Cybersecurity 101: Educating yourself and your leadership team


Caroline: Hello everyone and welcome to today’s Diligent webinar. Today’s topic is Cyber Security 101: Educating Yourself and Your Leadership Team. We are pleased to welcome our presenter today, Al Percival. This webinar is live and interactive. You’re encouraged to participate by posing questions to the presenter in the chat box below, in the bottom left-hand corner of your screen.


If you’re experiencing difficulty hearing the sound during the webinar, please dial the 1-800 support number listed in the chat box. Thank you all. I’d now like to pass you over to the co-host, Kate Ellis from Diligent, to begin.


Kate: Thank you, Caroline. Welcome to Diligent’s first webinar in Asia Pacific. I’ll be your co-host today. Just a little bit about me. You can ignore a couple of things that are on screen there. They’re not all true. Well, most of them are. I’m your marketing manager here at Diligent.


Now we’ve designed a series of webinar topics over the coming months that support our audience in elements of their home and work lives. This one in particular is to help like-minded people to understand the pitfalls that many of us face when dealing with security for our home and [inaudible 00:01:09] computers, and how we can prevent being a victim of cyber crime.


Our host today is Al Percival, our managing director of Asia Pacific. Al has over 25 years’ worth of experience in the IT industry. He’s led the development of one of the largest retail solution implementations in Europe and pioneered the use of that. Throughout his career, he’s been engaged to speak at numerous events talking about industry security. We’re very fortunate to have Al with us at Diligent and he’s been with us for over 12 years now.


During his initial engagement with us, he’s been the head of software development and has run operations at our head office in New York before he returned to this side of the world.


Before I hand you over to Al, I’ll just cover off a few things on how we’re running the webinar today. It will be running for a total of 50 minutes, which will consist of a 40-minute presentation, with survey questions throughout, followed by a 10-minute Q&A. We do recommend that you participate and get the maximum out of this time that you’re spending with us.


The call, as you know, is being recorded and will be available for download. We’ll be sending the email download to you after the call. If you’d like to follow up with Al or myself after the call our details will be available on the screen at the end of the presentation. I’d like to hand you over to Al.


Al: Thank you very much, Kate. Today’s topic as we’ve already mentioned is top 10 cyber risks and what perhaps we can do to protect ourselves against some of the threats that are out there in the wild.


I want to start with, I guess, a bit of good news. The whole problem of cyber security was actually solved 25 years ago by a guy who came up with a couple of very simple rules as to how to protect yourself from any form of cyber attack. Real easy: don’t buy a computer, and if you do buy a computer, don’t turn it on.


Obviously, that’s a very tongue-in-cheek comment and he wasn’t being serious. I think there’s a kernel of wisdom in this, which is that we can’t actually protect ourselves 100% from all risks when we are interacting online. Everything we do, of course, does have … It’s true with daily life as well. Everything we do does have some element of risk attached to it. What we want to do today is have a look at how we can reduce those risks and how we can avoid some of the traps that people fall into when working online.


To help us, we have a bit of a cast of characters who I’d like to introduce you to, to start with. We have a couple of people who work for a fictional company called MyCorp. We have Alice who’s the CEO of MyCorp. She is assisted by Bob her executive assistant. Now Bob is an interesting character, as we’re going to see in today’s presentation. He’s got a bit of a thing for buying shoes. He’s got a website he visits quite a lot called ACME Boots and Shoes.


Unfortunately, what Bob doesn’t know is that this particular website was developed by a few people who didn’t really know a lot about internet security. Unfortunately, they’ve left a few security holes. Which of course, our good friend Charlie at the bottom of the screen there is going to exploit. In doing so, Bob is inadvertently going to perhaps open up some threats for MyCorp and for his boss as well.


I think we can all feel a little bit sorry for Bob, but then he does do a few things that perhaps he could learn to protect himself against such attacks.


We’ll start with perhaps everyone’s favorite topic, passwords. I think we can all sympathize with the guy in the cartoon there who, of course, has got so many passwords in his brain. It’s clogging up everything else. I think we all feel a little bit like this sometimes in that we’re always being asked to remember passwords. Sometimes it just becomes too much.


Let’s look at our good friend Bob and perhaps how Bob might fall victim to one of the challenges around passwords and trying to remember different passwords. Here’s our good friend Bob. He’s on his lunch break. He wants to go buy himself a new pair of shoes. Of course, where does he go? He goes to his favorite website, ACME Boots and Shoes. Of course, as we’re saying ACME Boots and Shoes, has got issues other than just this rather poor design there.


Unfortunately, just as Bob goes back to buy his shoes, the first thing the system’s going to ask him to do, it’s going to ask him to create an account on the website here. We are all very familiar with this. You are just about to go through your purchase. Of course, it says please register to continue. You got to put an email address in and then of course, it asks you for one of these passwords.


