
The Biggest Cybersecurity Myths BUSTED!

What are the biggest cybersecurity myths? This webinar will BUST the most common cybersecurity myths! Do you believe in these myths?

Prefer to read? (Transcription)

TOM: Today’s topic – welcome to Deeper Dive. We do these every Tuesday, whether you need them or not. The Deeper Dives are typically topics taken from the main webinar and then we expand on them. Today’s topic is cybersecurity myths. We’re going to bust them.

I think I want to start by asking everybody if they have been told something about how to do cybersecurity or what you’d need to do in your organization or with your computer or what’s a good practice, and we’ll talk about whether that is a fact or a myth. Got it?

So type away on your keyboard. You can do something like “I was told that phrases are better than randomly generated 21 characters,” or “I was told that password managers aren’t safe.” That’s one that’s not on the list. What have you guys got? We can open the mics up, too. Just raise your hand and we can open the mics up if you’ve got a microphone, and you can ask your question and we’ll talk about whether it’s a fact, whether it’s a good idea, or it’s a myth.

This is like the old radio show I used to do, Kindsey. It’s like, “Dial in now. 479-652, something, something.” It’s a free call on your Alltel cellphone. What was that number? I did it for 4 years. Well, you can call the number for – well, if you already called the number, then you’re already in the webinar, so I guess it doesn’t matter. I’m not on the radio. I’m in a closed environment. The divers there are for the Deeper Dive idea that Kindsey came up with and found the divers.

KINDSEY: Yeah. A while ago.

TOM: Yeah. We’ve been using it ever since. We skipped the music today because not only the technical problems, but apparently it’s too loud. I’ve got to trim that down and fix that. But we’re booked wall to wall with webinars this week. Maybe some of you or one of you are going to be in those. We’re doing it with a bunch of different industries, not just water. But no one’s got a myth or a fact they want to talk about? That’s okay. We’ve got plenty.

KINDSEY: Mm-hm.

TOM: Let’s get right down to it.

This one is the first one here: “We are too small.” How many people here think they’re too small to be a victim of a cyberattack? Just type “yes” or “no” into the chat box. Those of you that have been to the main webinar, you should know the answer to this. There’s no such thing as too small. They don’t know who you are, they don’t care.

They have managed to obtain – usually the attacks are through file attachments through email, and they do a phishing attack. These emails have gotten so well done over the past few years that the telltale signs – maybe some of you can identify a phishing email, but I’ll tell you flat out that even the experts in the business these days are getting fooled. I look at our numbers on our phishing simulations and I see that sometimes somebody in our organization fails the phishing test.

The days of misspelled words or bad grammar or bad logos, these telltale signs, are over. They are well written, well crafted. They use psychological tendencies or psychological techniques like sense of urgency on paying bills, not getting cut off from a vendor, this, that, and the other, and they’re very, very well crafted. They can easily look like an advisory from PayPal or Google, Gmail, Microsoft Office 365. They just want you to click on a link or open a file attachment, an Excel spreadsheet. Could be from a vendor or a customer that you have.

If they breach a vendor business, not only do they probably have a relevant file to send you, but they might have all of the people they email as well, so they don’t even have to know who you are in that case. All they’ve got to know is “I just send an email to all these vendors’ customers and tell them, ‘Overdue bill. Here, open the spreadsheet.’” So they’re really, really good these days.

There’s other techniques that are addressed in cybersecurity awareness training. The best one is you want to carefully look at the actual email address in the “From.” And I don’t mean if it’s from “Tom Kirkham” and that’s a legit name. What you need to do is do whatever you need to do in your mail program to reveal the underlying actual email address. If you click on mine, you’ll see that, if it’s legitimate, it’ll be tom.kirkham@irontechsecurity, or tom@kirkham.it. If it’s anything else – and it’ll be something that has nothing to do with the company. It’s probably from somebody else’s compromised web server or email server or whatever. That’s one way to tell. That’s probably the simplest way to tell, the less risky way to tell.

Sometimes we have clients that will forward us the email because they’re not sure, and we want to make sure that they don’t trigger it themselves. So we tell all of our clients, “If you’re unsure whether this is a phishing email, or a spear phishing email, send it to us and we’ll look at it.” Sometimes we have to go into what’s known as the header record of the email. It’s a little bit beyond the scope of this webinar, but it’s a technical way to look at the underlying mail servers and IP addresses and all of that, and we can make a conclusive decision on whether it’s a good email or not.

So that myth is busted.

