Meet the 'hacker' protecting you from cyber threats
Podcast episode
Garreth Hanley:
This is INTHEBLACK, A Leadership Strategy and Business podcast, brought to you by CPA Australia. Welcome to INTHEBLACK. My name is Garreth Hanley, and I'm the podcast producer here at CPA Australia. Today we're talking to Dan Weis about cybersecurity. Dan is a pen testing practice lead at Nexon Asia Pacific where his day job is breaking into corporate and government computer networks. He's also the author of Hack Proof Yourself: The Essential Guide for Securing Your Digital World. In this episode of INTHEBLACK, Dan pulls back the curtain on some of the surprising tricks that hackers use, and he offers straightforward and actionable advice on how you can mitigate cyber risks and improve your cybersecurity, starting from today. Welcome to INTHEBLACK, Dan.
Dan Weis:
Thanks for having me.
Garreth Hanley:
So you break into computer networks. From that description, I'd call you a hacker, but your official title is penetration tester, is that right?
Dan Weis:
So there's lots of different names out there. There's lots of jokes, but usually, obviously, penetration tester is the official title. There's also ethical hackers or other terms that get thrown around sometimes as well, but penetration tester is predominantly the main term that's used.
Garreth Hanley:
Okay, so you're an ethical hacker. Does that mean you're one of the good guys?
Dan Weis:
Yes, yes. We use our powers for good, not for evil.
Garreth Hanley:
And you also do something called red teaming?
Dan Weis:
Yeah, sure. So a lot of people have probably heard the term red team before. Sometimes it's also called a tiger team. You may have heard of that term as well. It is basically where we employ multiple attackers, in this case, multiple pen testers, to assess an organisation all at once. So instead of having one person assessing the security of a business, we might have one tester looking for holes or entry points in a company's internet-facing systems. While at the same time another tester might be playing diversion and actually trying to distract their security teams. While another tester might be doing social engineering and calling up people or phishing or what have you. So basically it's where there's multiple attackers, or in this case multiple penetration testers, assessing an organisation at once.
Garreth Hanley:
So I've also heard about blue teams. What's a blue team?
Dan Weis:
A blue team you could think of as the defenders. So the red team are the attackers or the offensive operators, and the blue team are the defenders, right? So they're your IT/security people who are monitoring for different attacks and trying to prevent attacks from happening. So the blue team are very much on the defensive side as opposed to the offensive.
Garreth Hanley:
So your team are the hackers and the blue team are the defenders. So what exactly happens after you are contacted by a business that wants to test their security?
Dan Weis:
So typically we have a meet and greet with a client just to determine where their high risk areas are, what they're looking to get tested. So for a lot of organisations looking for penetration testing or these services, they've never had a penetration test done before. Companies usually fall into two areas. They fall into those that regularly get it done. They're very experienced with penetration testing and security testing and audits and that sort of thing. And then we have the companies that have never even heard of it until their insurance turned around and said, "Hey, you guys need to get a penetration test." So we have those two types of companies that reach out to us. We will typically run them through a process of what a penetration test is all about, what they're trying to achieve from that, and then we work with them to scope out what that engagement, or what we call our rules of engagement, might look like for that assessment. If we're talking about what penetration testing is all about, for those of you who are new to that concept of penetration testing or a pen test, a pen test is where we perform an assessment of an organisation's security from the position of a malicious attacker. So we use the same tools, techniques, tactics that the bad guys use. And the goal of the pen test really is to identify all of the risks, the threats, the vulnerabilities, that overall security posture of the organisation. And then to give them the report detailing what those risks and threats as well as those remediation actions look like. And of course activities they can take to obviously reduce those risks, those vulnerabilities, and to improve their overall security posture, of course, preventing them from becoming the next headline, the next Optus or Medibank.
Garreth Hanley:
So Dan, can you tell us about the tools you use and the tricks that malicious actors use when they're trying to break into computer networks?