Just like Bob here, Bob is thinking, “Oh good grief, what do I have to do now? I can’t just remember a new password just for this website. I’ll just reuse another password which I’m very familiar with.” Which in this case, of course, is his work password, the same password that he uses to log on to his corporate network.


All well and good, Bob buys his shoes, takes them home. Perhaps it’s a gift for his wife or perhaps for himself. What, of course, he doesn’t know is that meanwhile in the background, our good friend Charlie has been busy. Charlie has just managed to break into this website, ACME Boots and Shoes. He’s downloaded the database from the backend of the website. In there, he’s found a whole load of email addresses and passwords.


Now, in there, he notices we’ve got a user called Bob. Charlie is a very bright guy, although he’d probably be too bright to work with, because the first thing he is going to look at is to say, “Well, I wonder if that password that Bob has used on ACME Boots and Shoes is the same password that, of course, he is going to be using on his corporate network.” Lo and behold, what does Charlie find? He finds, of course, that he can then break into MyCorp and retrieve all the information.


Poor Bob, just because he was in a bit of a hurry, had opened up a big security vulnerability into MyCorp by reusing the same password on multiple sites.


It’s a big issue. We all have this. We are all dealing with this day to day. We all understand the problems that we’ve got. We are all being asked to remember far too many passwords. What do we do? We create passwords which are relatively easy for us to remember. We use children’s names. We use pet names. We use our partner’s names or perhaps middle names and so on.


Because we have to remember so many, we don’t try and create a unique password for every website or every system we have to log into. Of course, we reuse the same password. Then, of course, we all know that we should be changing them on a regular basis because we were told to do so. Of course, if we do change then what happens? Of course, we can’t remember them.


What can we do? Of course, we understand, perhaps in the back of our minds that this is creating risks, but as Bob has just discovered it can really create vulnerabilities for yourself and for your organization and for your business.


I’ve got a few tips here. For each one of the ten cyber threats that we are going to be talking about today, we are going to perhaps give a few tips and tricks as to what you can do to try and avoid these traps for yourself.


The first thing I think we need to do is think about all the sites and all the systems that you are using a password to log into. Make sure that for those really important sites you never, never reuse passwords. I know this is an easy thing to say. What I’m going to do today is hopefully show you a couple of tips as to how you can avoid this trap of reusing passwords.


We all understand the idea of a secure password. We have to create passwords with uppercase and lowercase letters, numbers, symbols, punctuation marks, et cetera, and it is quite important. The reason being, of course, is that simple passwords are easy to guess.


The bad guys who are out there have created huge databases of passwords that other people have used. When they are trying to break into a site, of course, they use these databases and they just try all the passwords and they see which one is working. I can guarantee that a fair number of them will.


It’s quite important that we try and create unique passwords. Again we’ll touch on how you might do that in a second.


Then finally, of course, we do need to make sure we change our passwords very regularly. We can see, for example, if we go back to Bob, if he had changed his network password, then, of course, when Charlie came in to try and break into the MyCorp network he wouldn’t have been able to, because Bob’s password would have changed since, of course, he created the account on the ACME website.


A couple of other tips here that might be useful for you. There are tools out there called password managers. Again, I’m not going to talk in detail about them. I’ve just named a couple you might want to look into. Dashlane and LastPass are both popular solutions out there that you can use to manage your passwords. These create little lock boxes where you can store your passwords and access them when you need to. They can, kind of, auto-populate web forms and things for you as well.


We are going to look at a couple of techniques for creating secure passwords which are hopefully a little bit more memorable. I will just say that you will have a number of websites, perhaps not like ACME Shoes or ones that have credit card information in them, but sites such as registration sites, for example, or maybe email lists that you belong to.


Reusing passwords for those is okay, as long as you are aware of what information you are storing there and you understand that that password could be vulnerable if a website is hacked.


If someone breaks into one website where you use a particular password, you can assume perhaps all those other sites are also going to get broken into. If you think to yourself, well, there is nothing in there that’s going to be … There is no credit card information. There is no banking password. There is nothing in there which is of risk to me, then you might say, okay, maybe it’s okay for those sites to reuse the same password.


Let’s just look at a couple of tips here on how you might want to create passwords which are genuinely strong. This is a popular technique. I’m sure a lot of you will have perhaps seen this already.


You can see here, for example, that what we’ve done is we’ve taken two words, in this case “password paradox”. We’ve basically substituted all the vowels and some of the other letters for numbers. Password paradox in this case becomes P, we substituted 4 for A, we substituted 3 for S and so on. We get P433w0rdP4r4d0x.


Now that’s a nice strong secure password. Of course, it’s not the easiest to remember, because you have to remember, well, did you put a 4 for an A? Did you put a 3 for an S, et cetera? But it can be quite a useful technique that a lot of people use.


