The Closed Beta Project

How to stay safe while working from home with Jonathan Kyle

April 01, 2020 Lockstep Technology Group Season 2 Episode 2

Hi everyone, my guest today is Jonathan Kyle, our security practice manager. He joins me to discuss what to look out for especially now when almost everyone is working from home. 

Jonathan and I discuss:

  • Zoom bombing
  • Phishing tactics during COVID-19 pandemic
  • Marriott data breach


Reach out to me if you have any questions or topic suggestions for us to cover. My email is ali@lockstepgroup.com



spk_1:   0:03
Lockstep Technology Group family, Ali here. This is The Closed Beta Project, the show where we talk to IT and cybersecurity experts, pioneers and influencers about how we can live and grow in the digital age.

spk_0:   0:20
I want to talk about a lot of people going virtual, remote working, and utilizing different services such as Zoom, which is very popular nowadays. What are the threats that you see being exploited, including phishing, when people utilize these virtual meetings such as Zoom?

Sure. So specifically with virtual meetings, you need to know what you're doing. If you're in school, or if you're doing company meetings, or if you're having client meetings, or whatever you're doing, you need to understand what access controls exist for that platform. Just because you're using Zoom doesn't mean it's necessarily secure. You may be using SSL or TLS or some form of encryption to create the channel, but access control is a whole other mess. Zoom bombing is something that's popped up a lot this week and last, and what that is, basically, is when somebody who's not supposed to be on the call is able to join or basically take over a call because they can; they have permissions to do so. Either you have, like, a link to join a meeting or something like that, and people can just jump on the meeting because there's no access control on the meeting link, or, you know, they share permissions. People share things; you don't set attendee permissions, so people can just jump in and talk. Zoom specifically has lots of different access controls you can place on meeting security. Those are things like setting who can join meetings, setting what membership they have inside the meeting: if they're just attendees, can they speak? Can they raise their hand? What can they do? Can they share? There's lots of things you can do to lock down permissions, first to join the meeting and then, once you're in the meeting, what you can do within the meeting. So you can set things like passwords for people to join the meetings. There's a lot of things you can do in your settings when you're setting up these different virtual services that allow you to reduce that amount.

You mentioned phishing before. Phishing is what I kind of wanted to cover. Yes, Zoom is a problem right now, but it is for everything. Specifically, yesterday the FBI created a warning about coronavirus-related scamming. So this is not just in one particular fashion; it's just anything in general. Any time you have any kind of event around the world where people get interested in something, scammers are going to immediately jump on that, and this is no different. In fact, it's not only no different, it's far more intense. The amount of scams that have popped up that are coronavirus-related is absolutely massive. So specifically, there are several subjects that the FBI came out yesterday and wanted to warn American users about. There are five particular subjects that are being used in almost every single scam right now. If you see them, they're generally not good.

The first one is CDC documents or leaks that claim to have breaking information. The only place you should go for CDC information is cdc.gov, and I guarantee you on their home page there is a link to any information that you could possibly imagine that's public for the coronavirus. So don't click on links, don't open documents, specifically with email, any kind of warning or anything like that from the CDC specifically. That's one thing that they're warning about on the subject side. The next thing is fake coronavirus experiences. Another thing that's extremely common right now, a tactic you see from scammers, is people trying to scare and fear-monger, utilizing a tactic that basically lies about experiences: you know, "this is what it's actually like to have coronavirus, it's really bad, if you open this it will tell you what it's actually like." So that's another subject. A third that's popping up this week, for sure, is financial. So the third subject is financial aid and government assistance, and I'll kind of go through how these get delivered after I get over the subjects. Fourth is fake treatments. That is a massive scam right now, people trying to convince others that there are treatments for the virus, and they're using that as a subject to get you to open something or click a link or something like that. Equipment sales, that's another big one. So: click here, go here to this website, we have masks, we have toilet paper, we have all this kind of stuff, come here and you can get what you need. So those were the five subjects that are being warned about specifically in scams.