Dan Weis:
So firstly, we have a number of specialists in different areas. So we have web applications and mobile apps. We have network and cloud, social engineering, others are specialised in wireless. And typically the way it works, if we are trying to breach an organisation from the internet, we'll typically start with what we call our reconnaissance phase. And this is to gather as much information as we can that'll help us to breach the organisation. This will include information like email addresses, things like social media enumeration, financials and network information. Basically anything that helps us to breach in. And what happens is we combine all of this information into basically what we call a network attack blueprint. And then we'll use that information from that network attack blueprint to try and breach into the services that they might have facing the internet. So we have that whole technical network set up there, but then we also go down the route of social engineering as well.
Garreth Hanley:
What is social engineering, Dan?
Dan Weis:
For those of you who don't know what social engineering is, social engineering is otherwise known as the art of deception. It's basically where an attacker will try and convince people to do things, right? To click on a link, to open an attachment, to give out some other sensitive information as well. Some of the tactics that we might use are things like vishing, which is voice and phishing, and that's your typical calling up of a staff member. Calling up IT is really awesome as well, imitating a legitimate user as an example. Of course, phishing and spear phishing, or a combination of both. And also physical access entry options as well. Many of our testers have a wardrobe filled with different uniforms that we use to try and physically gain access to an organisation's office. So we have trader uniforms, we have courier uniforms, cleaners. Methods that we've used in the past, as an example, which are not technically related, are things like delivering of goods, delivering of donuts to the tearoom, getting access that way. Hanging out with the smokers at the back of the building, then just tailgating them in that back door as they all go back to work. Our goal, obviously, is just to get into that office environment so that we can plug in a device that we can remotely connect to later on.
Garreth Hanley:
So are you saying that a high-vis vest can be as important as a laptop for a hacker?
Dan Weis:
Absolutely, absolutely. And even things that people don't generally consider, things like USB keys as an example. I know we're very much in a new age where everything's online and all that sort of thing. But free USB keys, as an example, work really, really well. We've had many engagements where we've dropped a whole bunch of them in a car park and within a day or so we've had two or three, sometimes even five, plugged in, which of course provided us an entry point into the network. And even delivering free USBs, we've done a lot of deliveries of free USBs to, say, reception, masquerading as salesmen. And I said, "Hey, here's some freebies. If you like it, maybe you want to look up our website and buy some product." And of course, they hand them out to their employees, their employees plug them in, and then that gives us our entry points as well. So obviously technology is key in our engagements, but also exploiting human error, which is often the weakest link, yields us the greatest success.
Garreth Hanley:
So do you find that sometimes you have more success with that physical access and social engineering rather than just hacking into their systems with a computer?
Dan Weis:
Yeah, it varies from organisation to organisation. For the larger organisations, it can be a lot easier to gain physical access, if it's a geographically large office as an example. But if you're talking about, say, a very small business which only has a handful of people, then physical access is going to be very, very difficult. In which case the best option there would be a network path or via phishing or something like that. So it's about gauging what's the best method of entry point for every engagement.
Garreth Hanley:
We've heard a lot about some massive data leaks lately, and the government's obviously very concerned about it as well. Is this something that all businesses need to be worried about or is it really something that you only see happening in the big end of town?
Dan Weis:
These days, cyber attacks are an issue for every business regardless of size or industry. Obviously, high profile breaches like Optus, Medibank have brought it to the forefront of people's minds. But the same risks, threats and vulnerabilities that apply to big business and government obviously apply to small and medium businesses as well. I'd argue that small and medium businesses are more at risk due to the simple fact that they just have more to lose. Big businesses can often weather a data breach and they've got sufficient budgets to cover incidents and to continue on. But for small businesses, as an example, this could mean the end of their business. So we often find that small businesses are targeted and their environments are also used as a launchpad to attack other bigger organisations in an attempt to avoid detection. So if I give you an example, let's say a hairdressing salon, they would just collect people's names, phone numbers, maybe an email address to reserve some bookings. Now, if this data is exposed, people will firstly be targeted with phishing emails and smishing attacks, so those dodgy SMSs that come to your phone. They may then follow through and give out their credentials or access to their devices via that method. That information from the hairdressing salon could also be used, say, for identity theft purposes in conjunction with other attacks. So every business holds data of value in one respect or another. So obviously everyone is at risk and no one is immune by any means.
