We discuss social engineering and cyber security with Richard De Vere, the AntiSocial Engineer.
Hosted by: Jim Preen - Crisis Management Director at YUDU Sentinel
Expert guest(s): Richard De Vere - Director and Principal Consultant at The AntiSocial Engineer
Date: 28 February, 2020
Jim Preen is Crisis Management Director at YUDU Sentinel. He designs and delivers crisis simulations for clients using the Sentinel platform. Along with providing expert guidance on all aspects of crisis communications. Formerly, he was a journalist working at ABC News (US), covering stories including the Gulf War, the Bosnian conflict and the Concorde crash. He won two Emmys for his work.
Richard is Director and Principal Consultant at The AntiSocial Engineer. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for some of the UK’s largest companies.
Jim Preen:Today we're talking cybersecurity, and there's no one better to talk to about that than Richard De Vere. Richard, you sometimes style yourself as The AntiSocial Engineer. Why is that, and can you tell us a little bit about what you do as well?
Richard De Vere: Sure. Well, nice to meet you, Jim, and a great intro. The name is one of the questions I get recurrently as well. Why is it called The AntiSocial Engineer? I guess it's a quite simple story. I once did a very impactful pen test at a premiership football club. We got back to the office and the person that I'd gone to the test with, a fellow tester was-- He just had his hands just round his head, just kind of what had happened. He was just in shock. I said, "It's social engineering, get over it." He said, "No, no. This isn't social engineering." and he says, "You're an antisocial engineer."
I really liked that. It went in the pocket for a few years as it were, but it was a bit of a running joke.
Jim Preen: That is now the name of your company? Is that--
Richard De Vere: Yes. I couldn't think of a better name at the very start, and actually, it kind of grew on me, the name, a little bit as well. It explains the company very well. It's what we do. My personality as well is probably a bit ASPD, antisocial. There's a funny play on words in several ways, because I probably look at the name of the company as AntiSocial Engineer, for me, it means we're antisocial in the form of different to the expectations and norms. We want to be different, but obviously we fight social engineering crimes, so I guess people think it's a play on words, solely around there.
Once you start to discuss the fact, it's a multifaceted play on words, I guess it's kind of a good name .
Jim Preen: It's certainly one that people are going to remember, anyway. That's great. We've got a little more about you on the screen as well. Just to say that we've got a few people who've been telling us weather. Graham is listening in from Greenwich, just around the corner from here, Harry is listening in from Reading, and that's 7 degrees and rainy. The furthest away [chuckles] is Mark. I know Mark, he's a great guy. He's a crisis comms guy in Canada. He's just north of Toronto and it's snowing.
Get this guys, we're okay in London. In Toronto, it's snowing at the rate of 5 centimeters an hour, not sunny and not 25 degrees. All right, very good. Thank you very much indeed for that.
Just before we get into my conversation with Richard, I just want to launch a poll for you here, just to sort of take the temperature of our audience. I'm going to launch the poll now, and hopefully you can see this and just see where we are. Have you ever been the victim of a hack? I just really mean anything, it could be a full-blown cyberattack or data breach, or it could be just having your credit cards cloned. Any kind of hack. Have you been the victim of that?
That's quite interesting. [laughs] I can show you now that, in fact, everybody has voted very very quickly. There you go. I think you should be able to see this. You should be able to see the results now. It's very much 50-50. Half of people have been the victim of a cyberattack and half haven't. Do we have any statistics Richard on how many people have been a victim or is this too vague a poll for that?
Richard De Vere: Well, statistics are quite a funny thing when you look at cybercrime, obviously, we assume everyone wouldn't report the crime. Some people simply just don't know they've been a scam. A common stat from the NCSC is over 3.8 million people a year just in the UK alone, but this is from the ONS. How we gather them stats is in big debate, still.
Jim Preen: Right, and I suppose you
Richard De Vere: scam, you don't know you've been scammed. It doesn't get reported, so we will never know the full story.
Jim Preen: My family's just been scammed. [laughs] People were using our Netflix account right across the world. [laughs] Netflix phoned up and said, "Have you been watching Netflix in North America and Birmingham and places?" "No, we haven't," so there you go. You never know. Even Netflix is vulnerable, but they soon sorted that out.
What I want to do now, Richard, is ask you this question, which hopefully everyone can see on their screen. This is a very personal story for you. Obviously, we're not going to get into personal details, but it really is interesting. You've written, "After being personally affected by a life-changing cybercrime, I'm on a mission to balance the scales and protect people from the perils of the internet." I think this was when your family had some problems with the internet. You worked very closely with the police, as I understand it, to help out. Could you talk about this, please?
Richard De Vere: Sure. It's something very close to my heart. It's a story I've already disclosed to some close people in its full entirety, but it's very triggering for myself. I'll outline the issue. Basically, I was a completely different person a decade ago. I lived in Australia, for instance, and an event happened which completely changed my life. I guess 10 years ago, I was a much younger person, a bit more naive to the ways of the world. I was very much of that personality of shaking the fist at the police, "Why don't you do something? Why don't you catch the criminals?"
I guess I was very similar to a lot of people kind of mixed up on crime. They feel this kind of anger towards the crime, this kind of bodyless figure, and I really wanted to do something. It was around that time-- Because this incident shook me so much, it was just around this time, I couldn't think of a better way to spend my working years. I just couldn't think of a better industry, a better trade, a task to better people than what I'm currently doing, and I did that. It was a bit of an adventure. It started as a trauma [chuckles] and it ended as a bit of a magical adventure.
