Ross Marston highlights what to look for and what you, your staff and your company can do to minimize the risk and reduce the impact of a cyber attack.
Cyber risk is the new OH&S, business leaders must take a risk management approach as it’s not a technical issue. What's a military term 'OODA Loop' got to do with cyber risk?
Ross is the Founder and Chief Security Strategist for Business Intelligence Security with over 30 years experience protecting companies against cyber attacks and educating businesses, large and small, government and private about reducing cyber risk.
Stephanie: Our guest today is Ross Marston, the Founder and Chief Security Strategist for Business Intelligence Security. Ross has been in cyber security and the network engineering industry for 30 years now. And his work with all manner of businesses from governments, large corporations, to small local businesses, and everything in between. He currently spends his days running his cyber security consultancy and his separate IT cloud services business.
I love how Ross describes the cyber security industry as perfect for those that find accounting just too exciting. And Ross has shared with me that he’s also a surf lifesaver in Noosa Heads.
Ross: Retired now, but yes.
Stephanie: But you started to tell me a great story, Ross, that I think was quite allegorical for our conversation about cyber security. And tell me about the question you’re often asked when you’re a lifesaver at Noosa Heads about sharks.
Ross: Are there are any sharks in the water?
Stephanie: And what’s your response to that question?
Ross: Absolutely yes. Yeah, it is, actually, an excellent allegory, isn’t it? That there is constantly sharks in the water. We used to tell people that there was two types of businesses. Those that have been hacked, and those that will be hacked. But that’s long since changed. Now, it’s those that know that they’ve been hacked, and those that don’t yet know there’s sharks in the water.
Stephanie: There’s sharks. Just before we get on to it, tell me what your real response though was when people said that there’s sharks in the water.
Ross: We tell them to dip their finger in the water and taste the water, and if it tastes salty, that there’s sharks in the water.
Stephanie: I love it. I think that’s great, that’s perfect. Just what you want to hear from your lifesaver.
Ross: That’s exactly right. Confidence inspiring.
Stephanie:… Yeah, perfect. Yeah, great. Every time I leave the country for work or holidays, whenever I’m out of Australia, without fail, our financial controller will get an email from ‘me,’ in inverted commas, saying, ‘Please wire $100,000 to this account. Can’t talk now, I’m going into a meeting. I’m very busy. Thanks, Steph,’ what’s going on there?
Ross: If you’re publishing where you are or people know where you are on social media, then the bad guys, we call them MTAs, malicious threat actors. But the MTAs are just keeping an eye on that and looking for opportunities to do a bit of social engineering and try and move everyone into an emergency phase. Social engineering’s all about trying to exploit what the military calls the OODA loop, the O-O-D-A loop, which is the observe, orient, decide, and act. What social engineering is all about is trying to get you to eliminate those middle two elements of orient and decide, and just go from observe to act, so that you make rash decisions.
So they create a sense of urgency, or they create some sort of imperative that you have to do something without really looking at what’s going on. That’s what social engineering is all about. Confidence tricksters have been doing this for an awful long time. Now, anyone in the world gets the opportunity to do it directly for people like yourself. Those types of attacks are called whaling attacks where they’re aiming at the big fish. We see it day in, day out of people trying to exploit those sorts of vulnerabilities. And the other side of things is that in many of those instances, there can be people actually living in people’s email systems and observing what’s going on. We see that happen an awful lot too.
Stephanie: Well, that’s really interesting because I don’t really use social media except for LinkedIn, and I would never say where I am. So does that mean that they may well be looking in an email of mine saying, ‘Well, I’m off to San Diego.?’
Ross: We may need to take this conversation off online. Yeah, I can’t say for sure.
Stephanie: So tell me about someone actually living in your email system. It sounds awful. But anyway, tell me what that is.
Ross: Yeah, and it can happen so simply. All it needs is one poor password or one poor security practice from someone within the organisation, and that can give an external, a MTA a foothold into your system. And from there, we call it lateral movement when they can move within your system, it becomes quite easy because as with confidence tricksters have evolved, it’s all about building up confidence. So if someone has your trust and they’re used to communicating with you, then it’s a very simple process for them to exploit that trust. So it’s all about just trying to exploit that process and that trust to get people to make rash decisions and do things that they otherwise wouldn’t normally do.
Stephanie: I like that analogy you’ve used of a confidence trickster.
Ross: It’s the same thing. It’s just the modern version of confidence tricksters, except now they get to be spread across the world and they don’t have to be face-to-face with you anymore.