Garreth Hanley:
And you're seeing a range of these attacks where attackers might be collecting information to commit another crime or attacking a business directly, and sometimes they're using the compromised computers to launch other cyber attacks. Is that right?
Dan Weis:
Exactly right. There are attacks that are with a goal of obtaining information, so information is high value. But a lot of the time we find that smaller organisations are breached so that they can use their network infrastructure to launch attacks against bigger organisations. So they've got bigger fish they're trying to catch. And so the smaller guys are used just to avoid detection, just to hide and remain stealthy.
Garreth Hanley:
And people are still falling for these tricks, Dan, I mean, are free donuts still getting you through the door?
Dan Weis:
Absolutely, absolutely. Everyone loves free stuff, right? It's as simple as that. And they'll continue for the long term. We're not going to see that go away anytime soon. There are a lot of new things that we're seeing on the horizon as well in the cyber attack space. As an example, we're seeing a lot more adoption of artificial intelligence, AI, now by attackers.
Garreth Hanley:
How's that changing things?
Dan Weis:
We're seeing attackers use AI, as an example, to perform password or brute-forcing attacks, with AI gathering data or fingerprinting the targets and then generating passwords and then attempting them on different systems. We also see things like images and videos such as deepfakes you've probably heard about or listened to in another podcast. We're also seeing a lot of malware out there that's now using AI. So I foresee a big increase in these AI attacks moving forward. But on the same token, we have security companies such as endpoint protection companies. We used to call them antivirus in the old days. They're now using AI to detect and stop malware, and we're seeing things like SIEM tools, and SIEM stands for Security Information and Event Management. These tools are used for detection and response, and they're all powered by AI now as well. However, we've got AI coming along, but the same old issues that have been around for a long time are still in play, and they're not going to go away in the foreseeable future. And this includes, of course, things like phishing, spear phishing, calling up people, compromising of weak end user passwords, new vulnerabilities, non-patched systems, misconfiguration, all these sort of standard vulnerabilities we've seen pretty much forever in the pen testing space.
Garreth Hanley:
So Dan, why are cyber attacks still happening?
Dan Weis:
There are many factors at play when it comes to why cyber incidents are happening. If we went back, say, five to 10 years, one of the biggest issues was a lack of investment, as an example, from organisations. These days, for the most part, it's a much different story. Organisations are now starting to cater for costs in their annual budgets to cover cybersecurity and risk mitigation, which is awesome, although for most organisations we assess, budgets are often still not large enough. But another reason is simply people. People are people, right? And often they don't adapt and improve like technology does. It often comes down to end user education, with most people just unaware of what they should and shouldn't be doing. This includes the basics, things like not reusing passwords across systems, not using weak passwords, limiting the amount of information published online about themselves, awareness with regards to indicators of phishing emails, people responding to SMSs, not using multifactor authentication, what we call MFA, and just a general lack of common sense. But on the same token, you can also have educated users who just slip up. Mistakes happen and we're all human. You may have someone, as an example, who's just had a baby, they've got a newborn, they've been up all night, the baby hasn't been sleeping, they're tired, not concentrating for a split second. They open that email attachment and that's all it takes. So businesses, they really need to remember that it doesn't matter if you have all the security technology in the world, if your staff are not educated, incidents are still going to happen. And we often find that organisations that have very fortified perimeter defences, we're talking about technologies like firewalls and intrusion prevention and endpoint protection, all these different things, they can still be bypassed. They just fire a simple email that manages to get through all of their email filtering and bypasses all those technological safeguards.
So another example is these days most organisations, they've adopted MFA for their users, which is awesome, but if users are just accepting those MFA, what we call push requests, anytime they pop up on their phone, even if they didn't initiate it, then MFA protection doesn't work.
Garreth Hanley:
It sounds like education is one of the reasons why these attacks are still happening. Are there any other reasons, Dan?