The other technique, which I quite like, is where we create a password from a meaningful sentence. If we look at this example here, what I’ve done here is we’ve taken a sentence which perhaps is meaningful to Kate here. Kate, we know from her introduction, quite likes cats. When Kate was 12 years old maybe she had a cat called Jasper.


Kate would create a sentence which says, “When I was 12 years I had a pet cat called Jasper.” Then we take the first letter of each word within that sentence. We concatenate them together. We include the punctuation mark, in this case a comma, and we create a really, really strong password out of it.


Of course, that sentence has to be one that you can remember. Generally speaking, you can create a number of sentences around a theme. Whether it’s pets. Whether it’s … I was just going to say former boyfriends, girlfriends or anything else that you can create a good string of sentences from that you will remember. That you can reuse in different contexts.


All right, now we just had a poll question we were going to ask here, just out of interest. How many people have actually reused passwords on occasions where perhaps they should have used multiple passwords?


I can see we’ve got a couple of answers coming in. Yeah, so we can see that 85% of everybody has reused passwords on multiple sites. I’m sure we could run that on any population out there on the internet and we’d see the same results. It’s very tempting, it’s very easy. I’d like to say it’s not always wrong, but you have to do it with care. Make sure that you are not reusing passwords on anything which could be sensitive or secure.


The second thing we are going to look at, again one that a lot of us are familiar with, is what’s called phishing. Phishing attacks, also known as spear phishing attacks.


Again, to help us illustrate what the threat is here, our good friend is Bob. This time Bob has received an email just in his regular inbox at work. It’s from the IT department, or looks like it’s from the IT department. It says they’ve just launched a new intranet with lots of exciting new features. They’ve got a nice hyperlink on there that Bob can just click on to launch the new intranet where, of course, he is going to enter his user name and password.


What Bob didn’t notice, of course, was that this wasn’t really from the IT department at all. It came from an external source. When he clicks on that link, it’s not going to really take him to a new intranet. It’s going to take him to a dodgy site, who knows where, where of course our good friend Charlie is going to be waiting to collect Bob’s user name and password.


Because Charlie set up this fake internet site, once again he’s managed to collect Bob’s details. I think Bob and Charlie are going to get to know each other quite well through this process. Now, of course, he’s got the details and, of course, he can now break into the MyCorp network at night. Of course, once again he can steal all the information.


Phishing is quite easy to avoid. We are all probably familiar with the spam emails that come through that look like they are from your bank. You’ve got to be constantly aware of emails that might look like they are coming from legitimate sources that you are familiar with, such as the IT department or other organizations that you deal with.


A couple of quick tips to protect yourself. Number one, if you are not sure, don’t click on the link, that simple. If you get an email and you say, “Well, hang on a minute. I’m not sure about this.” Just call up the person that sent it to you and say, “What’s this? Did you really send this?” If it’s an IT department, really they should probably not be putting links in the emails in any case.


The other useful thing you can do is just hover your mouse over the link. Whenever you hover your mouse over it, it will show you where that link is really going to. If it doesn’t actually look like it’s coming from where it should be coming from, look for things like numbers or strange domains. At the end of the web link it will often have something like a .ru at the end of it. That would indicate it’s probably not a real hyperlink that you want to be clicking on.


When in doubt, don’t click and certainly double-check in all cases, in any case. Just because your name was on the email or the communication, always again double-check. Don’t assume that it’s going to be legitimate. That it’s actually going to be a real link and it’s not actually a phishing attack.


All right, number three, the watering hole ambush. Who knows who lies in wait, out of sight? Just like our goats here, who are very aware of the fact that watering holes can be dangerous. On the internet we have much the same thing as the crocodile that lies in wait in the river or the lake, waiting for an animal to come down and drink. On the internet we have much the same threat.


This time again, remembering that our good friend Charlie broke into the ACME Boots and Shoes website. While he was on there, he is kind of the crocodile in this scenario, he didn’t just steal all the user names and passwords from the site. He also dropped a little virus on there, dropped a piece of software also known as malware.


He was quite sneaky about it. Because he put it on the website in a way that every time somebody visits the website, that virus is going to be downloaded and installed onto their computer. Again, some very, very sophisticated techniques for doing this which the bad guys know.


Our good friend Bob once again, hapless Bob. He’s doing his best, but he can’t stay away from this website. Next time he visits to see what’s going on, what shoes he might want to buy from ACME Boots and Shoes. That little virus that Charlie planted on the website, without Bob knowing about it, is now being downloaded onto his PC. Of course, once it’s on his corporate PC, it’s really no big deal for that to start then spreading around the network.


The virus is going to spread onto servers, onto different computers around the network. The next thing you know, his boss, Alice, is asking some pretty serious questions about why suddenly a whole lot of information that was confidential is now on public websites and being disseminated. This kind of attack is quite common. It’s kind of a little bit harder to guard against.


