Rocket IT Business Podcast | Eric Henderson | The Anatomy of a Hack | Ep 15

EP15


Last year, around 1,500 major business data breaches and countless smaller ones occurred in the U.S. alone. Interested in learning what caused a majority of these attacks? In this episode of the Rocket IT Business Podcast, our in-house cybersecurity expert provides audiences with the inside scoop on a slew of new and unusual threats hacking groups are using to infiltrate business networks.

Through this interactive discussion with Partnership Gwinnett, attendees are bestowed the knowledge needed to pinpoint flaws in faulty security plans and feel confident knowing how to prevent a hacker’s malicious intent.

In This Episode, You’ll Hear More About…

  • How to identify threats
  • How to mitigate the success rate of cybersecurity attacks
  • What to do if an attack makes it through your security
  • How to prevent future cybersecurity attacks from occurring

Contact Information

Rocket IT | podcasts@rocketit.com | 770-441-2520

Partnership Gwinnett | partnershipgwinnett.com | 770-232-3000

Resources Mentioned

DMARC

Sophos

Authy

Like What You Heard? Give Us Some Feedback!

podcasts@rocketit.com

Show Notes

Adam Forrand (00:00):

Good morning, everyone. My name is Adam Forrand. I’m the Vice President of Education and Talent Leadership Development here at Partnership Gwinnett. We’re so glad you joined us this morning for the anatomy of the hack.

Intro (00:20):

[Music Plays]

Adam Forrand (00:21):

And today we are very thankful for the support and partnership of Rocket IT. And for those of you that may not be aware or have knowledge of Partnership Gwinnett, we are the economic and community development initiative of the Gwinnett Chamber of Commerce. Our job is to recruit and retain and expand business in Gwinnett. One of our five target sectors is information technology. We’re very pleased today to focus on this particular issue, this particular challenge, during a time of vulnerability across our systems, and very pleased to have the expertise and knowledge of Eric Henderson, who is the Vice President of Technology at Rocket IT. So without further ado, I’d like to welcome Eric and have him introduce himself, and we’ll carry on with the topic. Eric.

Eric Henderson (01:08):

Good morning, everyone. My name is Eric Henderson, as Adam mentioned, Vice President of Technology at Rocket IT. Rocket IT is an IT services firm in Suwanee, Georgia. Our purpose is to help people thrive. And so we have worked very closely with the Chamber of Commerce, and Partnership in particular, over the last 10, 15, 20 years. Today we’re going to be talking about the anatomy of a hack, what it takes to stop a threat. So many cybersecurity presentations are very theoretical. They’re just talking about what Eric thinks is best to stop a hack; they’re not based in any sort of specific event. And what I have learned, and I think what my colleagues at Rocket IT have learned, is that because the cybersecurity environment is changing so rapidly, we have to learn from things that have actually happened. We have to learn from people in our community.

Eric Henderson (02:06):

So key is a member of a number of peer groups. And the motto of almost all of these groups is, hey, if you hear about something, tell us what happened, you know, distill it down to three things that you learned from this event, and share that with your peers. And so that’s what we’re doing today. This isn’t, you know, an IT company to another IT company; this is an IT company to members of the Chamber and people that work closely with Partnership Gwinnett. So we’re gonna talk about four main things today. How do we identify a threat? How do we mitigate the success rate of a hack? What to do if an attack makes it through, and then how to prevent future attacks from occurring. In many areas of my life, and certainly in the area of IT security, we take kind of a consistently evolving approach.

Eric Henderson (02:57):

So we say, okay, we’ve got a set of technology standards, they’re working fine. Oh, okay, something happens. All right, well, what do we do about that? How do we adapt to that? What did we learn from that event? How can we improve to make it a little bit better? And so that’s the whole model for today. All the questions we’re going to ask you and everything we’re talking about is built on that particular idea. So, a quote here: those who cannot remember the past are condemned to repeat it. And the world is proving this true, you know, very heavily when it comes to IT security right now. There was news earlier this week that the Honda Corporation, Honda that makes automobiles, Honda that has a massive customer service division, that has a massive financing team, was hit with a cyber breach. And they are very quiet on exactly what happened, but they had to stop production.

Eric Henderson (03:52):

And if the attack was bad enough that it stopped production, it had to hit some very, very critical systems to Honda’s operation. And so they’re not the first to get hit. They’re not going to be the last. The best we can possibly hope to do is just learn from what happened to them, and then what happened to people even much smaller and closer than that. So we’re going to do a case study today. This is an event that actually happened. This is an event that I was personally involved in helping with the remediation on. We probably spent 300 or 400 hours of labor in about three weeks, among a whole team of individuals, handling this particular event for this organization. In fact, about them there, I’m going to County, 450 plus employees, a million dollars a year in annual revenue. When this event occurred, it was a single attack.

