Published: October 7th, 2020
Highlights from MapleSec security conference.
Welcome to Cyber Security Today. It’s Wednesday October 7th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Speakers at the MapleSec virtual cybersecurity conference this week gave out some great advice and observations. Here are some of the highlights I found:
Penetration tester Terry Cutler told some chilling stories from the many data breach investigations he’s worked on. One company was in such bad shape after a ransomware attack that its systems kept getting re-infected even after software had been re-installed on all of its computers. It turned out the laptop a technician was using to help restore service hadn’t been thoroughly scrubbed, and it was spreading malware to every computer it connected to. The lesson: After a cyberattack, every computer used for recovery has to be pristine. The same organization had a heck of a time restoring data from ancient backup tapes. The lesson: Practice data recovery before a security incident so problems are revealed early.
In another case a Canadian company was hacked by a former employee whose password access hadn’t been revoked when he was fired. The lesson: Make sure when staff leave for any reason their access is deleted.
There was a related case: A company that had leading security on its desktop computers was hacked. Why? Because the IT administrators forgot to change the default password that came with the product. The hacker figured out which brand of protection the company used, found the default password on a criminal website and used it. The lesson: Default administrative passwords that come with software, switches, Wi-Fi routers and the like have to be changed.
The last case involved a small company that was hacked. It spent only $100 a year on cybersecurity. Why? Because the owner didn’t believe his firm was big enough to attract hackers, so he didn’t want to spend on good protection for the firm’s computers. Instead they used free anti-virus software. Ultimately the cost to recover from the hack was $40,000. Ironically, it was an insurance brokerage. The lesson: No firm is too small to be hacked.
Many of Tuesday’s sessions dealt with cybersecurity awareness training for employees. This training is important because mistakes made by staff are a leading cause of data breaches. But what makes effective awareness training?
David Shipley, CEO of New Brunswick-based Beauceron Security, said a good awareness training program takes into consideration the legal and regulatory obligations your organization faces and establishes a baseline of what staff are doing wrong — for example, what percentage regularly click on phishing messages. The program is then tailored to the organization, and training is reinforced with regular sessions.
To be successful an awareness training program must be seen to have support from executives. It shouldn’t be seen as a project of the IT department. If you do phishing tests with staff, don’t only praise those who don’t fall for a trick. Also, praise those who warn others when they spot something wrong. And don’t punish those who do mess up a test. This should be about learning from mistakes. Finally, measure progress so you know if the training is working.
Finally, Steve Biswanger, chief information security officer at Calgary’s Atco Group, reminded viewers of the importance of following the basics of cybersecurity: Identify the important data your organization holds, and protect systems from cyberattacks by patching software, enabling multifactor authentication for logins and backing up data held in the cloud. Most important, he added, is how the organization responds to an attack. There has to be a plan, and it has to be practiced.
Today is the last day of MapleSec. It starts at 11 a.m. Eastern. Registration is free.
That’s it for Cyber Security Today. Detailed versions of these and other stories from MapleSec can be found at ITWorldCanada.com. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.