IT Cyber Security – Notes from the Workshop

[15.03.19]

Our speaker was Graham Fern, Technical Director, Axon IT.

Graham opened his presentation by stating that he would focus on Cyber Security – as a lack of security creates inefficiency.  The statistics were worrying:

  • 89% of businesses (76% of UK businesses) have suffered a cyber attack
  • 74% of security breaches are from stolen credentials

The Head of GCHQ, Head of MI5 and the Head of the Military had recently stated that criminal and terrorist cyber attacks were a real threat to UK businesses, organisations, infrastructure and our economy.

Graham gave three recent examples of local businesses that had suffered security breaches:

  1. The hackers watched the local company online for a period of time. The criminals knew who was responsible for what, who paid what, and when the key people were on holiday.  As a result they chose their moment to attack well. The criminals provided a convincing scam, and the company handed over £20,000 to the criminals.
  2. Another local company was attacked, which resulted in all of their computers dying (400 of them), which jeopardised their business. All of the computers have had to be rebuilt.
  3. A hacker gained access to a Director’s work email due to a really weak password (e.g. Passw0rd1).  The hacker created a folder in the inbox and created a rule so that any emails with payroll, wages etc. in the subject were instantly diverted to that folder and a copy sent to an external gmail account. The hacker watched the comings and goings of the business for 4 weeks. They identified the process of paying bonuses and wages. At exactly the right time the Director appeared to ask HR & Finance to have their bank details amended for the payment of their wages. The email conversation flowed back and forth, with these emails (titled payroll in the subject) being directed to the new folder under the inbox, which in turn forwarded a copy to the hacker. The real Director was totally unaware this was happening!  Long story short, all the communication was compelling and believable, the bank details were changed, and the Director’s salary and bonus were paid into a third-party bank account which in turn sent the money overseas. Bye bye money……
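One way to catch the inbox-rule trick in the third example is to audit each mailbox's rules for external forwarding combined with sensitive subject matching and silent moves out of the inbox. This is an added Python example, not code from the workshop or Axon IT; the rule dictionaries, INTERNAL_DOMAIN and keyword list are constructed assumptions rather than any mail platform's real rule API.

```python
# Added example (not from the workshop or Axon IT): audit inbox rules for the
# pattern in the third incident above: mail whose subject mentions payroll or
# wages moved to a folder and a copy forwarded to an external gmail address.
# Rule dictionaries are a constructed simplification, not any real mail API.

INTERNAL_DOMAIN = "example-company.co.uk"   # assumption: the business's own mail domain
SENSITIVE_KEYWORDS = ("payroll", "wages", "salary", "bonus", "bank details")

def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True if the address belongs to a domain other than the business's own."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain != internal_domain.lower()

def audit_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a list of findings for one inbox rule; an empty list means benign."""
    findings = []
    terms = [t.lower() for t in rule.get("subject_contains", [])]
    external = [a for a in rule.get("forward_to", []) if is_external(a, internal_domain)]
    hits = [t for t in terms if any(k in t for k in SENSITIVE_KEYWORDS)]
    folder = rule.get("move_to_folder")

    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if hits:
        findings.append("matches sensitive subject terms: " + ", ".join(hits))
    # Moving matched mail out of the inbox is what kept the real Director unaware.
    if folder and (external or hits):
        findings.append(f"moves matched mail out of the inbox into '{folder}'")
    return findings

def audit_mailbox(rules, internal_domain=INTERNAL_DOMAIN):
    """Map rule name -> findings for every rule that warrants a human review."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domain)
        if findings:
            report[rule["name"]] = findings
    return report

# Constructed sample rules: one legitimate, one mirroring the incident.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to_folder": "Reading", "forward_to": []},
    {"name": "Sync", "subject_contains": ["payroll", "wages"],
     "move_to_folder": "Archive/misc", "forward_to": ["someone@gmail.com"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(name + ": " + "; ".join(findings))
```

Running this over rules exported from a real mail platform only needs a small adapter that fills the same dictionary keys.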


Who are the Threats

Graham discussed who the key threats to any business’s security are.  The main threat is “YOU”.  Our relaxed attitude to passwords creates the biggest threat to our security.  Graham gave examples of often-used passwords – and demonstrated that many of them can be broken within nanoseconds.  He also demonstrated that a large proportion of passwords are very simple and obvious, such as:

  • Password1
  • 1234
  • QWERTY

He advised:

  • Never use dates of birth
  • Never use words that you’ll find in the dictionary
  • Think of a password as a PASS-PHRASE, and then add a few numbers around the pass-phrase, using the odd capital letter – e.g. Graham started with the pass-phrase “As Secure As Poss” and changed it to “1234AsS3cureAsPOss”. The 1234 might be a Visa PIN but not a DoB.
  • Use slightly different versions for different online accounts; e.g. for Amazon add AM to the end, for LinkedIn add LI to the end, etc.
  • Consider using Multi-Factor Authentication – where you need to meet a few different security measures; and use biometrics where you can – such as on an iPhone.

Graham highlighted how easy it is to receive a link to a page where you will be asked to input your username and password.  He asked that we only input data into a website whose URL includes https.

The Business of Hacking

Graham also talked us through the business of hacking.  These are multi-million pound businesses, with structure and discipline.  They are organised and very profitable; and this business sector even includes a Re-Seller model.  There are different types of hackers including:

  • Black Hat – criminals, looking for financial gain from hacking
  • White Hat – “good” hackers – looking to help businesses
  • Grey Hat – neither good nor bad – they just enjoy messing; because they can
  • Script Kiddie – uses scripts or programmes from others to attack computer systems for mischievous or financial reasons

A Script Kiddie will rent programmes and kit from a Black Hat for $6,000 pcm – but earns circa $85,000 pcm.

A Re-Seller can earn circa $400,000 pcm.

Types of Attacks

Graham commented that email is the source of all evil.  This is the platform where everybody will be tested – we will all be sent links by hackers – which we need to ignore and delete.  But many people will be caught out.  Graham advised changing the culture in your business so it isn’t so reliant on email – and using other secure messaging platforms like Microsoft Teams, Skype for Business or even WhatsApp instead.

Graham showed us USB sticks which have an inbuilt SD card.  If they are inserted into a computer, they will pull out the data and passwords within the computer.  Graham recommended never inserting an unknown USB device into your computer – and being cautious even if you know and trust the person giving you the USB – you don’t know where they received the USB device from or what’s on it.

Graham demonstrated how a hacker can imitate a wifi hotspot, such as a hotel wifi.  People think they are joining the hotel wifi, but they are joining through the hacker’s piece of wireless kit.  The hacker can then see everything that is happening through the wifi.  Graham’s advice is to only join public wifi where there is a password, and only use it for non-sensitive activities, i.e. don’t use it for your banking etc. General web surfing is fine.

Sometimes illegally accessing your computer isn’t about generating money from you.  Using a Botnet a hacker can infect millions of computers.  Their objective can be to take just 10% of each computer’s CPU, so they can create a Super Computer, which enables them to do more by launching large-scale attacks – for example a denial of service attack which could bring down an e-commerce web site, costing the owner lost revenue.

In Summary

Graham summarised with the following points:

  • The threat to your IT is real
  • You should assess the risk (this is a requirement of GDPR & the UK Data Protection bill)
  • Change your passwords to pass-phrases
  • Only enter details onto a website which starts with a https URL and displays a locked padlock
  • If you’re not sure about something you receive, ask the recipient or a colleague
  • Be cautious, the hackers are very smart
  • Report mistakes, so steps can be taken to reduce the risks
  • Use a multi-factor authentication process
  • Do not take part in a Facebook Quiz – this is used by hackers to gather intelligence about you.

And finally – educate your staff, co-workers, family members and friends – to ensure that they, you and your business remain secure.

For further information please contact Graham at Axon IT – gfern@axon-it.com

We will be hosting Graham again on 2nd October 2019, for another Cyber Security Workshop.  If you would like to attend please contact us.

Castletons Accountants