They can be absolutely anyone, unfortunately. They’re generally termed in the media as hackers because that sounds a lot more scary and dynamic, and it sells a lot more papers. But they can be anyone from people who are just to have some sort of agenda, some political agenda. They can be just common thieves, just trying to steal money. They can be nation-state actors. They can be people just trying to make a statement.
That’s why we call them MTAs, it’s just a malicious threat actor. It can be anyone. And it can be anyone from the 14-year-old kid sitting in his bedroom through to very, very organised nation-state actors. As you may have seen in the media recently, even our political parties fell victim to a nation-state actor actually compromising their systems. So it can happen from the smallest to the largest, unfortunately.
Stephanie: Yeah, clearly. So for a midsize business in Australia or New Zealand, what would be the most common kind of attack to look out for?
Ross: Business email compromise is huge. So social engineering combined with business email compromise, that’s the biggest threats. There’s certainly other genuine hacking and genuine things like that going on, but business email compromise is certainly the people living in your email system, as we said before.
Stephanie: Sounds like an awful bug or something, yeah.
Ross: It is awful. The average length of time that someone lives in a system before the company finds out is 18 months.
So in 18 months, as you can imagine, quite a lot can happen. And most of the time, these guys spend just observing what’s going on. We had a client recently, who their systems had been compromised, someone was living in it. And the attacker had negotiated an entire contract with a third-party, a known, trusted third-party who they regularly do business with. They negotiated a whole new deal with this client, based on the fact that they were trusted. The only reason that it got found out before money actually changed hands, was that the client actually rang… Sorry, our client-
Stephanie: The contractor. Yeah.
Ross:… Yeah, actually rang the contractor up and said, ‘We just want to check. This is a different bank account than what you normally use… Should we really pay this $700,000 into this account?’
The answer of course was, ‘Huh? What are you talking about?’ It wouldn’t have been picked up if the client hadn’t actually just questioned the payment.
Stephanie: So we’ll get to… Just kind of parking it, but I want to flag that for when we get to well, what should you do about as a business? But one of the things is having really good practices, doesn’t it? Because-
Ross: Yeah, policies and procedures in place is imperative, and they cost nothing.
Stephanie: But not just about cyber, but about sort of financial and governance practices because-
Stephanie: … in my situation, my financial controller isn’t wiring any money anywhere just on a quick email from me saying I’m in a hurry, do it.
Ross: Yeah, you have to have processes in place that they will happen no matter what if you have those in place. Although of these fall under cyber crime and socials, but really, they’re just common business risk practices.
Stephanie: Yes, which are like them. We will get to that in a moment. I’d like to explore-
Ross: We’re going to tackle a lot of things there, aren’t we?
Stephanie: No, well, we’ve got plenty of time. What I want to explore a little more is the kind of attacks. What about a ransom attack? How common in that in Australia and is it-
Ross: Yeah, very common.
It’s quite devastating too because ransomware attacks, they normally come in through email, so it’s not a compromised email account, they would normally come in through someone clicking on a malicious link that gives way to the attacker being able to install some software on their machine. Once that software’s installed… Because a lot of IT firms and companies protect against the outside coming in, so they still have a moat mentality, we call it, of going, ‘No one can breach our moats, so everything’s okay.’ Whereas, most attacks happen from the inside out. They might be from a malicious insider.
Stephanie: But that’s like a phishing, is that what that is?
Ross: No, so phishing is the exploratory stage of trying to get the compromise inside, but what the attacker’s trying to do is just get access to the inside of your network. And once they’re on the inside, they know that most businesses aren’t that protected from the inside to move laterally within the business.
Stephanie: Right, I’ve got it. So what you were talking about before then, is someone inside clicking on something that takes them outside, and the potential ransom. And what might that look like? What kinds of things might a team member click on?
Ross: Look, it can be anything. It takes us back to that OODA loop scenario that we’re talking about, where the attacker is just trying to get you, some people call it clickbait, but whatever it is, it’s something that would interest someone to click on, and it normally involves and also are, ‘Hey, click here,’ or, ‘Log in to this account,’ or-
Stephanie: Or, ‘Australia Post, we’ve got your parcel ready. Click here.’
Ross: Correct, yeah, ‘Your parcel is ready. You’re going to be sued. You’ve got traffic infringement. A Russian lady desperately wants to meet you.’ And on and on it goes.
So it’s basically anything to try and entice you to click on the link. The link is then malicious, installs some software on your machine. Once the attacker has access to your machine, they’re inside your network. And you’re no longer trying to protect from the outside in. You’re then living in the network.
Stephanie: And that’s where a ransom attack could happen.