Now, what are they asking you to do? Specifically here, they're asking you to do things like click links. This is common in phishing; everybody knows about this from the past. I'm gonna share with you right here real quick what I've seen. There's the first one, so you can kind of start back over here. This is the first one I'm talking about here, which is the malicious link that they're trying to get you to click. There you can see it's a, you know, "Dear whoever, we're closely monitoring the situation. An updated list of new cases around your city is available here." So CDC, you know, see where? Yeah, so that's the center. You never know where these are coming from. Don't click on links. Just don't click on a link. If you want information from the CDC, go to your browser, type in CDC and click on usually the first link that's there, which is cdc.gov, and on their home page they're gonna have the information that you need. Don't click on this. You can see several things in here that they're looking for specifically to try to get you to click on it. Don't go to any of these links. Don't click on links. Navigate yourself to whatever service you're trying to get to, whether that's DHS or CDC or something like that.

So, links. Let's say you click on this link and you go to what looks like the CDC website. It may not be. They can either clone the website and make it look very similar, or they can use iframes, which is basically a window to another website. So basically I stand up a website that has an iframe, which basically allows you to see the real CDC website through my website, and you're still visiting my malicious website. So just because you appear to go to the right place does not mean you do. Instead of clicking on a link, navigate to the website in your browser.

The next thing is opening documents. Could you pull up one of the other documents there? Pull up, not the one you just had, the other one there. I just kind of want to show, no, not that one, the other one. You gotta pull both up. So the other one is documents. Documents often contain malware; they can contain other programs inside of them. This is a particular link that seems to be a DocuSign link, signing up for a cure or solution. Again, you can see the thing here: here, you need to sign up. "Go here to sign up to be treated in time" or something like that. Probably not real. It's probably a scam. Actually, it is a scam, I guarantee it, because it's something that works. So this is probably a malicious document or a link. Again, it could be DocuSign, or it could be taking you, you know, claiming to be DocuSign, to take you to another website or something like that. So pull up the other one, which is another document there. So there you see, this is another one, at who 10.2 days pc dot com, "safety measures, please go through this," open this document and go through it for safety measures. And you can see your safety measures is that document they've got there, and they want you to download and open this document, and whatever that is, it's likely a malicious program that's attached to that document that's gonna run as soon as you open that document, usually with your permissions, and try to elevate them. So don't click on the documents. Again, navigate to whoever you're trying to get to: the WHO, DHHS, CDC, wherever you're trying to go. Navigate to it in your own browser and get there, as opposed to opening a document in an email or something like that.

The other thing they're trying to do is get you to either confirm or give information out. This specifically has been targeted and seen a lot in the third subject, which is financial aid or government assistance. This in particular is where they're gonna ask you to confirm your information, or "to get your check, we need..." They'll even call sometimes.

So how the scams are delivered is the third subject here: what are they doing to get these to you? The most common is obviously emails. It's millions, if not hundreds of millions, of emails a day. It's so common. Another common one that people don't really realize is social media posts. Just because it's in social media, Facebook, does not mean it's not a malicious link. It does not mean it's not a malicious document because it's in Facebook or some other social media platform. That's another place that's really common, because everybody knows that it's a common watering hole, you know, a watering hole attack, where you know a lot of people are gonna be there and their guard's gonna be down in some cases. So don't click on stuff just because it's in your social media platform and not in an email. Phone calls is another one. So vishing, which is voice phishing, is another common tactic here, and I bet it's gonna increase now that literally a vast portion of the United States is supposed to be getting a check from the government, or however that's gonna work. Be aware that people who call you and say they're from the IRS and the federal government are probably not. They're not gonna call and ask you to confirm your Social Security number and all that kind of stuff in order for you to get your check. Don't do that. Don't confirm credentials or PII. Any time you get redirected to something to confirm credentials and stuff like that, it's just dangerous. Re-navigate yourself to wherever you want to go instead of clicking links and opening documents, and don't give anybody your credentials or your personal information over phones or anything else. Just because they know things about you does not mean that they are who they say they are. So get rid of it, get rid of that there. And then finally, snail mail. People don't think about this, but scams still do come through the mail. And now that it's affecting literally everyone in the world, you're going to see an increase in all of these forms of scamming across the world. That's gonna be everything from snail mail to email to social media posts to phone calls; all of that stuff's gonna increase. Everybody knows everyone's terrified right now, so scammers are going to take advantage of that fear and prey on that using those tactics that we just mentioned. So we're definitely going to see an increase, not a decrease, in this kind of activity.