Here are a few tips that can be useful as well. The first one is, I think again, one that I’m sure we are all familiar with, is making sure that your web browser is kept up to date. If you have an option on the security settings … It’s not all browsers that have them. If you have an option for security settings, whether it’s a work or home PC, make sure it’s always set to the high setting. Because those settings will prevent a lot of the nasty software from being automatically downloaded.


It’s usually browsers which haven’t been set to the highest setting which are vulnerable. It’s quite easy to make sure that you can keep your setting high, avoid the threat.


Again, you will obviously have policies for different organizations as to what the browsing policy is. I think it is good practice to perhaps not visit kind of lesser known sites. If you are on Amazon or other sites, they are probably pretty safe. Some of the smaller sites, perhaps run by companies like the Boots and Shoes company, are the ones who are most likely to be attacked or have the watering hole attack planted on them.


Also, browsers and Google are very good at keeping an eye on sites which have been compromised. If you ever see a warning, sometimes for example if you are using the Chrome browser by Google, it will pop up saying this site doesn’t look safe. That’s probably because Google has detected that it’s actually being used for a watering hole attack. Again, if you go through Google links, Google and Chrome are going to be quite good at warning you as to what is going on.


Now we are on to threat number four, which I’m calling zombie apocalypse. Now these aren’t the kind of zombies which are trolling the streets looking for brains. These are zombie computers and they are also known as botnets. You are probably familiar with that term. They are in the news quite a bit because botnets are the bane of all internet service providers and email providers. Because botnets are responsible for something like 90% of all the spam which is sent out.


We’ve all got spam emails. They arrive in the inbox every day. Normally spam filters are pretty good at filtering them out, but they clog up the internet. They clog up servers and it’s just a nuisance for everybody. Botnets can consist of literally hundreds of thousands of computers. They are always growing. The law enforcement agencies are trying to take them down. Unfortunately, thanks to people like our friend Bob, here again, the networks are always growing as well.


Botnets are usually created because, again, computers haven’t been updated. Of course, software, as we all know, sometimes has security vulnerabilities in it. Of course, we are always trying to patch them. We are always trying to make sure that the computers are secure. Of course, the bad guys are always looking for new weaknesses.


Here we’ve got Bob, who is a busy guy. Alice is loading task after task on him. He’s been asked by his IT department to update his work PC. He’s a bit busy and, of course, he doesn’t have a lot of time to do it. He goes, “Well, do you know what? It will wait for some time when I’m not so busy.” Of course, he forgets and the IT department will have to go push him as hard as they should.


Of course, what’s happening is that the bad guys are now getting the opportunity to break in because Bob’s PC might have some weak software in it which leads to a vulnerability.


No great surprises that Charlie is on the case again. When Bob has gone home for the evening to try out his latest pair of shoes, Charlie manages to find an unpatched computer in MyCorp. He adds it to his botnet. Of course, not only is he putting malware again on Bob’s PC, which of course creates all the problems we saw before. Now Bob’s PC is going to be used to send spam emails. Once Charlie has again broken in, he can probably add all the computers in there as well.


MyCorp is a big organization. Their IT department might not even notice that a few PCs have been added to the botnet. Of course, there will be implications for this because it will mean that every single email sent from MyCorp will now be marked as spam. Because the systems which track spam use the domains that they were sent from and the IP address of where they were sent from. They then assume that every email sent is going to be spam.


Bob is not going to be very popular with his IT department. Never mind Alice, his boss, as well.


Again, what can we do to avoid it? Again, not too difficult. Just make sure that you keep your PC up to date. I know, for example, we are all familiar that Windows XP was a very popular operating system for many years. Windows XP is, of course, no longer supported by Microsoft. I am aware, if you look at the statistics, there are a lot of Windows XP computers out there still. You know, older PCs, people going, “Well, whatever. I don’t have time or I don’t want to bother kind of updating if it’s an older PC.”


Of course, those PCs might be connected to other networks which will have sensitive information on them, for example. Really they should be updated or disconnected. Even some more modern operating systems such as Windows 7, Windows 8, even Mac operating systems, of course, do need to be kept patched or they can be used to join a botnet.


If you have what are called administrative privileges, which is, of course, when you have kind of the super rights on the computer, then those rights can also be used, if a PC is connected to a botnet, to do nasty things and add additional malware and nasty things onto the computer as well. It’s always a good idea not to use the administrative account on your PC, except for example when you need to install new software on a computer.


Okay, number five, public exposure, apologies for the cartoon there. This is, of course, danger when we are out in public. Perhaps we inadvertently reveal things that we perhaps shouldn’t.


Here Bob again, he’s a working guy. Like the rest of us he likes to take a break. Maybe he likes to head down to the coffee shop. Perhaps do a bit of work using the free Wi-Fi, of course, in his local coffee shop. Of course, again his nemesis Charlie is one step ahead of him.