Eric Henderson (04:48):

And the total cost estimated was around $1 million in both lost time and stress costs related to the attack. So which of these three things caused the particular problem? Three options were on the table, right? Fraudulent email. So a fraudulent email would be a phishing email. It would be some sort of attack. Too many permissions. You might think, oh, well, why would it be too many permissions? Well, some of the largest breaches that have happened, the one that hit experience, the credit reporting agency, was because they had a database of an entire country’s worth of people’s financial information. And that database was just sitting open on the web. So as silly as that sounds, it happens all the time. And then the third option, and this is one that doesn’t get as much attention, but we’re going to talk a little bit about today, is an insider threat.

Eric Henderson (05:44):

So that means someone inside the organization, either because they’re disgruntled, or they only got a job there to attack their employer, or they’re paid off, not sure, did something. So you guys voted fraudulent email; that is in fact the correct answer. Let’s talk about how that happened and what happened with that. So another word for a fraudulent email would be phishing, phishing with a ph. I’m going to guess, based on the popular usage of this word over the last couple of years, that most of you know what this is. I don’t know exactly why it’s spelled with a ph. I think that’s just people on the internet liking weird phraseology. So let’s talk about what happened from here specifically. So, you know, it came in; the spam filter did not catch it. The email was opened by a specific employee. Worse than opening the email:

Eric Henderson (06:37):

There was a Word document attached to the email, and the employee took the Word document as real. And because all the little prompts that Windows throws up at users are generally ignored, the user clicked the button that said Disable Protected View. So if you open an attachment from an email, across the top of Word there’s a little yellow bar that says this document is open in Protected View. You won’t be able to edit it, save it, change it, print it in the inbox. And you have probably clicked on that bar hundreds and hundreds of times, and probably only read it two, five, 10 of those times. And that bar is actually trying to protect you. And that bar was kind of the last line of defense, and the user went ahead and clicked Disable Protected View, which would allow the document to be opened fully and to be trusted. When the document was opened, it launched a script.

Eric Henderson (07:39):

All a script is, is just a little snippet of code that does something. So if you think about your home automation system, and you say, Alexa, turn the lights on, or Alexa, turn the lights off, all that is doing is just running a script that says, run this command on it. That’s the same thing that happened. Somebody embedded a script inside of a Word document, which is a feature that’s supposed to be used for good. It can do all sorts of cool things, but generally speaking, it is most often used for evil. And so that installed a virus on a single computer, which we’ll talk a lot more about. What this virus did was three things. The first one was install a keylogger. What is a keylogger? A keylogger is a piece of software that remembers everything that you type. So if you type in a password, if you type in an angry email, if you type in some sort of PIN that you use with your bank, it just keeps a record of anything that you typed.

Eric Henderson (08:45):

And at the time it was very surprising, because one of our engineers was troubleshooting on one of the computers and they tried to copy something so they could paste it; like they copied some text, and then they took it over to another place to paste it. Well, their copy didn’t work. So they just pasted whatever was pasted last. And what was on the clipboard was a full log of everything the user had typed for several hours. So just one line every time there was a gap. And so it would say, like, the user’s name, and it would say a password. It wasn’t the little dots or asterisks; it was the actual password. And if they typed in an email or the text of an email address. The second thing that the attack did is it spread across the network. So it looked for other computers on the network and attempted to install itself on each of those computers.

Eric Henderson (09:39):

And the third thing it did was crack the local password data. So you’ve probably heard, and we’ll talk about it here, hey, you need longer or more complex passwords. And I think what most nontechnical users hear when they say that is you want your password to be hard to guess, but that’s not really the problem. People aren’t really worried about someone just guessing what your password is. There are just too many combinations of letters and numbers that it could possibly be; it’s very unlikely someone would get it exactly right. What they’re worried about is this type of attack, because the shorter your password is, in the current state of computer technology, it’s not terribly difficult to break that password wide open if it’s short. So if your password is six letters, no numbers, no symbols, no upper case letters, then a computer can crack that password in less than a couple minutes.

Eric Henderson (10:38):

And so if the password was 25 characters, 16 characters, it could take years or tens of years or hundreds of years, at least with the current state of technology. Okay. So how long did it take for the virus to accomplish everything I just said: get on the computer, crack the things in the local user, spread across the network? Four hours. When we went back and tracked the times and dates, that’s how long it became clear that this took. So yeah, that’s not very long. That’s almost instantly, right? It’s pretty close to just as fast as it possibly could happen. So what happened? One user infected 180 devices. Two days later, three individuals had their personal finances breached. So what does that mean? That means if I have a computer that I use at work, and just out of convenience’s sake I occasionally go to Amazon and place personal orders, or I go to Wells Fargo or Bank of America or any other bank,

Eric Henderson (11:46):

and I type in my credentials, and there was a keylogger on my computer, well, not only is the business I work for breached, my personal accounts are also breached at this point. So there’s a lot more we could say about that. I think the world is not ready to accept this yet, but setting policies that would say that employers should not access personal websites on their work computer isn’t unreasonable. It certainly would have prevented this particular attack in this case. It leads to all sorts of interesting problems and complaints when an employee’s personal accounts are breached because of the actions of different employees, and, you know, the security did not prevent that. So that’s not the focus of today. So they found individuals using business computers for personal tasks. They waited for a user to type in their credit card number, or have the credit card number automatically fill in, which is a convenience.