Ross: Correct. And so then they install some ransomware. What the ransomware does is encrypts, which just means changes all your files so that they can’t be easily read, and it does that with a mathematical process that you don’t need to worry about, but it encrypts it in a manner that they’re no longer usable. So the ransomware is, ‘Hey, pass us some of Bitcoin,’ or actually, what a more common one these days, or a very common one that’s going around at the moment is, ‘Pay us in Apple cards or gift cards.’
Stephanie: iTunes cards.
Ross: Yeah. Well, money laundering. And-
Stephanie: Oh, is that what it’s-
Ross: Yeah. It’s perfect money-
Stephanie: I always think, ‘How many iTunes cards can you need?’
Ross:… Perfect money laundering. It’s just turn money into something that they can change for something else, it’s just money laundering. Bitcoin or other crypto-currencies and I won’t go into the whole crypto-currency thing… but, ‘Pay us this money, and we’ll decrypt your files for you.’ And those ransoms can range from a few hundred dollars to several million. There’s been a number of very high profile cases in recent times that have been millions and millions of dollars.
Stephanie: And have you worked with many clients that have been through an attack like this? And survived it?
Ross: Yes, most survive it. For most, they’re unprepared and it’s a horrible experience that doesn’t go the way that they’d like it to go. So generally, people will survive it unless they’ve got no backups or nothing in place. But if they have no plan, it is infinitely more expensive than they have a plan already in place that’s tested and the world’s nice and shored up.
Stephanie: Anyone who’s listening to this conversation is now either on the edge of their seat, unplugged their computer, or never going overseas again. So how about let’s turn the conversation now.
Ross: Let’s go positive.
Stephanie: So, Ross, you’ve been doing this for 30 years, what should a business owner or even an individual, what should people do to protect themselves?
Ross: Start with the ultra basics. If people had good password hygiene in place, then you’re miles ahead of the general curve. So good password hygiene. The most important thing with that is if you use the same password in two different locations, you’re in all sorts of trouble. It goes massively downhill from that point. So every password needs to be unique, and ideally, over about 12 to 16 characters.
That means, you can’t remember most passwords. That’s great, we don’t want you to. Use a password manager. If you’re using a password manager… And there’s a ton of good ones on the market. There’s LastPass, there’s 1Password, there’s Dashlane, there’s a bunch of them. Any of the top name ones are very good. If you’re doing that, you’ll never remember another password and yeah.
Stephanie: Okay, so good password hygiene and use a password manager.
Ross: Yeah, let’s start with those ones. If you’re doing those things, then you’re a mile ahead of the curve. And if you’ve got everyone in your business doing the same thing, then there’s no weak holes, because there’s no point in having three immensely fortified walls and the other one being completely open to the world.
You’ve got to have practices across your entire business. Probably the main thing is that the business leaders, whether that’s the board, the C suite, whoever it is, they need to take personal responsibility that sub-security is what we’re going to pay a lot of attention to, and propagate that throughout the entire organisation because-
Stephanie: And I like what you, say, compare it with OH&S, because no one leading a business is going to ignore something that could lead to… it’s risk, isn’t it?
Ross: Yeah, it’s a 100% business risk issue. It’s not a technical issue. And if you’re thinking about it from a technical standpoint, you’ve missed the boat completely. It’s not a technical issue.
Stephanie: Tell me about that.
Ross: Look, it’s purely just a business risk issue. And anyone… You’ve had a couple of excellent speakers on recently that talked about innovation and how to innovate in your business. We’re talking about the same thing here. Most innovators have a very innate ability to go, ‘Okay, if we go down this track and that doesn’t work, we know we can head over here. We know that we can do this.’ They have a plan B, they have a plan C.
Stephanie: They’re somewhat risk-averse-
Ross: They are generally very risk-averse.
Stephanie: … which is kind of the irony, isn’t it? Yeah.
Ross: Yeah. And so genuinely innovating in your business means that you want to be considering and mitigating the risks where you can. And that’s exactly what we want people to do. Cyber risk is huge. Warren Buffett described it as the biggest threat to Western economies, or to world economies, sorry.
Very, very real risk, and it doesn’t need to be. It’s only a real risk because everyone’s kind of going, ‘Well, we hope the nerds have got it under control.’
Stephanie: Yeah, I’ve got IT people, they’ll do it.
Ross: Yeah, we hope the nerds have got it sorted out, we don’t have to think about that.
Stephanie: So I’ve heard then, and I really like that the idea of leadership from the board… and from the leaders in your-
Ross: And an understanding of what those risks are.