Charlie is already sitting perhaps in the corner of the coffee shop. Because it’s an unencrypted network in the coffee shop, as free Wi-Fi normally is. If Bob is not careful then, of course, any information that he sends over the web, over the free Wi-Fi in the coffee shop, can be listened in to by Charlie.


Now again, even if you are using … We all understand obviously secure sites, like banking sites, will always have like an https symbol on them. Even that doesn’t necessarily guarantee safety. Because the bad guys are smart enough and have got enough tricks that they can actually intercept even secure communication over an unencrypted Wi-Fi network.


Again, a few things that we can do to help ourselves and avoid any issues when we are on public Wi-Fi. Number one, of course, just think about what you are connecting to. For example, we probably want to avoid connecting to things like banking sites or anything where you might have sensitive information. If you are connecting to a work network, your IT will probably give you what’s called a VPN, a virtual private network connection.


Sometimes you can also connect to your work email over what’s called web mail, where you just connect to it through a web browser. My recommendation would be to avoid doing that and always use the VPN connection that the IT department gave you. Also again, watch for warnings on Google. If connections are being intercepted, again, sometimes the browser can detect that. It will pop up a warning telling you that the connection might not be all that it seems to be.


Just out of interest we had another poll question here, which was just basically how many of you have ever connected to a banking site over a public Wi-Fi connection? Are we able to bring that poll question up?


All right, well the good news is, it looks like people are fairly educated about this. I’m pleased to say that the majority of people, 78%, are saying they’ve never done that. That’s great to hear. I know it’s very tempting. Definitely it’s good to see that the people are well educated on the risks there. Although the latest says … It looks like it’s coming to about 70, 30%, saying 70% no, 30% saying yes they have. Again, good to see that the majority of people are aware of the risk. Certainly it’s something to avoid whenever possible. Good stuff.


Number six, social exploitation, generally known as social engineering. This is again a risk we all face and very easy to be complacent about. The cartoon I’ve got there is a cartoon from back in the early days of the internet, a very famous New Yorker cartoon: on the internet, nobody knows you are a dog. The message here is, when you are talking to somebody it’s always hard to be 100% sure, with a phone or internet connectivity, are you talking to who you think you are talking to?


To illustrate the point, again our good friend Bob is about to fall victim to a very easy scam. He is going to be called by Charlie again, who is going to pretend that he is Dave from IT. Again, Bob, I think he might have learned his lesson from some of the earlier mishaps that he’s fallen into. Despite the fact that Dave is sounding a little bit strange, Bob, of course, hands over his user name and password.


Now that’s a very simple example. Of course, it’s quite easy to extract information from people. We’ve all got LinkedIn profiles, Facebook pages. If you are particularly high profile you might well have a Wikipedia page about you. It’s quite easy to collect a lot of information about individuals. For example, at some point a lot of websites and systems will have password reset options, where, of course, you are asked to answer a couple of security questions.


Even if someone doesn’t know your password they may well, through social engineering, be able to get the names of … Perhaps your mother’s maiden name is the classic example. This kind of information really isn’t that hard to get if you are determined.


If, for example, you use your pet’s name as a security question, well, it doesn’t take a genius to perhaps call up your home address, pretend to be someone offering a special offer on pet food and extract the names of your pets from whoever is answering the phone. These kinds of threats are relatively not too hard to exploit.


There are a few things again that we can do to protect ourselves against them. The first one, of course, the golden rule, I’m sure no one would ever do this, although you’d be surprised at some of the horror stories out there, is that it doesn’t matter who asks you, you never ever disclose your password to anybody else. It doesn’t matter again whether it’s one of those simple passwords or one of the complicated ones. It doesn’t matter who is asking. The answer is no. Because the IT department, of course, they can reset passwords.


Anyone who wants information from you, it’s always worth just double-checking whether … It’s as simple as phoning them back on the number that you know they should be on, or perhaps verifying the email address through other methods. Just always double-check who somebody is before you give away any kind of sensitive information.


Finally, again, when people start asking kind of questions and you think, well, why do you need to know this? Again, there is no harm in just being a little bit coy about what information is handed out. Again, it can be very hard to guard against all these kinds of vectors and attacks. Certainly until you know who somebody is and you know that you can trust them, there is no harm in perhaps being reasonably cautious about what information you hand out that could, of course, be used for a social engineering attack.


Cool, all right, now coming back to the back end of the threats here. We’ve got a few here that perhaps we are a little less aware of on a day to day basis. One of the classics out there is email. Email has been the cause of so many breaches over the last few years. Much information has been leaked from email. It’s something that we all probably need to be a little bit more cautious and a little bit more careful about using.


As again, our good friend Bob, unfortunately the slide here has got a little bit screwed up. Again, you can probably see what’s going on here. Alice has asked Bob to send out this month’s board papers to the chairman. The chairman is probably travelling around somewhere. Bob is just thinking to himself, “Well, how else can I get these very quickly to the chairman? Well, I’ll just send them to the chairman’s personal email address, whether it’s Yahoo or Google or whatever it might be,” because that’s a quick way to get them out there.