Eric Henderson (12:48):

And then, and this is probably the worst part, and we’ve actually seen this several other times, it’s called an email bomb attack. You know how if you were to go on amazon.com and change your password, Amazon is going to send you an email that says, hey, just letting you know your password changed. Probably no big deal if you chose to change your password. If you didn’t mean to change your password, that’s a big problem, because that means someone’s in your account. So Amazon’s intention in sending you this email is that if you see the email and you’re not sitting at a computer wanting to change your Amazon account, you need to take action immediately, because the number of services that are tied to Amazon at this point and the number of things that you can purchase and all of that has huge implications for your financial security, your personal security.

Eric Henderson (13:37):

So what the attackers did is when they selected a person that they wanted to breach, they decided to send that person tens and tens and tens of thousands of emails as rapidly as possible. And the intention is not just to be annoying; the intention is to divert that person’s attention from any one email. It’s very difficult to see the email that says your Amazon password changed when you’re getting thousands of other emails an hour. And so when this type of attack happens, kind of the opportunity here is every couple of hours you have to search the words password, transfer, financial, new card, credit card, any sort of thing that might appear in one of those emails. If you think about those emails, like if your bank is going to send you your credit card, they’re going to send you an email that says, hey, just letting you know, new credit card’s on the way.

Eric Henderson (14:32):

And the reason for that is that old school identity theft was you go on the bank, you change the person’s address, and then you would request a new card. And then the card comes in and you have full access to a card that is valid, that went to the wrong address. And so, you know, one of the things we learned in this event is that’s the purpose of that type of email spam, and your best case scenario is to go in and prevent that by doing searches for the words that might appear in that. Okay, next question. How long does it take to recover from attacks of this size? Four weeks was the time, and arguably it took much longer than that. And the reason for that is when something like this hits your network, you have a pendulum that swings back and forth between convenience over here and very secure, but very inconvenient, over here.

Eric Henderson (15:31):

And so to get the organization operational, let’s say, you know, the pendulum was very balanced between convenience and security. They swung the pendulum so far over in this direction because they had to be sure that the network was operational. But I’m sure you’ve had the experience of working at an organization, and the IT person comes around and says, we’re going to put this new software on the computer. We’re going to make you type in this new code. We’re going to make your password 25 characters. We’re going to make it so that you can only log in between 8:00 AM and 5:00 PM. We’re going to make it so you can only log in from the office. We’re going to restrict access to this. We’re going to put a web filter in place. Whatever; it doesn’t matter which of those things it is, many of those things hamper employees’ productivity.

Eric Henderson (16:18):

And so the recovery time is actually substantially longer. So as noted, for these four weeks a whole bunch of stuff had to be done. We didn’t actually use fire extinguishers. There was no actual literal fire on the servers, but it certainly felt that way. So a large number of computers needed wiping and reloading. So the nature of this attack was, and the nature of a keylogger is, that it’s extraordinarily difficult to tell if that has been completely wiped off of the computer and the network. It’s very, very, very hard to tell if you’ve actually gotten everything. The only way you really know is if some amount of time goes by such that another attack does not happen. Secondly, and this is something this client did have in place, they had strong backups. So when I say strong backups, I don’t mean there’s a USB drive

Eric Henderson (17:17):

that’s plugged into the servers, and every so often I make a copy of it. They had backups that were on a completely separate network, that went off site, that were completely away from the network. So what makes this type of attack serious is, if I put my mind in the place of someone who’s perpetrating one of these attacks, I’m generally looking to do three or four things. I want to get into the network quietly. I want to figure out where all the data is and all the backups are. And then I want to launch the attack in such a way that it’s going to be very difficult for the business to recover from it without paying me some sort of ransom. And so they are always focused on how do I get in, how do I stay in, how do I make sure I have all the rights that I need to do that, where’s the data?

Eric Henderson (18:09):

And then how do I lock it down? In this particular attack, they didn’t do it. There was no encryption; it wasn’t any ransomware. This was just about trying to gain access to the network. I think it got cut off faster than they really expected. And then, as I mentioned about, you know, security versus convenience, a variety of new company-wide security policies were put in place as a result of this particular event. Okay. So that is the summary of that particular event. I want to talk about kind of our collective wisdom that we’ve gained from this event and a huge number of other events. A relatively common story in the Rocket IT world is we get a frantic phone call from a business owner or a manager that says, oh my gosh, my network had XYZ happen to it. And either I don’t have an IT person,

Eric Henderson (19:06):

I don’t have an IT company, I work with my IT person and I’m worried about their level of access, or worse than that, I have one of those things and it’s been two weeks and we’re still suffering. We’re still completely locked down. We don’t have any sort of access. And so that’s kind of our moment to be a hero. That’s about as important of work as we ever can get, because it’s very time sensitive and there’s a lot of stress and a lot of pain that comes from that. And so from handling those types of events, and from handling the events that I just described in that case study, here’s kind of our key takeaways. I’m going to try and make these as accessible as possible so that you can take these back to your organizations and really be able to use them for your own gain.