“Our data is not valuable.” There is not a single person on this call that doesn’t have valuable data. Just the very fact that you’re on this webinar means you’ve got valuable data that can be encrypted and held for ransom or breached and stolen and things like that. Your bank login information, your email login.

Think about this; if somebody puts a keylogger on your computer and they get your email login, they can see who you bank with. They can see who you buy things from, maybe get into your Amazon account, maybe get into your bank account. Because when you forget your password, what do you do? You click on “Forgot password.” You get an email link for you to reset it. Well, if I’ve got access to your email, I can see you doing that. Or I can reset it myself and then get into your bank account or anything else.

Maybe you’ve got family photos from years and years and years, and they’re priceless to you. They’re not worth anything to a ransomware attacker, but what he knows is you’d be willing to pay a certain amount of money to get those files back and get them unencrypted. So there’s no such thing as data that’s not valuable. All data are valuable.

This one is another one that I hear commonly. “Cybersecurity is expensive.” Everyone on this call can afford Fortune 100 enterprise grade cybersecurity that is a lot better than what you’ve ever used in the past. It’s available from companies like ours. You can’t buy it off the shelf. Anything off the shelf is really not any good anymore. All those McAfee, Norton, Symantec, Bitdefender, anything you can buy at Best Buy, Office Depot – basically anything you can buy direct is probably, high probability, just not effective.

The main tool that we use is called an EDR, and we replace the antivirus with an EDR. All of our EDRs are managed by humans. That means it can only be acquired from a company like us. That is really the best thing. If you’ve ever watched the main webinar, what are the 4 things you need? You need EDR, you need backup and business resilience plans or disaster recovery plans, and then you need continuous cybersecurity awareness training. You need those 3 things. There’s others we’ll get into. If anybody engages with us, we do a security assessment. What type of business is it? Who’s the likely attacker? What are their objectives going to be?

Some of you may be likely to be hit by a nation-state, like China looking for intellectual property, or Russia just creating chaos with water utilities, or activists. But almost everyone, the most likely thing is ransomware, and the only way to effectively reduce that to less than a 1% chance is to put an EDR on there.

Good security awareness training will help you identify it and at least be on the alert for it, because remember, we want to have a security-first environment where everybody’s thinking about it. If you do it right, it’ll be no different than “Did I lock the office door when I left?”, and you’ll have to turn around and go check the door. It’s just something you know you have to do.

If you do good security leadership, that’s the way everybody will treat these things that are very, very easy to be considered a hassle, not worth the time or the effort, or it’s got a little bit of a learning curve, like a password manager. But I’m telling you, once you get used to it – just a password manager – for a few days, it’ll become so second nature. And then after about a month, you’ll go, “How did we ever live without this?” I promise you. I know because every time we hire somebody, they’ve never used a password manager, and then after they’ve used it for a while, they go, “I don’t know how I lived without it.” It’s fact.

Anyway, cybersecurity, just to give you an idea, $30 a user a month will get you really good cybersecurity. Fortune 100 enterprise grade security. Really, really good stuff.

The next one I hear from IT guys. I’ve actually heard “We’re too small” also, but this one – “Antivirus is good enough. That’s all there is. Just don’t click file attachments from people you don’t know.” That is bad advice, it’s inaccurate advice, and it’s simply not good enough these days.

The NSA had a breach. Our National Security Administration, our nation’s top tier cyber warfare unit – I know there’s military units as well, but the NSA is the one that develops a lot of these tools. They got breached about 3 years ago, and now their tools and their source code are for sale on the Dark Web. Those of you that were on the Deeper Dive about 3 months ago, I actually went on the Dark Web and showed everybody, “Here’s where you go to buy that stuff and here’s how easy it is.”

Especially since those tools of the NSA have gotten into the wild, we’re in a whole different world now. Now, a single guy in China or Russia or North Korea or a nation-state, an individual, it doesn’t matter, they’ve got NSA grade tools to wreak havoc, to break into your organization, to steal intellectual property. Like I said, antivirus is just about one notch above useless because of this. Mainly because of this. A lot of it has to do with that.

The other thing is that antivirus only detects signatures of a virus. Ransomware has no virus. There is nothing to detect. There is no signature to detect. An EDR uses artificial intelligence or machine learning or both, and then it’s backed up – in our case, it’s backed up by human beings analyzing. Even the automated response has successfully killed off the attack and quarantined the problem, but we still have human beings that go in there and verify. In our business it’s called look at the storyline of the virus. How did it get executed? What procedures did it call? All these things it does on the computer. So a human being goes in there and looks for other payloads, because there’s almost always other payloads delivered in conjunction with a ransomware attack.