Of course, these email systems are not designed around security. It’s really quite easy to intercept email traffic and to retrieve information that you may think is confidential, because you just sent it to a personal email address. Of course, our good friend Charlie really had no trouble at all breaking into that email stream and retrieving whatever documents were sent to that particular channel.


Again, email is, just to reiterate the point, not a secure communication channel. I think the first piece of advice is, when it comes to email, if something is confidential, you know, corporate email addressed internally, of course, is protected by the company firewall. Once you send it outside the corporation, outside the company, then, of course, all that security is stripped off. It’s almost kind of … Imagine like a postcard: if someone picks it up and chooses to read it, they can read anything that’s included in that communication.


Of course, the other threat is that emails can be forwarded, so you send an email to somebody and, whether accidentally or deliberately, they may forward that email. Of course, personal email doesn't have the same level of security as your corporate email. It's always a good idea not to use personal email for work purposes.


We just had another survey question I might just throw in here very quickly, around how many people have accidentally forwarded an email or sent an email to an incorrect recipient. You know how easy it is: you type it in, you auto-correct on the email, and then, of course, it's sent on to somebody else.


Do we have a survey question? No, maybe we don't have that survey question. There we go. I will put my hand up here and say that I've certainly done it, and I think you have as well, Kate. Yeah.


It's quite common. About 66% of people are admitting to that. The other 33% either aren't admitting to it or genuinely haven't. I won't [inaudible 00:34:34] any judgment. It is very, very easy to do. Of course, it can be embarrassing and cause security issues as well. Cool, all right, thank you to everyone who answered that.


The next issue we are going to look at is browsers, and browser beware. Again I'm sure a lot of you are very familiar with some of the threats around browsers. This is similar to some of the other threats we've looked at. Here again our good friend Bob is back on his favorite website. This time ACME Boots and Shoes have put a little kind of animation on there, which uses a technology I'm sure we are all familiar with, called Adobe Flash.


Bob is being asked to update his Flash plug-in. He's not going to ask any questions because he really wants no issues. I don't know how many pairs he's bought in the last couple of weeks, but his cupboard must be getting fairly full. Of course, Flash and similar plug-ins often have security vulnerabilities as a result of insecure coding.


Of course, these kinds of vulnerabilities make it really easy for our good friend Charlie to again intercept the connection stream or break into the website or … Bob's computer, through the weaknesses in these browser plug-ins and so on.


Browsers these days are actually getting pretty secure, but it's the plug-ins which often create the issues, like Flash and Adobe Acrobat. There are blogs, there are reports and there are government lists of vulnerabilities in these pieces of software. Now we can't be expected to be tracking these lists on a day to day basis. The question is, what can we do to protect ourselves against these kinds of browser plug-in threats?


Again this will depend very much on what your view is and whether you are looking to reduce the risk. If you are, sometimes disabling the plug-ins is the only real way to actually protect yourself against these particular threats. Again, maybe it's your home computer and you are kind of going, "Well, do you know what, I'm going to take the risk because I like having the capability of viewing video and animations and so on."


Of course, again just as we had with some of the previous ones, the biggest thing here is just to keep your web browser up to date and always keep the security settings at the highest level. That way you should protect yourself against a lot of these types of risk.


The one thing I'd also say, which I don't have on this list there, is if you are ever asked to download a plug-in and you don't recognize the name, when in doubt just say no. Because if you are not sure then the chances are … Things aren't going to come to a stop when you don't download a plug-in from a particular website. Generally speaking, just be super cautious whenever you are asked to download anything off a webpage when you are not familiar with what it is and where it's come from.


Number nine, file sharing failure. This is again similar to email: what happens, and how do you communicate with people perhaps external to the organization, without risking corporate information and corporate secrets? Again, sorry, it looks like some of Bob's speech bubbles have got a little bit messed up here. Much the same as before, this time Alice wants to actually access some files when she is out of the office, perhaps from her home computer or some other computer.


Poor Bob, of course, has come down to a bit of a problem here, and the files are too big. Again, we are all familiar with this problem where the attachment is too big and you can't email it. Bob is going to use a kind of external service called DropDrive, which is a file sharing solution, which perhaps he uses for exchanging photos with his family and things like that.


He is very familiar with it. What he is going to do is upload these papers, these confidential papers, onto DropDrive. Then Alice could hopefully access them when she is out of the office, when she doesn't have her work computer with her.


Unfortunately again, DropDrive might be great for sharing family photos, perhaps not so great when you've got confidential information. A lot of the file sharing solutions out there may have been designed for convenience, but they certainly haven't been designed with security in mind.