Dan Weis:
The next biggest issue we generally see is visibility and response. Most organisations just have no idea an attack is underway until it's too late, and we find this on nearly every engagement. Organisations just need to ensure that they have the visibility into cyber attacks that are underway so that they can take action before it becomes a major incident. We talked about SIEM briefly before, which is one of the methods that organisations can use to gain visibility, but for smaller businesses it can be just as simple as some minor configuration changes from their IT team, which will then provide them some degree of visibility. And they can also turn on, say, cloud features like Microsoft 365, which has various alerting built into that. Obviously another option is companies can outsource this sort of stuff. They can get a managed SOC service, as an example, where an organisation is paid to basically provide overwatch over their organisation.
Garreth Hanley:
Can you explain what a SOC service is, Dan?
Dan Weis:
So a SOC stands for Security Operations Centre. So it's basically a bunch of security professionals that just sit there monitoring and watching your network and responding to any alerts or issues that come up.
Garreth Hanley:
Right. So they're cybersecurity professionals for hire who watch your network, is that correct?
Dan Weis:
Exactly right. They watch and act. Yep.
Jackie Blondell:
If you're enjoying this episode of INTHEBLACK, you might like our Excel Tips podcast each week. Our resident Excel expert, Neil Blackwood CPA, brings you tips and tricks for Microsoft Excel. Search for Excel Tips in your favourite podcast app or check the show notes in this episode to subscribe. Now back to INTHEBLACK.
Garreth Hanley:
Dan, I think I've read somewhere that sometimes attackers are in computer systems for three or four months before they complete the attack. Does that sound about right?
Dan Weis:
Yeah, that's really common. And that's again back to that detection and response, because organisations don't have visibility that they're actually in there. Then of course, how are you supposed to respond or stop that attack? So in a lot of the engagements we perform, we get tasked to, and if we breach into, say, somebody's Microsoft 365 account and we've got access to their mailbox as an example, we'll create an inbox rule to hide any email communication that we're sending around. We can spend days and days just sitting in that user mailbox accessing data, and there's nothing going off anywhere. They've got no visibility of any of that. And that's why a lot of these breaches happen in networks and happen for a long period as well; there's just that lack of visibility or response. If there are no systems to detect them in the first place and to look for these anomalous behaviours, then there's no way they're going to be able to reduce that threat or at least get them out.
Garreth Hanley:
And are there tools or ways of identifying these people in the systems before they become a problem?
Dan Weis:
Absolutely, and that's back to the SOC and SIEM components that we talked about before. These are the technologies that companies can consider putting within their network to amalgamate all the sources, all the data from all their different systems they might have, and then it does behavioural analytics across the top of it to give a picture of, "Hey, this user who normally works nine to five in Australia, all of a sudden I'm seeing a login from China at two o'clock in the morning. Something's not right here." As an example.
Garreth Hanley:
That sounds like at least one quick win for businesses who are looking for upgraded protection. Do you have any other tips for large or small businesses?
Dan Weis:
Yep. So there are lots of ways that businesses can improve their cyber resilience and security. These are things like making sure you've got some cyber insurance coverage in place, a simple thing, and most insurance policies might come with a standard sort of 1 million management liability cover. Usually it's nowhere near enough in the event of a breach, but just obviously having some separate cyber insurance cover is a good idea. Making sure that there's regular training and phishing of the staff; it is perfectly okay and recommended to phish your staff every single month. Organisations should also adopt what we call a micro-learning approach, which encompasses short, sharp training each month rather than the once or twice a year long one-hour sessions, which just don't work. People forget about them after a couple of weeks. And organisations also need to consider IT-specific training for their IT teams on cyber threats as well. The next point is probably around educating the users on cyber risks at home. And this includes the basics: how to create passwords, how to use password managers, using different passwords, using MFA, restricting content online. Things like the basics, thinking before you click on opening emails, not making payments without verifying, keeping things up to date. These are all sort of standard, what we call, hygiene practices. If people are aware of these risks and these threats when they're at home and they're employing these measures at home, they're much more likely to bring them into the workplace as well. So providing them both training for work and home is a really good idea. Next up would be ensuring that the organisation has an incident response plan, and that's something that's tested annually at a minimum, and that allows the organisation to quickly and effectively respond to a cyber event.