EDRs do that because they’re managed by security professionals, security experts. Some of these are ex-DoD employees, other government snoops, or cybersecurity experts, depending on what you think of that. But the point of it is, it’s really a lot more effective. Even if you had an EDR, it’s still a lot more effective if you’ve got human beings behind it and they’re actually seeing alerts.

We get alerts every day, just like that, from all sorts of different tools. And there’s hundreds of people, literally hundreds of people all over the country that look at our alerts and help us orchestrate a response, or they tell us there’s nothing to worry about – or our own people go in there and look at it and say, “That’s nothing to worry about.” Or we go in there and look at it and we’re talking to another vendor saying, “Hey, what do we do about it?” because the first vendor says they don’t have a fix for it.

So we orchestrate a multi-vendor partner defense team to detect, respond, and mitigate and remediate threats. And it’s not as expensive as it sounds, I promise you. You’d be shocked.

This one I love talking about. For the last 3 years, we have yet to go into a new client installation that has had a successful ransomware attack and not find something else that they did not know was on there. Their IT staff did not know it was on there. The reason is they’re using a lot of these NSA tools, like the Stuxnet virus that attacked Iran’s nuclear centrifuges or plutonium centrifuges a few years ago. The United States and Israel designed the attack to not be detected.

Now what’s happening is that Stuxnet virus, source code and all, is modified by hackers and is deployed to target industrial control systems or SCADA systems. They’ll possibly deliver that payload along with a ransomware attack, and then after the ransomware attack is done and they collect their money from everybody, they’ll sell a list of everywhere they’ve put a trojan or a backdoor on it, a rootkit on the network, and they’re just waiting for another criminal syndicate specialist that specializes in nothing but exploiting server backdoors, and they’ll sell that list on the Dark Web.

It may be 6 months, a year, whatever, and we’ve seen that. They say, “We had our ransomware attack about a year ago, but we’re all good. But we don’t want it to happen again, so we need your stuff.” We go in there and install it – sure enough, without exception, there’s a backdoor, there’s a keylogger, there is something else on that network that is just lying there, waiting for a criminal or a nation-state or a hacktivist. Maybe the boogaloo boys. It’s just a matter of time before they start doing cyber warfare. I can’t believe they haven’t already done it.

These attackers and these criminals, some of them are ideologues, like ISIS. They’ve got their own cyber warfare unit at ISIS that specializes in doing nothing but attacking the United States, in ISIS’s case, or maybe Iraq or whatever. It’s a good guy / bad guy. All of us know how to hack systems, but we also know that it’s highly illegal. You go to federal prison for it. So do I want to be a good guy or a bad guy?

In the business it’s called black hat and white hat. We don’t really do attacks; we don’t do penetration testing. That’s white hat, but they actually go in and penetration test any organization for whatever it is, $5,000 or $50,000 – it all depends – and they will actively look to penetrate the organization to see what they can steal. If you guys remember the movie Sneakers – it’s got Ben Kingsley, Robert Redford, Sidney Poitier, Dan Aykroyd. There’s a bunch of stars in it. It’s about 20 years old. But that’s what they do. They are penetration testers. A bank hires them.

At the very opening of the movie, he goes down and withdraws, I don’t know, $100,000. He gets it all in cash, puts it in his briefcase, closes his account, and the lady asks, “Do you mind if I ask you why you’re closing your account?” He says, “I just don’t think my money is safe here anymore.” He didn’t leave the bank; he walks upstairs to the boardroom, opens the briefcase, flips it around, hands them a list and says, “Here’s all your stuff. Where’s my check?” He just heisted $100 grand from the bank, he gave it back to them, and now they’ve got to pay him $20,000 to do the penetration test.

The reason we don’t do that is because I think – and I think most people would agree with me; there are some exceptions, which I don’t agree with. It’s an ethical problem if we do penetration testing while at the same time providing cybersecurity defensive tools, procedures, policies, things like that. We would prefer an outside organization do a pen test on clients that we protect. We can do a vulnerability test, and we don’t mind doing that, but there’s a difference between – not only is there a difference between vulnerability assessments and penetration testing, but – I forgot where I was going to go with that. Where was I going to go with that, Kindsey? You listen to a lot of these.

KINDSEY: You were talking about penetration testing and vulnerability testing. I don’t think you’re going in a Sneakers route.