Again, if Charlie has got his eye on trying to extract these files out of DropDrive, he knows the weak points in there, because there are websites which publicize the weak points in the file sharing solution. Of course, he can then break into DropDrive, extract the confidential papers which Bob has uploaded there, and then sell them or publish them or do whatever he likes with them. Poor Bob again has just opened MyCorp to security risks once again, just by trying to do the right thing.


File sharing failure: what can we do to avoid over-sharing information? Perhaps the answer is just to avoid these solutions unless they've been given the big tick by the IT department. A lot of services, and I don't want to name them by name, but a lot of services don't have particularly strong security. Some sites will allow you to remember passwords, things like that, which, of course, can open up vulnerabilities.


You can't control … Once you've uploaded a file to a file sharing solution, you can't then stop what happens to it. That file can be extracted, forwarded, accidentally attached to an email, sent on.


The general advice would be, if something is confidential and the IT department has not given it the okay, it's best to avoid using file sharing solutions for anything which is secure, anything that's confidential, anything that you need to protect within your organization, or your personal information as well.


We've come to the last one, which we've called mobile mayhem. This is, of course … We all use mobile devices, every day, all the time: phones, tablets, etcetera. Again, great devices, fantastically convenient, really mobile, great when you are travelling. They also have to be used with care because, of course, they can also create security risks for yourself and your organization.


This time, again, it's Alice who is just asking Bob. Alice has got herself a new Android tablet. Alice is going to say to Bob, "Can you put my board papers on the tablet, so I can access them when I am travelling, wherever I'm going for my trip, whether it's a holiday vacation or a work trip."


You know what Bob is going to do. He'll say, "Sure, no problem." Perhaps he puts them on a USB stick, or he emails them to Alice's email address so she can then retrieve them and save them on her tablet, on her new birthday-present tablet, for example.


Of course, who should be watching what's going on but Charlie. Alice accidentally leaves her tablet just sitting, perhaps on the table in the coffee shop, for five minutes. What would go wrong in a situation like that? Maybe she leaves it in an airplane seat pocket or the back of a taxi; it doesn't really matter. It really doesn't take long for someone who knows what they are doing to extract files from certain types of tablets.


Here, for example, Alice has left it in the coffee shop and Charlie grabs it. Within five minutes he's managed to extract the files off it. Because again, security vulnerabilities and lack of security around the data stored on that tablet have then opened up a big security risk. Once again Charlie has managed to extract confidential information from MyCorp.


I feel sorry for Bob and Alice. They are trying to do the right thing. Obviously we are all trying to get our work done. In doing so, of course, sometimes … I think we can all learn something about following best practice and making sure we keep information safe and secure.


Just finally, I guess, things to remember about the use of mobile: avoid emailing confidential papers to mobile devices. If you are going to use mobile devices, make sure that you are using applications on them which have been designed for keeping data super secure. Not just storing them in a file so you can open them up in PDF [viewers 00:43:10] and so on.


Also, if you are using mobile devices, just make sure you control the information on them. That might mean, for example, making sure that if a device is lost or stolen, you can remotely delete information. Can you lock it down so that nobody else can access that data if that device is misplaced or stolen?


That brings us to the end of our top ten security risks and some of the tips that we can perhaps use to protect ourselves against some of the threats.


I'm going to just conclude by talking a little bit about Diligent and perhaps what we can do to help you with some of these risks, if anything here has kind of caught your eye. Diligent is, of course, a company which specializes in keeping information super secure, particularly for boards and leadership teams.


The Diligent Boards product, which has been engineered here for the last 12 years to provide an exceptionally high level of security, really resolves a lot of the problems that we've talked about today, by keeping information locked down but keeping it accessible. For example, Alice can access her papers on her tablet when she is travelling, without risking that information being compromised if that tablet is misplaced.


We avoid the issues of sharing files. Of course, we can lock down information so that it's not vulnerable to password attacks and so on as well.


We are up on our time. Actually, we are a little bit over our time; we started a few minutes late. I just want to make sure now that we have a chance at the end for questions and answers. Kate is going to moderate questions. Please now type any questions that you want raised into the chat box and I'll be happy to answer them for you.


We are just [inaudible 00:45:06] a question here. Hang on, just having a technical issue with the question.


We've just got one question coming in, just on tablets here, as to which tablets people think are most secure. Certainly in our experience … I mean, I mentioned Android and perhaps that's a little bit unfair. I mean, they are very popular tablets.


Certainly, in our experience, the iPad. Of course, Apple just did a new announcement today on a new model of iPad for professional use. Certainly in our experience iPads have been designed … Because it's what's called a closed ecosystem, iPads are actually a much more secure platform than I think some of the other tablets. Also the Windows tablets have pretty strong built-in security as well.


All right, any other questions Kate?


Kate: Yes, there is one more coming through, bear with me.


Al: Just about two seconds. The question is, what were the password keepers that we were mentioning? I was just reading … Kate is handwriting the questions down from her console here.


Kate: Yeah, just in reference to the … I believe it's regarding the passwords and where we can store them privately.