Eric Henderson (19:57):

Okay. We could go a whole hour on this slide, but the point is, way back in the day, 10 years, 20 years ago, all you had to do to do security was these four things: firewall, backups, spam filtering, antivirus. And everyone agreed in the IT industry, as long as you have a good firewall, good backup, good antivirus, good spam filter, kind of this magic square of these four things to protect you, you’re good. And what has happened since then is that attackers used to attack the blinking boxes in the server room. They went after servers and firewalls and websites, right? All these attacks were always, oh, a deficiency was found in this one program, and this hacker figured out that if you do this, this, this exactly right, it just lets you have administrative access. Well, since 2013, the style has shifted.

Eric Henderson (20:53):

And now people aren’t really trying to do that; it’s too much work. There’s armies of people that are focused on preventing people from getting into that. So what they decided to do instead is attack people, and it’s very smart. It’s evil, but it’s also very smart. People are naturally trusting. A segment of the population, if they get an email, no matter what it says, they just assume it’s true. And I think that’s certainly because they’re good mates or good people. Like they can never themselves imagine trying to trick somebody into surrendering their financial information. So they have a hard time just being vigilant around assuming that if I get an email, it must be safe. And so we’ve met with hundreds of companies, and I’ve brought up this point hundreds of times, and every single time the company says, well, you know, we sent an email out about three months ago about that, saying don’t click on emails, and people don’t really bring them to me very often.

Eric Henderson (21:54):

So I don’t think people are clicking on phishing emails. And the problem with that is when you click an actual phishing email, most of the time what happens isn’t what I just talked about for the last 20 minutes. It’s not this disaster, you know, apocalyptic-style problem for that organization. That’s not the normal thing that happens. Most of the time, either the attack gets blocked by some device, or it was successful, I mean, you just don’t even know it yet. So a lot of security companies would say you need to act at all moments as if you’re already breached. I’m not sure I’m quite that despairing of life. But the point is, if I click a phishing email, there’s no instant feedback to tell me I did something wrong, right? So if I touch a hot stove, I know instantly through pain that that was the wrong thing to do. In a phishing email, your employees have no idea that they’ve done something wrong unless they can trace it back to this point.

Eric Henderson (22:59):

And so what we do is phishing testing. So we send out a fake email that has a link in it that looks like a real attack. And if the user clicks on it, nothing bad happens to them. But the system records that they clicked the email, and then they became a clicker, and you don’t want to be a clicker. So that gives us the data to say, well, you know, actually 22% of the time your employees click these emails, and you have one employee that just clicked every single one of the emails that we sent them. And they don’t even know they’re doing anything wrong. So there’s no opportunity for change. If you don’t understand your action is bad, you’re not going to invest any time or effort in fixing it, because you don’t see this problem. And so if all you hear in this whole conversation is this one slide, implementing this is as close to a silver bullet

Eric Henderson (23:53):

as we get to reduce the risk of your organization getting breached. And there’s lots of ways to do it. There’s lots of firms that assist with this. Rocket IT, as you might expect, has a variety of means to roll this type of system out. If you’re not doing it, I strongly recommend that you do it. And if you only do it once a year, it’s really not enough. We are recommending at this point two emails a month to every employee. So every employee gets some, and since it’s random for every employee to get a random email, it’s totally different from their peers. So it’s not all the emails hitting at the same time. And we do pretty close reporting back to management to say, you know, we’ve tried to train this person and they keep clicking the emails.

Eric Henderson (24:38):

I think it’s really time for you, business owner or CEO or manager, to have a direct conversation with them. Because one of these days they’re going to click a real one, and then something bad is actually going to happen. And you have the data here to know who’s likely to do that. Based on the second item, and as I go into this, I understand that if you read the things on this slide and actually imagine doing them for yourself, it’s roughly like going to the dentist and the dental hygienist saying, you know, Eric, you really need to floss twice a day, like at least once a day. And you just say, yeah, I know, I know, I need to floss. And then most people don’t do it. I don’t know what the statistics are. I wish I did. I hope they’re higher than I think they are.

Eric Henderson (25:24):

But the point of this slide is, if you imagine that keylogger attack, where they got ahold of a user’s password, most likely that single password was elephant one, two, three. That’s not any of my passwords. Don’t bother trying; not the password. And I use that password for my Amazon account, my bank, my utilities, my Gmail and Facebook, but I only use Amazon on my work computer. Let’s say I go to Amazon. I type in my email address. I type in elephant one, two, three. They get a copy of that password because they have software on my computer that logged it. The next thing they’re going to do is they’re going to go to google.com on their computer. They’re going to type in my email address, and they’re going to type in elephant one, two, three, and see if it works on that site. And then they’re going to try the top five most popular banks in the United States.