TOM: [laughs] Well, anyway, the bottom line is I would shy away from any company that says they penetration test you and they provide the stuff because their penetration testing techniques may not be as good as a company that only does penetration testing. That is the one that you need to hire.

Most of you on the call, I assume you’re probably small, and penetration testing is just not practical. A vulnerability assessment is just fine. They’re easy to do. We can actually see open ports and lock all those down in the firewall and see some things that the IT guy may have overlooked because that’s really not their specialty. Then we’ll have a better idea of what the IT guy needs to do. We’ll have a list for him, actually. “You need to fix this, this, and this, and oh by the way, Mr. Owner, Mr. Head Honcho, CEO, Managing Director” – whatever your head honcho title is – “you’ve got this risk to ransomware and you need this tool or it’s not a matter of if you’re going to have a ransomware attack, it’s when.”

The long story short of that whole bullet point – I got off on a tangent – is if you have had a ransomware attack in the past, chances are extremely high you have something on that network that can be exploited and will be exploited at some point.

Finally, everyone wants to consider cybersecurity as an IT issue. It is not, I promise you. IT companies and cybersecurity companies have differing objectives. IronTech’s main deal is to protect your clients’ data, protect your data, keep you off the news or the newspapers, and make sure you stay running even if an attack is successful on your organization. That’s our job. An IT company says, “Minimize help desk, make everything as frictionless as possible, that server can’t go down, let’s get another NIC in there, let’s put some more switches in here for better performance, we need 10 gigabit ethernet, not 100 megabit. I don’t need you calling me all the time. I want to make it as easy as possible for you to log into websites,” and this, that, and the other. It’s fundamentally different than cybersecurity.

I’m going to say, “No, you have an outbreak going on. You’re going down. I don’t care if it’s still working or not. We have to shut you down. You either shut down or you fire us. That’s it.” And we’ve had those literal discussions. “You’re having a cybersecurity event that’s being stopped, but if you don’t shut everything down immediately, we can’t guarantee you that you won’t be on the 5:00 news and you won’t be in business 6 months from now. So I don’t care about the surgeries you’ve got scheduled or whatever. Reschedule them and shut down, or fire us.”

Without exception so far, they’ve shut down. We have possibly saved their practice. We’ve saved them tens of thousands of dollars, and overall minimized their downtime for a slight inconvenience of having to reschedule some appointments for a day and a half, rather than a month or forever. And they didn’t have a breach. None of their patient records were stolen, because we got them to shut down.

So remember that. I meant to put the slides about the organization chart, but you need two specialists in your organization, and they need to be different: an IT specialist – could be break/fix, could be your brother-in-law that you just call when something’s broken. That’s all good and well. But then you need a security specialist.

Now, we work with IT. A lot of people think they feel threatened, but good IT people welcome security experts to come in and secure the system because that meets their objectives, too. And they acknowledge that they’re not experts, or maybe they can’t even get the stuff that we use. So separate in your mind IT and security.

Cybersecurity, or information security, is a subset of the whole entire security industry, not the IT industry. It’s a part of the business like private investigators, video surveillance systems, alarm systems, and then there’s cybersecurity. We think about things like physical security. We have to know things like biometric scanners, badge readers, physical locks on server doors and office doors, because the computers themselves could be stolen. How do we plan for that breach? What tools and techniques and policies do we put in place to stop that? Generally speaking, IT people do not consider that because it’s outside of their true core competency. So that’s a myth busted. Did I do that right, Kindsey?

KINDSEY: Yeah, you did. [laughs]

TOM: We’ve got this password management, EDR, and awareness training bundle, hopefully by the end of the month. We’re really struggling with this. We’re almost there. Just keep your eyes out for that. We’ll send out an email when we launch it.

And finally, if you’re unsure of what you actually need, you can buy a security assessment for only $495. It’s no obligation. We’re not high-pressure people. We’ve got plenty of business. We don’t have to do those things. Really and truly, my job is to educate people on how serious this issue is. I have IT people come to me and tell me some of these myths. “Well, this group is too small to be a victim of ransomware.” Whoa, whoa, whoa. I have to educate the IT people, but I also have to educate all of you.

The more you learn about this – if you saw the things that we see, you would be wondering, “Why aren’t we being attacked each and every single day?” because of the sheer scale of just the criminal part of it. Most of you may not even have to worry about the nation-state stuff or the hacktivists or the lone wolves. But just ransomware is scary enough. How many people know how to buy bitcoin? You’ve got to have bitcoin in order to pay the ransom.