So if you were a business, what would you tell your employees to look out for? Is it the links, like you said? What user education would you give out with it?

Be suspicious of everything. A lot of the time when we perform phishing tests, they're only not successful sometimes, and sometimes they still are. One of the things that stops us, though, is that the recipient, the victim, is in the same office as the person we're trying to be, and that in particular is not possible right now. If you were able to go down the hall and ask whoever you think you're talking to why they asked you a question, and it's not actually them, that can stop attacks. Now you can't do that, so you basically have to be very, very suspicious. I said this on the podcast the other day, or that thing we did the other day: we're living in a hacker's paradise now, because everybody's online, they're all doing their jobs online, and all the IT departments had to scramble to make this happen on time. We know that; all the bad guys know that. I'm not a bad guy, but still, all the bad guys know that. So you have to keep that in mind. If you had to basically put a lot of these remote working things in place as a business, you really need to look at your controls that are in place for security. What ports and services did you open? What are you using for authentication remotely? Are you using VPNs? All that kind of stuff we went over in that other podcast, the presentation that we did, that would be good for other people to go look at. As an individual, you need to be using a VPN, you need to be using good credentials, you need to be using good authentication practices. But be skeptical of everything. If you get redirected to provide your credentials, think twice. Make sure that you're not giving people information, even if they sound like the right person; you just need to confirm sometimes. Specifically, a lot of these organizations that are remote have finance or HR personnel, so over the last several years we've seen a massive increase in business email compromise, and it's a call we get every single week from somebody that's been a victim of business email compromise. And now even more so, all these finance and HR departments are working from home, and they're not close to each other, and they're quickly trying to respond to things like direct deposit changes, wiring money transfers, paying invoices. You need to have processes in place where multiple people look at and approve that stuff before it goes out the door, because it's gonna be hard to catch a lot of that stuff now. So, we talked specifically about coronavirus threats; just because that's the popular thing right now doesn't mean any of the other cybercrime is going to decrease. It will not. It will increase.

I don't know if you saw this morning, Marriott disclosed that another breach was discovered. What could... obviously they didn't do anything that they should have done. But what could they have done to prevent it the second time? Isn't this, I think, the second time in two years?

So it says it was accessed at the end of February using the login credentials of two employees at a franchise property. So here there are several problems. One, do those people at franchise properties need access to 5.2 million guests' data? I don't know; maybe they do. The first thing you need to do is investigate whether or not people actually need access to the data that they have. So access control, the principle of least privilege, which is, if people don't need access to something, they don't get access to it. You need to make sure that's in place. You need to do entitlement reviews where you're reviewing whether or not people actually need it. This is something we see almost every single day. The primary thing we do in penetration testing, I would say, is abusing some form of permission, whether that's lateral movement, privilege escalation, whatever that is. It's because something has access rights to something it should not, whether that's a process or a person. It looks like in this case you have two people, and they used their credentials in order to gain a lot of this information. So they may have been doing all their controls correctly; they may have put a lot of controls in place to do this. But, you know, that cartoon that everybody in this industry has seen for the last couple of years, where you've got all this crazy equipment and Dave in the other corner, who's human error. In this case, they may have had plenty of controls, but if those people have access to that data and they used the exact same password for Facebook and Instagram and MyFitnessPal and LinkedIn and all this crap that they use, exactly the same password for work, which we find very regularly, you've got access to everything that person has access to. So in this case, it's looking like it was two employees of a franchise place, and they have access to what they have access to, and you're able to exfiltrate data.

