Author: Rick Elder
I had the opportunity to attend two cybersecurity conferences this fall. The first was GrrCon 2019, which was held in Grand Rapids on October 24th and 25th. The second was the North American Cyber Summit on October 28th in Detroit.
GrrCON is an annual conference provided to the West Michigan community that focuses on cybersecurity and hacking. Some of the best minds in the cybersecurity field and in our community come together to collaborate, present and engage on solutions as well as information pertaining to IT security.
The North American Cyber Summit is a similar conference aimed at informing and problem-solving with great minds in the tech field. While some of the information presented is aimed at IT professionals, many of the security presentations and discussions were relevant to everyone. Here is a distilled version of what I learned and what I find relevant for business owners and end-users alike!
What You Missed at GrrCon
Many advanced techniques were presented at the conference, although at one point a presenter mentioned that the basics are still not being covered. He pointed out that the advanced hacking methods shown by a previous presenter are not needed when traditional, easier methods still work most of the time. Oftentimes there is no cyber ninja magic; a basic attack brings many of the wins. Users are still choosing simple passwords such as “Spring2018”, companies have poor password policies, and end-users lack security training. These issues lower the bar and increase the likelihood that a criminal can get into your network.
Having a false sense of security at the perimeter was another message discussed several times. Firewalls are great; they have a job and do it well at keeping people out. However, people need to be reminded that in today’s world there are many more ways to get in than to “storm the castle”, and additional defenses should be in place. One such defense foiled a simulated attack (pen-test) because software alerted when “Bob from Accounting’s” machine was doing something that an accountant should not be doing. “Bob” was trying to telnet to the Netherlands; this kind of odd behavior alerted the security department, which was then able to stop the simulated attack.
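The “Bob from Accounting” alert above is a baseline-deviation check: compare what a machine is doing against what its user’s role normally does. Here is an added example of that idea (my own code, not from the presentation); the role baselines, host names and flow records are all constructed.

```python
"""Added example: flag network flows that fall outside a role's baseline.
Role baselines, host names and flows below are constructed for illustration."""
from dataclasses import dataclass

# Constructed per-role baseline: destination ports and countries the role is
# expected to use. A deviation is worth a look, not proof of compromise.
ROLE_BASELINE = {
    "accounting": {"ports": {443, 445, 1433}, "countries": {"US"}},
    "it_admin":   {"ports": {22, 443, 445, 3389}, "countries": {"US", "CA"}},
}

@dataclass
class Flow:
    host: str          # workstation that initiated the connection
    role: str          # role of the assigned user, from the asset inventory
    dst_port: int
    dst_country: str

def unusual_flows(flows):
    """Return (flow, reasons) for each flow that deviates from its role baseline."""
    findings = []
    for f in flows:
        baseline = ROLE_BASELINE.get(f.role)
        reasons = []
        if baseline is None:
            reasons.append("no baseline for role")
        else:
            if f.dst_port not in baseline["ports"]:
                reasons.append(f"port {f.dst_port} not in baseline")
            if f.dst_country not in baseline["countries"]:
                reasons.append(f"country {f.dst_country} not in baseline")
        if reasons:
            findings.append((f, reasons))
    return findings

# Constructed sample flows: normal traffic plus "Bob telnets to the Netherlands".
SAMPLE_FLOWS = [
    Flow("acct-ws-07", "accounting", 443, "US"),
    Flow("acct-ws-07", "accounting", 23, "NL"),
    Flow("it-ws-02", "it_admin", 3389, "US"),
]

if __name__ == "__main__":
    for flow, reasons in unusual_flows(SAMPLE_FLOWS):
        print(f"ALERT {flow.host} ({flow.role}) -> "
              f"{flow.dst_country}:{flow.dst_port}: {'; '.join(reasons)}")
```

The value of the check depends on the asset inventory being accurate: the alert only fires because the tool knows which machine belongs to an accountant.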
Quick Stat — Using Amazon cloud servers with MANY, MANY GPUs (graphics processors), it is possible to achieve an unbelievable 22 trillion password guesses per second. At that rate a potential hacker is able to break any 8-character Windows (NTLM) password hash in a few minutes. Review your password policy!
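To see why the 8-character figure above comes out to “a few minutes”, here is an added calculation (mine, not from the conference) that turns the quoted 22 trillion guesses per second into worst-case time-to-exhaust estimates for several policies; the character-set sizes are standard counts and the policy choices are my own.

```python
"""Added example: time to exhaust a password keyspace at the rate quoted
above. Rate is from the post; charsets and lengths compared are my choices."""

GUESSES_PER_SECOND = 22_000_000_000_000  # 22 trillion, as quoted in the post

# Standard character-set sizes for common policy choices.
CHARSETS = {
    "lowercase": 26,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}

def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: seconds to try every password of exactly this length."""
    return charset_size ** length / rate

def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

def policy_table(lengths=(8, 10, 12)):
    """Return {(charset_name, length): seconds} for every policy compared."""
    return {(name, n): seconds_to_exhaust(size, n)
            for name, size in CHARSETS.items() for n in lengths}

if __name__ == "__main__":
    # 95 printable characters x 8 chars comes out to roughly 5 minutes;
    # 12 chars from the same set is measured in centuries.
    for (name, n), secs in policy_table().items():
        print(f"{name:>20} x {n:2d} chars: {human(secs)}")
```

These are worst-case figures for a random password; a dictionary-style password such as “Spring2018” falls in the first moments of a wordlist run regardless of its length.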
Even with improved software and people in the security department, it really comes back to the end-user. Do they have security awareness training? Are they empowered to know who to call if something is not right? Most people see hacking in the movies as a complex, super-technical event, but I will reiterate: that is often not the case.
Generally, most people just want to help, so if a hacker asks a user to do something (under false pretenses), most of the time the user will comply. The hacker is playing off human nature to get an employee to divulge information or click on something. This style of hacking relates to physical security as well. If a “criminal” is able to project a sense of belonging and an air of confidence so as not to raise suspicion, they will most likely succeed. In both situations, do employees know who to contact if something seems suspicious? Was anyone notified of the requests? Do employees feel empowered to question the person doing suspicious things? My colleague Sydney wrote an awesome blog expanding on this topic; make sure to check it out.
Finally, at GrrCon I watched security professionals run in-depth simulated attacks and saw how they succeeded, whether through the firewall, through a phishing scam, or by physically breaking in, stealing systems and installing malware on unlocked terminals. With a red (attacking) team and a blue (defending) team, the simulation showed the problems a company can face when it falls victim to a security breach. It is not enough for the red team to find flaws and then disappear; the blue team desperately needs to understand the risk and the methods the red team used and exploited. For individuals and business owners alike, this was a poignant reminder that the best preparation for cyber attacks is knowledge of attack techniques and of the potential weak spots in your own defenses.
Things You Missed at the North American Cyber Summit
As at GrrCon, the message was that people need to make sure the basics are covered. Is patching up to date? Are you keeping track of your assets? Keep security simple for the end-user; otherwise, people will work around the desired method.
During a panel talk, one of the key points was to know your data. Know your data before an event happens. Know how important your data is. Know the impact if it is unavailable for a time, if it is modified incorrectly, or if it is destroyed altogether.
A natural reaction to all of this could be, “all this talk of machines being breached or hacked won’t affect me, I’m just a small business.” While it seems logical that larger companies carry higher risk, the fact remains that 43% of all breaches involved a small business, totaling an 81 million dollar loss in 2018. Small businesses will continue to be hit, as criminals see them as lucrative and oftentimes unsuspecting targets.
How can you reduce your likelihood of becoming a target?
Change Culture. It takes 7 years to effectively change a culture, so if your company is at the beginning of this journey, remember: it’s better late than never.
- Stay up to date with security tests and help your team understand why security policies are changing and why security tests happen.
- Predictability – Train your end-users to be security ninjas! We have an awesome partnership with KnowBe4 and have been using it for the past few years.
- Communication – short, concise communication of updates.
The two conferences were quite different in the way they were presented, but they shared many of the same themes. It does not matter if you are a small business or a large enterprise: making sure basic security strategies are followed is at the core. Once those are in place, companies can investigate more advanced ways to help secure their data. People and companies sometimes take their data for granted, until it’s unavailable.