worn the right color shirt or arrived in a delivery truck, with what appeared to be the right credentials, I bet the security guard would think he was a good guy and just let him in—once. After that, the guard would recognize the thief, so the thief would have to put on a different disguise each time he tried. This is what the modern day technology thief does: each time he arrives he looks different, has a different story, and has learned from the last time he got stopped. Each time the phishing email arrives, it is a little different, Nigerian princes have become free iPads and all sorts of tricks to get you to click—and there is a sucker born every minute of every day.
Our physical thief, having run out of different disguises looks for a different method and now, like the thieves in the story above, tries to tunnel in. Going under the defenses worked for a while too. However, by now the bank looked like Fort Knox and was pretty hard to penetrate. The cost of all this security had become so high that companies could really no longer afford it. So they buried their heads in the sand and just hoped it would not happen to them. In the IT world this is all too familiar.
Enter the scammers
Where are we now in our story? Are you getting a picture?
In the cyber world, we now have (figuratively speaking) pretty secure banks, deep strong vaults, and many security features. Guards all day and night, cameras, and everything else we possibly can have to keep them out. But the cyber criminal still manages to get in? How?
The latest techniques use the oldest, simplest methods. Fool the guard into opening the door for you. Hijack the delivery van. Break into the office of the company or contractor that maintains the air conditioning and see if you can find the access cards the workmen use.
There are other ways. If you saw a wooden horse approaching your local bank, a horse on wheels moving slowly and it looked like it had people inside it, you would know there is something not right. But we allow Trojan horses into our computers by accepting documents and PDF’s and USB sticks from people we do not know, and we open them without question.
“Not me,” I hear you thinking, but do you remember that last conference you attended? All those freebies? How many of them plugged into the USB port on your computer? We visit sites we know we probably should not, and click on links sent from our friends on social sites that supposedly contain a joke or sexy picture or some other lure. No different from that wooden horse outside the bank! And you are the accepting gatekeeper, duped to opening the door. Computing pioneer Rich Pasco has done a great job of compiling a list of scams: http://www.richpasco.org/virus/everytrick.html
Do you want to know how I would do it? Simple, really; you would win the competition at a conference and get a free iPad. I’ll even take your smiling picture as you are presented with it. Go back to your hotel and plug it into your laptop for me, will you? Some call me a little paranoid, but if you worked where I work, you would be too.
The big time thief uses more sophisticated techniques. They will find out, using social engineering, all about you, your company, where you have been, where you are planning to go. And then they will impersonate someone you know, mentioning things that you know that person knows, and they easily trick you into opening the door for them. They know you probably use the same password on Facebook, Twitter, and your bank, not to mention your office laptop.
The sad part is you probably won’t know you were duped, in fact you won’t even give it a second thought. (Have you done a stupid quiz recently on Facebook? Did you log in to get your results using your Facebook password? Oh, oh!) But what they have done is use you to gain access to your customers or clients. For example, recently a CFO was duped to transferring hundreds of thousands of dollars to a Chinese bank. This by an email seemingly from the CEO that said, “This is secret, don’t tell anyone, it’s highly sensitive information, but send a few hundred grand to an unknown account for me in China.” Without question the CFO did what he was told (I know it sounds farcical when you read it here, but this really happened). It was not until he got the next email that said, “great job, now can you do it again for a few million?” that he even thought to pick up the phone and ask the CEO, “Are you serious?” Reading this now in hindsight you would never have been duped like that, would you?
Don’t be the low-hanging fruit
Of course in the physical world the criminal looks for the easy win. That money or the gold bars or those high-value jewels are hard to attack in the vault. But when you move them, they are an easier target. Armored trucks delivering to Fort Knox are easier to attack than Fort Knox itself.
Here is where the fight back begins in our analogy. This is where the cyber companies are fighting what we call World War C (cyber). This is where you play a part in re-educating your staff as to what is good and what is bad.
There are many types of cybersecurity (actually there are very many, but few that are effective). Either you increase the defense and try to stop them getting in, or you accept they will probably get in, recognize them as they do so, and stop them taking anything out.
The first option is increasing defenses to stop them getting in; this is proving harder to achieve. Some cyber-security systems work by analyzing files to look at the signature of the file and comparing that against a database of known signatures. If you alter a file by just one byte you change the signature. But if your database of signatures is just a few minutes out of date, they are easy to beat.
Our armored truck delivering to Fort Knox handles money in cases that the operatives carry. They made the cases small on purpose so they carry less value, lowering the individual case loss in the event they are attacked. But now the operative has to make more journeys from truck to vault which increases the risk again.
The second option comes into play if you attack one of those cases. Try to open it without the right key and something explodes inside sending fluorescent ink (called SmartWater) all over the money and the thief, making the money zero value and marking the thief so he can be seen 100 yards away. He got in, he got the bag, but there is nothing he can use in it, and he is now easy to spot. This is accepting they will get in, but once they’re in we shut the door and make it impossible for them to take the data out. We fool them into a sense of security, so we can catch them literally red-handed. This type of security is a big enough deterrent to have lowered the attempts significantly. Why would they? They can steal it from you easily online.
A new alternative, and really a third option to this, is to use analytics. Here the cybersecurity companies watch everything in the world and understand from the data what the most likely next attack will be. We are ready for it when it happens. Big data analytics is not new, but is becoming one of the very powerful tools in the cybersecurity toolbox.
Our role is to start to build good training material to educate the end user not to use “starwars” as their password. Ensure they do not use it on Facebook, Twitter, bank and credit card accounts, and in your corporate network. They may store all their passwords in a file on their desktop called, you guessed it, “Passwords”! I know it sounds ridiculous, but it’s true.
Train your staff not to bring outside equipment into your network. “I never joined the network,” I heard one employee say. “I just plugged my phone into the USB port of my work laptop to charge it up while I was on the train.” So you have a BYOD policy at work? Are those mobile devices within your managed defense? Don’t have a managed defense? Time for a rethink.
We need to create a fun compliancy course called “Let’s be tech savvy”—something we all claim we are, but breach almost daily in one way or another as we have become blasé.
Use new catchphrases in your organization: “Think before you click” may be a good one.
We have to constantly drip feed new information to our staff to be vigilant, not to open documents, to check when the CEO sends you a PDF file with a new share certificate as a present. Not to plug in the USB stick with the Apple logo we found in the local coffee shop this morning, however tempting it may be. Not to click on the million-dollar giveaway, especially if your brother sent it to you. Don’t do the mindless quizzes on Facebook that require you to login. Understand that the picture in your email of the hunk with a six pack or girl almost naked is a red flag waving frantically to say STOP.
I suppose I have to ask, how did you read this article? If it was on a link in LinkedIn and was posted in my account, you’re probably OK. If you saw it in a magazine that you trust, such as Learning Solutions, don’t panic—it’s safe. But if someone sent you a link, or attached it as an email—“great article by…”—you may want to check who the sender really was.
[Editor’s Note: While I was editing this story, an email arrived with great news: “BFTSPLK JACQUELYN shared this with you. Catherine just sent you $2,223.00 with PayPal!” No, thanks, Bftsplk Jacquelyn, I didn’t even open the email.]