Another thing I see here is, "the FBI led the investigation of the data theft. Investigators suspect that the hackers were working on behalf of the Chinese military, the Ministry of State Security, which is the rough equivalent of the FBI and the CIA." Okay. Just because you're a big organization and you get hacked doesn't mean it's always a nation state and there's nothing you could do. This may be true. It may be true that it was a nation, you know, the Chinese military intelligence service, that was performing this. But something that I see way too often is that people use that as an excuse of, oh, we couldn't have done anything. There's no way to stop the Chinese intelligence service or the NSA, or there's no way to stop any of these guys, so there's no reason to try. Not true. Often the way that these places exploit things, so getting to people's logins, is not a zero-day that you can't protect from. Okay, now, the Chinese military service may pay those people. That's one thing that's different about intelligence services, that is very different from most normal hackers, which is that if they can't find a way in, they'll just buy their way in. That is true. However, it's much easier in most cases to just find someone's credentials in any number of the however many billion records that have been breached out there and just find that they're still using the exact same password that was listed in the breach. So using the excuse of "it was the Chinese" and "North Koreans," or it was the NSA or whoever it was, "there's nothing we could have done": not true. You definitely can do a lot of things to protect yourself, even though, yes, there are nation-state actors out there.

So it boils down to, like, very few specific things that you can actually do to prevent most of those things, which is education of, like, what people should click on or not click on, in this case actually be very careful what the sender's email address or URL says, and most importantly, as far as security and cybersecurity goes, is access control. Am I right?

Right. Access control is a massive piece. There is no cybersecurity framework out there that does not involve some form of access control, and that needs to be incorporating the principle of least privilege, which we already covered.

Or just, ah, yeah, that's a buzzword. Um, sure. Would you call it, in your eyes, Zero Trust?

Zero Trust is the idea that you never trust anyone who's trying to authenticate and you never give, you know... So it is kind of a version of enforcement of the principle of least privilege. It's kind of a buzzword, kind of like "single pane of glass" and other things that the industry uses. It's one of those bad words that all the engineers stop listening to when people use. But it's just a way to say that you don't trust anyone doing anything at any time; you're only given access to what you need, which is good, which is a way to enforce the principle of least privilege. It just needs to be done everywhere. So yes, access controls are vitally important. Patching and vulnerability scanning, vitally important. Backups, vitally important. And specifically in this case, where you're talking about phishing, business email compromise and all that kind of stuff, you need to have people processes in place too. Those policies and procedures are where you're going to stop things like business email compromise. You need to have programs in place. Users don't only need to be trained not to click on things and open documents and provide their credentials; they also need to be trained on how to respond when they do. Even the best of us will make mistakes from time to time. So employees also need to be trained on what to do in the case they do that. What happens if they do give away their credentials? What are they supposed to do? They need to be trained on that too.

Awesome. Is there anything else you want to talk about that we didn't cover regarding this topic?

Everybody be really... you know, just make sure everybody is as paranoid as I am while you're working from home, which means don't trust anything or anyone. Yeah, I know you've got to do your job; everybody's still got to do their job. Just be careful, because right now it's gonna be bad for a while with cybercrime. I'm sure that a lot of it's happening right now that you have no idea is going on, so be careful. And reach out for help. If you need help, reach out for it to some organization, reach out to some organization that can help you, be it the right policies or, of course, backups or increasing your entitlement reviews or whatever

spk_1:   21:46
you need. You ask for help. Thank you for listening to The Closed Beta Project. Hope you've enjoyed this episode. If you did, please review it and share it with your friends and colleagues. The Closed Beta Project is produced and hosted by me. If you have any questions, please visit our website, lockstepgroup.com. Until the next episode.