Eric Henderson (26:20):

And then they’re going to try the most popular shopping sites. They’re going to try all the email providers. And by having the same password in multiple places, you are multiplying your risk, because if that password is breached in any one of those places, all of those accounts are breached simultaneously. The second thing, I already spoke about this, is password length. I think our industry has done a bad job in the past on this. We tried to convince users that a password that was hard for humans to remember, like eight after lower tastes, you uppercase P one seven explanation, something like that, was a good password. It’s not; it’s a bad password for a variety of reasons. It’s a bad password because users write it down, which is just increasing the risk. It’s a bad password because it’s hard to remember. So it’s going to frustrate the user, and it’s going to frustrate the IT administrators that serve that particular user.

Eric Henderson (27:19):

And probably worst of all, it’s not that hard for a computer to guess if it’s only six or eight characters. So the guidance in the last five years is basically we need to move to passphrases. We need to move past this random short password system, because it’s only hurting us. It’s only making life worse. It’s not actually solving anything. So we advocate for passphrases. We’re looking for 16 to 25 characters. If I thought we could get away with it, we would say 25 characters, but people are so used to passwords being six, eight, 10 characters long. We’re trying to gradually ease them into much longer passwords. So you might be thinking at this point, okay, Eric, you want longer passwords? You want them to be phrases, and you want them to be different on every single site that I have?

Eric Henderson (28:11):

How in the world am I possibly going to remember that? It’s a good point. And I’m not saying the world is completely in consensus on this, but our guidance is you use a password manager. Basically you use a system that keeps track of all those passwords, and then you only remember the key to the vault. And as long as you don’t use that key to the vault anywhere that’s insecure, and as long as you write it down and keep it somewhere safe, or you memorize it perfectly, then everything in the vault will be fine. And so this is how we manage passwords at Rocket IT. This is how I manage my passwords personally. There are trade-offs in all of the different methods of doing this. It’s interesting: having a written piece of paper that has passwords that are all different for all your sites, kept somewhere in your home

Eric Henderson (29:02):

that’s very safe, is arguably more secure than what I’m describing, but it’s entirely inconvenient. And so most users aren’t willing to put up with that. The final thing over here on the left, two-factor authentication. So what is that? A factor of authentication is a fancy way of saying, how do you prove you are who you say you are? So if I go to the bank, I can’t just tell them my name is Eric Henderson, right? I have to produce some sort of proof through either my PIN, my driver’s license, my debit card, something along those lines, to prove I am who I say. Each of those things, so the PIN, my banking password, my driver’s license, my debit card, each of those is a factor of authentication. And security always goes up as you add factors of authentication. Right now, most websites just require a username and a password, which is a set of credentials.

Eric Henderson (30:00):

That is one factor of authentication. And it’s also really easy to break into, because as long as you know the password and username, you’re in. The most common second form of authentication is usually something related to your phone. So either it sends you a text message that says type in your text message, you’ve got, you know, 20 seconds to fill it in, or you have a little app on your phone and every 30 seconds it puts up a new code and you have to type that code in and make sure you type it in at the right time. The text message, I think that’s going to fade away. Hackers have caught onto this, and some of the most famous attacks, particularly around cryptocurrency lately, have shown that the hackers will go to the Verizon store, pretend to be you, get a SIM card, which is the record of whose phone, which phone, the carrier should send text messages to.

Eric Henderson (30:56):

And then, at the time of their choosing, having got the user’s password, they put the SIM card in a phone, they type the password, it sends a text message to the phone, but the problem is they went to Verizon and switched which phone it is. So they get the text message that was meant for me, or whoever they’re attacking, and they breach the account. And so several million dollars; there was a complaint filed, I think in New York, that a cryptocurrency investor lost seven digits and was suing an 18-year-old that perpetrated this attack against him. So the text message thing isn’t great. I will tell you that some of the world’s largest companies are relying on the text message thing. I think because, in a rush to get this pushed out, they tried to make it as user friendly as possible. And it’s way more user friendly to receive a text than it is to have an app and the whole system for doing this.