Stephanie: And then taking a risk management approach to it, which I really like. And that it’s not a technical issue that someone smart will sort out, it’s actually a business issue and so, as a business leader, that’s your job to do that. What else?
Ross: Okay, education comes into a massive part of what needs to happen because we tell everyone that they need to have layered defences for now their cyber security risks. But one of those layers is people actually understanding what their risks of what they do on a day-to-day basis are. So you said exactly what you saw, your CFO regularly gets bad emails saying, ‘Hey, quick. Send us all this money and life will be great.’ People understanding what they need to do to be able to mitigate those risks and what their job involves.
So if you’re a small to medium business and you’ve got a bookkeeper that’s in charge of doing what they do on a day-to-day basis, they have to understand what the risks are to them and to be aware of them. Because most of the social engineering type attacks and things like that, there’s no technology that we can throw at that to stop it happening. And it’s only people understanding what their job now entails. Because the world kind of moved with the technology and how we do a lot of things now, but business hasn’t changed. Business is still the same. You still need clients. You still need to make profit.
Stephanie: Yeah, it’s the fundamentals, isn’t it? You get paid, you pay people, you keep going.
Ross: Exactly, yeah. Life is, from that respect, is very much the same, but a lot of people have taken the attitude of, ‘Because this is a technical thing, I don’t understand technical things, so I’m just not going to look at that.’
Stephanie: It’s two things then. So education is one thing. And that’s really education across the board, isn’t it?
Ross: Education is huge. Correct
Stephanie: So it’s your whole team understanding that.
Ross: Correct. From the top down.
Stephanie: From the top down. And then policies are different. That’s a separate thing as well. What’s your standard practices that are risk mitigation and-
Ross: Yeah, you need to have those in place, so that they’re very, very clear. So if we head back to the issue that you talked about with the CFO before, if there’s no policy in place to say, ‘This is what we do when we are transferring any money. And this is the process.’ We’re talking about people compromising and changing bank accounts on invoices which we see happen almost daily. You’ll get an invoice and the bank details are different because that invoice has actually been adopted by a malicious third-party.
If you don’t have standard practices in place to be able to say, ‘Well, if a bank detail changes, then we question it in a couple of different ways to make sure that this is authentic.’ And if you don’t have those sorts of policies in place… A classic one is an acceptable use policy for users. What are you allowed you to do? What is an employee allowed to do or a guest in your network, or in your business, or anything like that, what are they permitted to do when they are on your network? If those policies aren’t written down, then they don’t exist, and free for all is at hand. So things like acceptable use policies. BYOD policies, bring your own device. If I bring my phone into work and it’s full of malware and horrible things and I’ve got games by the truckload on there, and I connected to your network, and all of a sudden your network’s compromised, do you have a policy governing those sorts of things?
Stephanie: Do you know, when I worked for a much bigger organisation than where I am now, we had all that stuff. And I remember when employees weren’t allowed to look at Facebook on a work computer. The world has changed so much, number one. Number two, I represent and I’m a mid-sized business, so it’s hard to say you can’t have your own devices because more and more in organisations, people have their device, that’s how you operate now. So it’s just back to education, I suppose.
Ross: Well, it’s not only education, but it’s back to the business saying, ‘This is acceptable.’ So it doesn’t matter whether you’re a one-man band, and you just have a contractor bookkeeper come in or a couple of contractors come in, or whether you’re a tec-sized business, or whether you’re BHP, the requirements are the same. You just scale how much you do of it.
So if you don’t have any plan, then you are guaranteed to fail at it. Standard business 101, you have to have plans. And the risks to your business from a cyber perspective, fall exactly in that realm. You have to have a plan and policies and procedures. This is how we authorize a bank account details change for a supplier.
Stephanie: I understand. And that’s basic business practices, but being really tight on it.
Ross: Basic business practice, but they’re the things that we’re constantly having to try and deal with for clients because as I say, I guess people kind of go, ‘It’s a technical thing, I don’t understand technical things, so therefore, I’ll just let that one go through to the keeper.” And so my apologies in advance to any insurers listening, but it is a minefield. And you really do have to read very carefully because a lot of cyber crimes that we identify as cyber crimes, are actually fraud and theft, and they fall under a fraud insurance, not a cyber policy.
Unfortunately, no one wants to read an insurance policy, but you have to when it comes to cyber because you need to fully understand what it is that you’re insuring against. And where the gotcha frequently comes in is a policy will read, ‘We will protect you against this, this, this, and this, provided you have this, this, this, and this in place’. ‘If you had this in place-
Stephanie: Like having locks on your windows for theft or whatever.