Al: On the password keeper. There are a couple of applications. The one that I'm most familiar with is called LastPass. These, like I was saying, run a bit like a locked box. They allow you to access your passwords from your phone and also from your PC. Effectively what happens is the passwords are themselves encrypted inside the lock box. It means that when you need a password for a website, you can retrieve it.


It will also create the password for you. It creates a super strong password, which again you can then use as appropriate on the different sites that you need to create passwords for.


Which is more secure, VPN or terminal server sessions? They are not kind of mutually exclusive. You could run a terminal server session over a VPN connection, which is actually probably the recommended way to access kind of corporate network solutions.


Both will obviously provide encryption, but if you want to be super secure I'd ask you to run your terminal server session over your VPN connection. Rather than … Again, that will obviously typically be specified by your IT department, who will set up access to the network through something like a Citrix connection, which again can then be encrypted over a VPN connection as well.


Kate: Thank you, Al. I've got another one coming through. It says, if we really have to access our banks at cafes or coffee shops, using the available Wi-Fi, how can we protect our data?


Al: Okay, I guess the answer would be, if you really have to, I think one thing I would say is don't use a phone. Don't try using a phone. Use … again, I don't want to be too much of endorsing browsers, but I would use something like the Chrome browser. The reason I mention Chrome is that because it's built by Google, and Google have an amazing database of kind of threats, they will often warn you if there is a risk on the connection that you are going to.


Now I can really illustrate it in here. If you are using the Chrome browser, you may have sometimes seen a message saying the connection that you are connecting to does not look secure. You will also have a message saying, do you want to continue or go back to safety? That is the way that Chrome puts it. That is basically telling you the connection may be being intercepted.


If you have to do it, don't do it on your phone, and probably don't do it on your tablet. Do it on a proper PC using a latest-version browser which has got technology in it which can detect if a connection is being intercepted by a third party.


Kate: Thank you, Al. There is another here which is relevant to the same question that you've done: how safe is banking over a cellular 4G network?


Al: I mean, the 4G network is itself encrypted. You do have a double level of encryption when you are accessing over 4G. My own personal view would be, going back to the point, there is nothing that's without risk. It's certainly a lot more secure than using the public Wi-Fi.


Given the choice between the hotspot in the coffee shop and the 4G connection, I would definitely opt to go with the 4G connection. If I wanted to be super, super secure I'd probably still do it on the private connection from home as well.


Kate: Thanks, Al. Just a couple more which I think we can squeeze in before the end. A question around, is Dropbox secure?


Al: It's a good question. Dropbox has had … It's public knowledge; I'm not saying anything here that isn't public knowledge. It has had a number of security issues over the years. Dropbox staff have always been able to, for example, view the file names of files in Dropbox. Now Dropbox do encrypt the files, so the data is encrypted, but we are aware, for example, that the files are visible to Dropbox staff, and there have been a number of security issues.


For example, there has been a recent one where, if someone is using Dropbox on a tablet, that tablet did not protect the files particularly strongly on the device itself. If you have a Dropbox application on your tablet and that tablet is lost or stolen, those files most definitely could be vulnerable in that situation. Again, that's obviously something that Diligent, with the Diligent Boards product, protects against.


We are aware, and again it's public knowledge, that those threats have been made with regards to Dropbox and similar file sharing solutions.


Kate: Thank you, Al. I think we only have time for one more question. Any other questions that have come up, we will answer for you directly via email. This last question is around, just going back to the first, sort of, password paradox: is KeePass safe for office users to use to store their passwords?


Al: Generally for corporations, I think the IT department would normally prefer that you don't store your corporate password in anything except your head. Purely because … Generally speaking, access to the corporate systems is usually controlled by one particular password. Your password should normally be set to change every 90 days.


I think LastPass and similar types of application are quite useful for home use when, of course, you've got to remember lots of passwords. You probably would be using that on a home computer rather than a corporate PC. Again, your corporation may have a different view. My own view would be that it's probably best to avoid it for work use and just use one of the techniques we looked at to create super secure passwords for your corporate use.


Kate: Great, thanks, Al. Again, any other questions that have come up, we will come back to you directly, but unfortunately we have run out of time. I hope you've all enjoyed the webinar. The recording will be available for download to all the registered attendees, and they will receive an email from us with the recording. The next seminar is planned for November. We'll actually be engaging with an external speaker from Intel Security. If you are keenly interested, we will send out an invite and announcement of the topic shortly.


As I said at the beginning of the call, if you've got any queries or questions that you'd like to raise with myself or Al, we will also provide our email addresses so you can contact us directly. I will now pass the call to Al for a last comment before closing.


Al: Well, thank you, Kate. Hopefully there were a few tricks and tips in there that will be useful to everyone on the call. It's been our pleasure to host this webinar today. We really do look forward to greeting you all again at the next webinar event in November. Thank you.