Eric Henderson (31:49):

What I would say to you is, even if you have the text message system, it is still super more secure than just having the password. It would be better if you had, it’s called TOTP, time-based one-time password, I think. And basically that is the gold standard right now in terms of this type of stuff. But just having any second factor of authentication is wonderful. Just getting from one, which is a username and password, to something with your phone would be great. I won’t spend too long here, but antivirus in the past worked the same as antibodies in your body. So the way antibodies in your immune system work is if they’ve seen a virus or bacteria before, they know what it is and they kill it. So that’s how antivirus was modeled, which is fascinating,

Eric Henderson (32:44):

That humans made software that works the same as our immune system. The problem with this is that many of these attacks have never been used before. So it’s kind of the same as a new pathogen; much ink has been spilled about how this is basically why the coronavirus was labeled as novel. It’s because most of us had never had our immune systems encounter anything like this before. So the antivirus companies picked up on the fact that it’s way easier to write viruses now. This worked great 10 years ago, and now what they do is they monitor what your computer is actually doing and watch for bad behavior. So if we go back to our case study, the person opened a Word document and launched a script. Is this employee someone who normally would launch Word documents that have scripts attached to them?

Eric Henderson (33:35):

The answer is almost no one does that. There’s almost no legitimate reason that an end user working in some portion of a business would ever run a script. Most users don’t know what it is. Most users wouldn’t even know where to start and they wouldn’t even be able to come up with a valid reason. So what all of our clients do now, and this is relatively new, is they watch for scripts being run. And they say, Oh, I don’t know if the script’s legitimate or not, but we’re blocking it because this is not a normal user behavior. I don’t care if I’ve ever seen the virus. I don’t care if my antibodies, my computer, have seen it before; it does not matter. And so this is sometimes called endpoint detection and response. You’ll see it acronymed as EDR. You can see the words at the top. Okay. Now that is the end of our presentation. I noticed that at various points through the conversation, there have been some questions. And so Colleen has been gathering those questions. And so now we’ll have a conversation around them.

Colleen Frangos (34:37):

Awesome. Well, Eric, I’ve got two questions that were over in the chat, so I’m going to start there and weave my way into our other questions. We got a question from ACE, and he is wondering: the company that you pointed out in the presentation, did they have an internal cyber security awareness training in house?

Eric Henderson (34:58):

Did they, or do they?

Colleen Frangos (35:01):

I’m going to go with “do they” based on how he phrased it, but I assume they didn’t have one.

Eric Henderson (35:09):

That’s right. So this attack actually happened a couple of years ago. This is not something in the last one or two years or something. I don’t know exactly what year it was. It all kind of runs together. But the answer was prior to this attack, no, they did not have a focused cyber security program. And it’s kinda the same as, you know, you don’t think you need a type of insurance until you have an event that would pay out a claim on that type of insurance. One of the purposes of this whole presentation is just to say, if you’ve ever gotten a phishing email that has an attachment, this could have been you. That’s not far fetched to say; this happened to an organization within that county. I realize that everyone attending here isn’t in the county, but they probably generally work for small businesses. And so this is something that could totally happen. And I totally agree that a security awareness program, and I know they have one now, would have gone a long way to potentially prevent that.

Colleen Frangos (36:12):

Great. Thank you, Eric. All right. We’ve got another one here. So Layla is asking, what if the employees are using incognito mode for personal use? I’m guessing it’s on a work machine.

Eric Henderson (36:29):

Yeah. So incognito mode is a function that was popularized by the Google Chrome browser. I don’t know if it promises this; it probably doesn’t promise this. But the idea is that most users believe that by using incognito mode, your actions are in fact incognito, as in no one knows about it, there’s no tracking done on it whatsoever. The reality is it almost does nothing. All that it really does is makes it so whatever website you went to, Google search history doesn’t keep a record of that. And your web browser doesn’t recommend that website as a site you’ve been to. So if you go to facebook.com on Chrome, and then on another day you come back to Google and type F at the beginning of Facebook, it’ll say, Oh, you went to Facebook. That’s great. We know you like Facebook. You can go back to Facebook whenever you want.

Eric Henderson (37:26):

All it’s doing is preventing this being saved formally in your Google record and auto filling in when you go to that website in the future. So as far as attacks go, attackers don’t care about that at all. That is a Google specific thing. And worse than that, your corporate network still has a record that you went to that website, your internet service provider still has the record that you went to the website, that website still has a record that it came from you. And if you log in, I mean, you’re just as logged in as you are anywhere else. The purpose of incognito mode is really around, I mean, it serves two functions. Basically, if you have some reason you don’t want your web traffic to be saved into your Google profile, that’s great. And then I see people use it when, if you know how you go to a website and it automatically logs you in, if you don’t want that to happen, like you have some reason you want to use a different account. That works very well for that because it assumes you’ve never been there.

Colleen Frangos (38:27):

Great. Thanks, Eric. All right, another question. What is the safest way to do online banking?

Eric Henderson (38:35):

Sure. Well, as noted earlier in the presentation, the far and away safest thing to do is to not do online banking on a work computer, unless it’s obviously your work, you know, the corporate bank account. You are assuming that your IT provider at your work is doing a great job of protecting the network. And you’re assuming all of your coworkers don’t open phishing emails. And while those are hopeful, I would say, assumptions, they are not definitely true. So basically you want to do online banking in a network that you have as much control over as possible. And that doesn’t mean you have to be an IT guy. If you have a computer at your home, and one of the computers is logged into by children, teenagers, et cetera, people that may not know the exact rules that apply to security and might try and download movies for free or video games for free or download something that they shouldn’t.