Ross: Yes, correct. Yeah, it’s exactly the same thing. If you had those things in place, the risk probably wouldn’t exist in the first place. So you’ve kind of got to carefully read and understand what it is that you’re insuring for and what your requirements are to do that, because there’s been some very high profile insurance claims in recent times that have been turned down because a number of reasons that… So insurance is very important and should definitely be considered, but it should be looked at very closely to make sure that people understand what they’re buying and they’re not just throwing money randomly at a problem.
Stephanie: Yes, okay. I think the social network. Social network, what’s it called? Social engineering.
Ross: Yes. It’s the easiest to perpetrate and if we’re doing a penetration test, so you’ve heard of?
Stephanie: Yes, I understand.
Ross: Yeah, so if we’re doing a penetration test, that always starts with a bit of social engineering to ring up someone and just say, ‘Look, I’ve lost my password and I’m trying to get in. I need to get in right away to pay this, and’-
Stephanie: Can you just change my password?
Ross:… just reset my password for me and tell me what it is. ’There’s a two second bit of social engineering that gets you immediately into most organisations very quickly.
Stephanie: That you probably won’t say right now.
Ross: It’s one of those things that people need to be back to being trying again and so forth, but the social engineering aspect, that’s the confidence trickster part, that’s the part that’s so easy to play on. And again, because a lot of people don’t really understand what’s required of them in their job now, they understand what the old school requirement was, but they don’t understand what is required as far as, now that we do all this in a third-party app that lives somewhere out there in the cloud.
The cloud. A term we just love. Does my job change? And there has been no real training around that and no real understanding of what the requirements are now. So social engineering is actually getting easier and easier because the reason they’re training there for people to understand.
Stephanie: Right, and so the shift in paradigm around work is opening up a whole lot of other things, isn’t it? Other than… Well, you can be flexible and work part-time, or the gig economy, or whatever
Ross: Correct, yeah.
Stephanie: It’s that clarity about what’s my engagement with the organisation and what does that require of me? Whether I’m in a café on wifi, or if I’m sitting in an office looking at my colleagues.
Ross: That’s exactly right and also, what is the requirement on the support staff within the organisation or external to the organisation?
Stephanie: Well, that’s right because I outsource … X, Y, and Z because that’s a modern work paradigm.
Ross: Yeah. Who do we speak to about, what is acceptable information to give out over the phone? I was on the way over on the train yesterday afternoon. I was sitting next to a lovely lady who was ordering her dinner on the phone. I now know her phone number, her street address, her full name, what she eats, and I’m just sitting next to someone on a train.
The way we do a lot of the things that we do now on mobile phones and so forth, have changed things in quite a significant manner that make it so much easier to exploit so many of those things now. And we need to educate people so that they understand what those things were. When the guy used to turn up with the vacuum cleaner on your doorstep, it was a lot easier to know who was a confidence trickster and who wasn’t. Grounds got a lot muddier.
Stephanie: Yeah, it has. I’m fascinated about this stuff because it’s just a whole different set of challenges and risks for business.
Ross: But it is still just standard business risk. and it needs to be thought of in exactly the same manner. It doesn’t need to be thought of in, ‘This is insurmountable.’ It’s quite surmountable.
Stephanie: Well, it is. And that’s what I’ve taken from this, Ross. Start with the basics, which is have a good governance of your business, good leadership, and be training your team with clarity about what their job is and what the boundaries are. And then be owning, as a business leader, owning what the challenges and the risk is rather than saying, as you said, ‘The nerds will look after it, I don’t,’ or, ‘I’m insured, I’m fine.’
Ross: Yeah, that’s exactly right. I mean, most business leaders, particularly when we go in after a breach has happened or something like that, have no concept of what it was that they were trying to protect in the first place.
Stephanie: Yeah, like, ‘I don’t even know what I did wrong.’
Ross: That’s exactly right.
Stephanie: So I love that. And I think that that’s where we’ll-
Ross: It’s very achievable to see.
Stephanie: Well, and that’s the note that we’re going to actually leave it on, that it is achievable, and as a leader, it’s taking responsibility of what’s important to the business. And the third big takeaway, if the water’s salty, there’s probably sharks in it. And Ross, what a practical, interesting, great conversation. Thank you so much for your time.
Ross: No worries, thank you very much.
Stephanie: So that’s TEC Live for today. CEOs are in the business of making decisions and leadership is the art of execution. I’m Stephanie Christopher, and look forward to talking to you next time.