A former client of ours went to a friend of mine that started his own IT company, got hit with ransomware. They got rid of us, decided we were too expensive. They went with cheaper. Got hit with ransomware. My friend comes, “I need to buy a bitcoin.” I sold it to him. If it hadn’t been for that guy knowing that I had it, they wouldn’t have been able to pay the ransom in time. They give you a deadline, 5 days, maybe 7. But it’s usually 5, because it usually takes that long to get your act together to learn where and how and why to buy bitcoin.

At any rate, the security assessment – that $500 is well worth it. You will end up with a security assessment report that you can hand over to your IT guy and say, “Hey, can you do this?” You can hire another security firm to do it. There’s no obligation. Worth every penny. We can do a bunch of other stuff with security awareness training, like give you a 30-day trial, and we actually coach you during that 30 days, from a management and leadership perspective, on what’s the best way to use this tool in your organization.

I’ve been talking a little bit more about this leadership lately because it’s such a critical component. If you’re a good leader of your organization, you’re going to create that security-first environment. And everybody’s going to know it, and they’re going to know why they need to do these things. They know they’re a hassle, but actually, like I said first off, once they’ve been doing it a month or so they wonder how they lived without it. And they also know that they themselves are more secure personally, and the company is definitely more secure.

There’s Kindsey’s email. She’d love to hear from you if you’ve got any questions. If you’ve got any statements, if you didn’t want to type something in, or you couldn’t, or you didn’t want to talk, you can email a question in to Kindsey or to sales@irontechsecurity.com. We’ll take it up on the next one or reply back. Whatever you need, just let us know. That’s pretty much it. Any questions? Any comments? I think that was a good one.

KINDSEY: It was. I don’t see anything in the chat box just yet.

TOM: I went into a lot more detail on that slide, the myths. I went into a lot more detail because we’ve only got – usually the hour-long ones, we’re trying to cover a lot of territory, and it can be overwhelming to a lot of our attendees. I hope they get the high points. I really spend a lot of time on concentrating – what, 15 minutes, I talk about nothing but the sheer scale of the criminal part of it?

KINDSEY: Yeah.

TOM: To get people to appreciate that this is a huge, huge problem for everyone, no matter who you are. One of these days – I made this prediction the other day – there’s going to be a significant cyberattack that’s going to affect a large number of people, and it’s going to be a wake-up call. It could be a disaster for the country or for the planet, and it’s going to happen. It’s just a matter of when. I don’t know how the attack will be. Ransomware still has trouble getting through spam filters and things like that.

But there’s going to be an attack, and it’s going to affect a significant number of people. The ones that have the best shot of surviving this massive cyber warfare attack – not just hitting DoD and the United States government like the big one that happened about a month ago; I’m talking about something that will actually affect each and every person – those that are already prepared for it have a much, much higher chance of surviving it.

I don’t come here to be Mr. Doomsday, but I’ve been getting this feeling for the last several weeks that there is going to be a huge development and a new attack vector that is going to surprise and shock everyone, and maybe possibly exploit a vulnerability in the internet itself that we’re not aware of. The internet was not designed with security in mind. If it was, nobody would have spam.

We’re backfilling. There’s a lot of things we do on our email – all our clients’ email servers use the latest, greatest stuff recommended by the Department of Defense and NIST Cybersecurity Framework or the Department of Commerce. We implement them on the servers. But so far, outside of government entities, a lot of companies are just now picking that up. Our clients, no matter how small, if they get email through us, we’re putting security – we’re helping secure that email, both from them being a victim or them looking like an attacker, because that’s actually one of the bad things about email. You can look like an attacker, and somebody can accuse you of attacking them when in reality it wasn’t you. Then you’ve got the whole trust issue. How do you prove to them it wasn’t you?

But at any rate, that’s my prediction. I hope I am wrong, but I don’t know. I just think it’s coming. Just like the pandemic. No one saw it coming. No one realized how it was going to impact everybody’s lives, but I just think it’s going to be something similar to COVID.

Anyway, enough of me being on a soapbox. [laughs] I’m not paranoid, by the way. I just live in this world. [laughs] I see it all. I wish somebody had some questions. Mary, you don’t have a question? I can’t believe that. Comment, Mary?

All right. Well, thank you, everybody, for showing up and attending. I hope it was worth your while. That’s why we do these. If it wasn’t worth your while, let us know. All feedback, good or bad, we welcome because we want to make these better for you as well. That’s it. Thank you very much.

KINDSEY: Thank you.