Eric Henderson (39:43):

And then you have another computer that you only use, and you only use it to go to these four websites and you use it to use Microsoft Word and you don’t check your work email on it. That computer is far and away a better option. Even better than that, and I know this is weird, but this is just the state of the world. If you have an iPhone, there have been no known situations that I’m aware of ever in which an app has been breached by another app. The way the iPhone is set up, it’s very different than on Android phones. iPhone apps don’t, you know, interact with each other. This app has no ability to interact with the Wells Fargo app. And so my traffic is protected. The other thing I would say is where you’re connecting from matters. So generally you want to connect from your home, not from say a coffee shop, though that example isn’t great. I generally believe that Starbucks and Google have properly secured the wifi network at Starbucks. If it’s a kind of small mom and pop place, maybe they did, maybe they didn’t. I wouldn’t put my information in.

Colleen Frangos (40:49):

Nice. All right. Well, Eric, we’re getting in a lot of good questions. Hope we have time to hit most of these. Alright. Is it typical to see an attack like this in smaller businesses or larger organizations? It’s a good one.

Eric Henderson (41:07):

The ones that get reported are the large organizations; there were something like 1300 or 1700 cyber attacks last year, which is ridiculous because it’s actually been tens of thousands of them. The small ones just don’t have to be reported to anyone. So there’s no statistics. I don’t think the attackers are targeting. Most of them aren’t targeting anything. They’re just spraying attacks across the entire network. If they get a list of email addresses, it’s just as easy to spam 50 Fortune 500 companies as it is to spam 10,000 small businesses. It costs no difference to attack a small number versus a large one. So they’re just casting as wide of a net as they possibly can. I think I don’t have an opinion on whether it’s easier to breach a smaller or larger organization. It’s probably easier and harder in different ways for both of them. I would guess, just because the number of small businesses is extreme compared to the number of larger businesses, that small businesses are getting hit tremendously more often.

Colleen Frangos (42:05):

Great. Thanks Eric. All right. Next question. If a member of my team starts getting spammed by individuals potentially trying to cover up a crime, what action should I take to stop the spam from occurring?

Eric Henderson (42:18):

Sure. So the first thing is there is an anti-spam technology called DMARC, that’s D M A R C. It’s also called D K I M, domain keys. Implementing this will block a decent portion of it. Additionally, if you’re on Office 365, there are features in Office 365 that can block all emails that have non-English characters. So if you don’t do business in any country that speaks a language that uses a different character set, so, you know, Russia, China, Japan, et cetera, you can block any email that has any letters in Cyrillic or Korean or Chinese. Third, and a member of Rocket IT actually helped us with this recently, often they use services like MailChimp to mass enroll an email address in as many newsletters as they can find. And MailChimp doesn’t want that either. And that’s a prevalent use of their system. So if you contact MailChimp and say, Hey, this email address, I just got enrolled in 1500 newsletters in five minutes. Can you remove that? Can you mass remove them? And they’ll happily do that.

Colleen Frangos (43:30):

That’s great. Awesome. All right. Got another one for you. This is from John. Alright. Before calling Rocket IT, what steps does one need to take right away? Thanks, John.

Eric Henderson (43:44):

That’s great. You got some plants in the audience, apparently. Far and away, the most important thing that you can do is start treating this topic like it’s already happened to you. Basically begin to believe that at this moment, right now, today, Thursday, there’s someone on your network and they’re just biding their time until they get a chance to do something to you. And if your IT provider, whether that’s an employee or a firm, isn’t taking an approach of vigilance and isn’t taking a proactive approach, then you need to help them understand that that’s really what you’re looking for. And honestly, most IT people will find that very refreshing because one of their chief complaints is that nontechnical leaders don’t take this seriously enough. And the way we can tell that is if they don’t give it the time of day, or they don’t invest in it as they should.

Eric Henderson (44:45):

And so if you just change the mindset there, that one step alone will lead to almost, pretty much every IT person I talk to today would love to sit down and have a conversation around how to better secure the network. I can’t give you a magic, just go do this. Maybe the closest thing I could give you is for your most sensitive accounts, retirement accounts, investment accounts, banks, email, make the passwords different, and see if you can enable two factor authentication. That would take you a large percentage of the way down the road with 10 minutes of time.

Colleen Frangos (45:22):

Absolutely. Thanks, Eric. All right. I like this question down here at the bottom. Again, John, he’s asking for resources. So what websites or blogs should one subscribe to in order to keep on top of cybersecurity threats?