And this is what we call being cyber resilient, and this also ensures that they're prepared to be able to respond to those notifiable data breach obligations that are enforced by the OAIC. In the same token, making sure that you've got that visibility and response capabilities we talked about earlier is obviously key. The next point I'd recommend would be ensuring that the organisation is sufficiently funding cybersecurity and that your IT guys are doing the right thing as well. They're putting in all the necessary security measures and technologies available to them to prevent a breach from happening in the first place. And these are things like locking down systems, enforcing MFA, there's technologies like application whitelisting, hygiene stuff, cleaning up accounts and groups, applying updates to systems, patching vulnerabilities, backups, all these standard controls they really should be doing by default. A good framework for organisations to benchmark against is the ACSC Essential Eight, which is the top eight mitigation controls, and they stop around about 90% of breaches. And you can obviously access those via the ACSC website. The next one is obviously regular penetration testing and remediation as well. So once a year is more than enough for most organisations. And also a consideration is making sure that your pen test team are doing attacks like social engineering and other avenues which are generally missed by a lot of vendors. And most importantly, actually remediating, fixing the issues from your pen test. And we often find organisations engage us to do a pen test, which is great, but then they don't do anything or don't remediate all the issues and risks that we flagged. So if you're not remediating the issues, the risk profile is basically staying the same, basically voiding that pen test. And the last point is probably just around getting educated.
I know it sounds really basic, but just staying abreast of the latest cyber news and attacks and events that are happening around the globe. And this is both for IT and for regular folks. This includes things like following newsfeeds, there's various websites, even LinkedIn as an example, is great for security news. Sites like ACA News, obviously the ACSC, cyber.gov.au. We've got Scamwatch as well, which is another great service. And the last point I'll touch on is if you obviously suspect that you've been hacked or you've had your identity stolen, first up for businesses, your first point of call would be to contact your IT or incident response provider. Then they'll generally reach out to the ACSC, which is 1300CYBER1. And then they'll put you in touch with support if you don't have any cyber insurance coverage and give you that post-breach assistance. Or you might also just go, "Hey, we'll go straight for our cyber insurance." For individuals, your best point of call if you suspect that you've had your identity stolen or your accounts are hacked or something like that, you can reach out to an awesome government funded service called ID Care, just idcare.org. They really do some amazing work, and their job simply is to help people who have been hacked or had their identity stolen or fallen for some other scams that are out there.
Garreth Hanley:
Thanks, Dan. It sounds like there's a lot of help and resources available and CPA Australia has a cybersecurity resources page on our website as well. We will leave links to all of these resources in the show notes for our listeners. So check the show notes if you're interested in finding out more information. Now, looking into the future, what's on the horizon for cybersecurity? You mentioned AI and there's a lot of talk about AI, but I'm not sure how much we understand about its impacts yet. Is there anything else that's on the horizon that's worth mentioning?
Dan Weis:
Yeah, so more and more cyber attacks, we all know, will continue to happen, okay? And that'll be the most prevalent threat of our century moving forward. More breaches are going to happen, more data will be exposed. All organisations need to understand that a really determined attacker will get into your organisation at some point, and it's your job to make it as hard as you possibly can so that they move on to some other low hanging fruit that's out there. Or at a minimum, you can at least contain that threat. So what's good now is we're starting to see a lot more government involvement with cybersecurity, which is great. And you see almost daily in the news that there's different measures being put in place by the government to help around this. The next point that we've seen is around these new work habits. So since COVID, obviously most organisations are now either hybrid working, so partially from home, or full-time from home. We anticipate this to continue to be the new norm as opposed to the exception now. So organisations should be considering their home or partial home workforce as an extension of their office network now and putting in measures to protect their data from potentially uncontrolled machines. The classic example is the latest LastPass breach that's just happened only within the last few weeks, and that breach happened due to a user taking their workstation home and the machine was then compromised while it was at their home network, and it wasn't compromised via the corporate network. And of course, that in turn led to gaining access to the corporate environment. So I have five Rs when it comes to cybersecurity. First up, risk profile: understand your business and understand its high risk areas. The next R is reducing the likelihood of a breach or incident happening in the first place. These are things like training, technical controls, all these things we've talked about before.
The next R is around reducing the impact of a breach if it happens. And the next area is responding as fast as possible when a breach happens to obviously reduce that damage. And then lastly, to recover and learn from your mistakes. So there's always going to be new and emerging threats on the horizon. New vulnerabilities come out every single day, that's not going to change. And it's obviously about how we adapt and respond, which is key here.
Garreth Hanley:
Fantastic. Thanks, Dan. Now, I think everybody should get advice from a cybersecurity professional. So while we have you in the room, what are the top three things that people can do today to improve their cybersecurity?
Dan Weis:
The top three for businesses is firstly getting some training and phishing happening, having a system in play that'll keep those users on their toes. Next one, of course, is obviously technical safeguards, and probably the most important one is understanding the risk and catering budget and basically taking the position of "you will be hacked at some point, and then what are we going to do about it? What's it going to look like for our organisation?" We do still see a lot of companies that have their heads in the sand. A lot of businesses that have their heads in the sand, they think they're not going to be a target. It's just about people coming to the realisation that everyone is definitely now a target. It's been like this for a long time. It's just whether businesses want to accept that, if they're a small cleaning company as an example, they will get targeted. Definitely the main ones: technical controls, those end users, focusing on that. And of course, getting penetration testing done and just not putting your head in the sand. You know that there's going to have to be a spend to make sure that you don't become the next headline.
Garreth Hanley:
Okay, so understanding the risks and having a response plan, having adequate technical safeguards and education. And the first thing you mentioned there was education.
Dan Weis:
Absolutely, every employee has their part to play in the organisation. As I mentioned before, the organisation can spend stacks of money and put all these different technical safeguards in place, but if the users are still doing the wrong thing, all those technical measures are useless. Every employee, it's their responsibility as well as the organisation's to make sure that a breach doesn't happen. And let's face it, if an organisation gets breached and it's absolute worst case and the business ends up shutting down, well, that's in their worst interest as well because obviously then jobs go and there's various other flow-on effects from that.
Garreth Hanley:
That's all we've got time for today, Dan. So thank you so much for joining us.
Dan Weis:
Thanks for having me.
Garreth Hanley:
And just a reminder that you can find links to all of those resources to help you with your cybersecurity in the show notes. You've been listening to INTHEBLACK podcast. If you like what you heard, leave us a review and subscribe on your favourite podcast app. Thanks for listening. If you've enjoyed this episode, help others discover INTHEBLACK by leaving us a review and sharing this episode with colleagues, clients, or anyone else interested in leadership, strategy, and business. To find out more about our other podcasts, check out the show notes for this episode. We hope you can join us again next time for another episode of INTHEBLACK.
About this episode
Penetration testers hack into your company servers. Don’t worry – these are friends who can help your company stay safe from the dark web’s cyberthreats.
“Pen testers” do it to protect you from the real hackers out there trying to steal your data.
In this episode we meet a lead penetration tester. Learn what he does, how he does it and how you can improve your own organisation’s cyber security.
Host: Garreth Hanley, podcast producer, CPA Australia
Guests: Dan Weis, Practice Lead - Penetration Testing, Nexon Asia Pacific
CPA Australia has its own cyber security resources and support.
You can also check out the Australian Cyber Security Centre (ACSC), which has useful information for small and medium businesses.
If you've been hacked there is online support and you can phone 1300CYBER1.
For global news and security events
- Linkedin.com
- scamwatch.gov.au
- AusCERT
- The Hacker News
- Discord channels and Twitter
For vendor security notification feeds
- SANS @RISK
- Microsoft Security Blog
- Microsoft security intelligence
- Google Online Security Blog (googleblog.com)
- Safety & Security | Google Blog
- Cybersecurity Alerts & Advisories | CISA