Eric Henderson (45:38):

Sure. Well, shameless plug: anytime there’s a major event, Rocket IT is publishing to a blog and newsletter, Facebook, Twitter, and I think LinkedIn, but certainly Facebook and the newsletter, anytime there’s a major event. Secondly, depending on how deep you want to go down the rabbit hole, there are a variety of publications; basically every major antivirus company has like a threat center. And so the one that I see pop up fairly often is called Sophos, S O P H O S. They do a tremendous job at identifying threats and getting news out there as quickly as possible. Now, the issue here is that they’re often writing to a technical audience. So you have to be a little careful with just getting snowed under with, you know, an incident number of security things that you can’t tell if they’re important and you can’t know what to do about it. Colleen, I can see the questions. I’m going to grab a couple of them. Okay.

Colleen Frangos (46:43):

Oh, okay. Okay.

Eric Henderson (46:46):

John mentioned, what two factor authentication app do you recommend? The one we recommend is called Authy, that’s A U T H Y, and Authy is based on the Google authentication platform, and the key benefit that it has over the other ones that we’ve used is that if you get a new phone, you can transfer all of your two factor authentication systems over to the new phone without having to re-enroll all of them, which would be very frustrating. I’ve got a question here. What about work wifi on our mobile phone? How safe is it to use our bank apps on the work wifi? Assuming you’re doing it from a mobile phone, that actually is reasonably secure. The type of attack that it would take to steal your password in transit from your work wifi is fairly difficult to pull off. It is substantially better than using a Windows desktop at your workplace.

Eric Henderson (47:39):

If you have to do it at work, if you just, for whatever reason, that’s where you have to make those changes, I’d strongly recommend doing it on your phone versus a computer. Alright, we’re almost out of time. What did I miss? Are there downsides to white listing applications? Are those cons outweighed by the security of providers? Okay. Application white listing. Basically right now, if you ask your computer to install something, it installs it. It’s a command and the computer respects the command. The problem with this is that users sometimes accidentally install the wrong thing. So there’s a line of software called application white listing that says, well, we’re not going to say you can install whatever you want. We’re going to say you can only install this list of 10 applications, and you make that list of 10 applications what your business uses. The benefit of this is that if something isn’t on this list, it doesn’t install, but that’s also the drawback.

Eric Henderson (48:34):

Users have a variety of use cases for installing things, and application white listing software can be very, very annoying because it means if you want to change anything and someone hasn’t explicitly allowed it before, the change doesn’t happen. But that said, we still do it. I’ve got a question here. Do you suggest authentication by call? Authentication by call is roughly the same as authentication by text message. It’s in the same mode as text messaging. It is way better than nothing. It’s very likely not to get breached, but there is a way to do it. And depending on if you get attacked, you know that that’s an issue. Another question: can a password manager be hacked? Okay, this will be the last question. This is the hot button question. So if I put all my eggs in one basket, and that basket is my password manager vault, and somebody steals that, well, now I’m way worse off than if I didn’t have a password manager.

Eric Henderson (49:34):

Right. I made it really easy. Here’s my website. Here’s my username. Here’s my password. Here’s my website, username, password. The technology that the password managing companies use, and there’s trust involved in this, everything I’m about to say, but I trust them in this because I understand what the technology and the mindset is, is that vault can only be unlocked by your password. The password manager company themselves can’t open that vault. So if someone broke into the password manager company and stole the vault, that’s okay, because the password manager company couldn’t open the vault themselves anyway. And as long as your password is 25 characters, the rules of encryption are that they wouldn’t be able to ever break into that in any reasonable time. Now, on the flip side, if you get a key logger on your computer and they see you’re using a password manager and you type in your password manager password for your vault on the keylogged computer, well, you just literally gave them the key for every password that you have.

Eric Henderson (50:32):

And now you have to pretend that the entire thing is completely breached and wide open. So you are focusing the risks down into one place. But I think the benefits that you’re getting from that outweigh the potential pain that can come from that. Okay. If you have other questions, you are free to email those over. I’m sure you can reach out to Adam. You can reach out to Laura and you can reach out to Andrew, anyone on the Partnership Gwinnett team, and they will make sure to get those over to us. Back to you, Adam.

Adam Forrand (51:13):

Awesome. Thank you so very much, Eric and Colleen, for your expertise; in particular your witty banter is always appreciated. But what I particularly appreciate about Rocket IT is their human centered approach. And you saw a lot of that today, like despite the tools, despite the technology, this is a human challenge, our human behavior. And as Eric acknowledged earlier, a matter of trust that we, as people who interact with technology, have to afford, and with Rocket IT, that trust, that human centered approach, is deeply and sincerely appreciated. So we’re thankful for you and your presence in our community, and continue to lead and to inform and educate. So thank you so much, Eric. Thank you, Colleen. Let’s say thanks to Lauren Como, my partner and colleague here at Partnership Gwinnett, and Ken Rutherford from the chamber as well. And know that Partnership Gwinnett is here again to sustain, to support and to encourage your growth as a business in our community. So whatever we can do for you on behalf of your organization, please do not hesitate to contact us at Partnership Gwinnett. Thanks again. Thanks to Rocket IT. And thank you all.