The outline was, it was powerful enough for me to probably self-learn and start that journey of self-learning. I was in a very different trade. I always knew I wanted to be the person I am today, but it was a very hard journey to get there. I could see the finish line and I was kind of clever enough to know the steps between where I was and the finish line. Still, it required a lot of training. Nobody wanted to give me training, so I had to start a small business to gather some on-the-job skills as it were. I had to teach myself.
I self-taught obsessively day and night. After a while, building on my lifelong skills-- I've always been a bit of a nerd. Building on them skills, I got to a point where I felt comfortable applying for a job. I reached out to a local cybersecurity company, a very high-- It was a company, that still is, in very high esteem to a lot of people, and they gave me a shot. I was up against graduates, I was up against people who had spent many years studying cybersecurity. I think it was my determination, my personality, but in that interview right there, I got the job and I couldn't believe it.
I knew that was the very start of the journey still. I was nowhere near the finish line at all. That was the first hurdle, I'd got on the ladder. I got to work with some very exceptionally talented people. To this day, I'll always be forever grateful for what they taught me. These were people that were kind of robbing banks day-to-day, they were texting companies [chuckles] day-to-day. In that environment, I was nurtured and I learned, basically. The boss was aware of my situation and he only went further to help really, a chap called Andrew Mason.
Jim Preen: Great. That's great. That sets the scene nicely for us. Let's dig into this. Let's start, just kind of start in a soft way, you do a bit of acronym and jargon-busting on your website. I think we all know what phishing is. Although I must say, some of the phishing emails I get these days are unbelievably difficult to detect. Would you go along with that, Richard? Do you think they're getting better at it?
Richard De Vere: They are. There's a consistent trend, I think, to become more and more realistic. The days of African princes with really glaringly errors, that's starting to wean out and--
Jim Preen: Actually I had somebody, a couple of days ago, someone in Iran-- No, Iraq, I beg your pardon, in Iraq, who wanted to give me millions of pounds as well because of the ongoing civil war and so forth. They're still there,
these African princes.
Richard De Vere: Sounds like you should check, Jim. You should make sure that was a scam.
Jim Preen: You think it might be real, Richard? Let's just go through this a bit. I'm a bit unclear about spear-phishing. I like the word, but what does that mean?
Richard De Vere: Sure. I guess it's kind of a build on phishing. We all know what phishing is. It's that annoying email that lands in the inbox. It's fairly rare obvious to spot we see some errors there. Phishing attempts normally are quite generic, but when we get to spear-phishing, this is the result of some research. This is the result of some effort. We see attackers involving the mark or the target in a certain situation where it's pertinent to them.
A spear-phishing email, you mentioned you're in London, Jim, a spear-phishing email for yourself could be something tailored to London, maybe a Transport for London receipt or something. When we look at spear-phishing, it's just regular old phishing with a lot more effort and a lot more .
Jim Preen: I see. That's a bit like whaling as well. I know that whaling is to go after high-net-worth individuals. Part of that is finding out all about them, isn't it?
Richard De Vere: Sure. There is a bit of a hierarchy to phishing too. If you start off with phishing, spear-phishing used to be quite unique, but now we can send spear-phishing emails to multiple people, so we can actually get quite good. When we get to whaling, it's very much focused on that person and it overlaps with CEO fraud. The way I look at it, Jim, is phishing is what you do for £20, spear-phishing is what you do for a £1,000, whaling is what you do for £1,000,000.
That's a good way to look at it, I think, because whaling just means there's sometimes an unlimited amount of funds at stake. In whaling attempts, we see not just sophistication in the actual design of the email, but the whole pretext, the whole supporting evidence of whaling is very powerful.
Jim Preen: I suppose Richard, the fact that we allow so much of our data to go online these days, it's pretty easy to build up a piece. I guess what you're trying to do is just give someone a piece of information that feels very private to them, and their response-- My response would be, "Oh God, this must be real because this is something very personal to me," but we let go so much stuff these days, that it must be quite easy just from open-source material to build up a picture of somebody.
Richard De Vere: Sure. Open-sourced-- We call it OSINT, open-source investigation of data, we can collect some really scary information. When we look at phishing emails, social-engineering scams in general, we tend to think like, "It won't happen to me. I'm exempt from this," but when we actually-- I'll put my hands up, I've been very close to clicking a few links, and that's just the nature of the business. I'm a human and therefore I have some flaws with the rest of the human race. One of these triggers can sometimes be an offer. That's what a good phish has, it has that kind of hook and it has that feeling, you have a feeling. For me, I'm a Yorkshireman. Yorkshiremen are very--
Jim Preen: We couldn't tell from your accent.
Richard De Vere: You couldn't tell, we’ll add in the subtitles, Jim. Yorkshireman's very known for being thrifty. A phish that got me last year, very close to getting me was an Argos refund. I'd purchased something from Argos a few days before and a text message follows through saying I'm entitled for a refund, and all these kind of crazy scenarios flow through my head. Maybe the person I purchased the item for didn't pick it up, maybe this is automated, maybe there's been a recall and it's been refunded, I don't know. Maybe I've paid twice and they've refunded one payment.
All these reasons were going through my head and I thought that this was genuine. I was happy I'm getting some money back. Sometimes you have to really zone out and stop and have a second there to think about what's happening. In a good scam, it's quite hard to do and most people don't notice that point to stop.
Jim Preen: Fine, let's close this one out. What's tailgating? My terrible driving, what's all that about?
Richard De Vere: Tailgating, very similar to the driving situation where we're tailgating behind another driver. What we're doing is we're abusing the level of access granted to the person in front of us. What I mean by that is we're stood by the door, we're hovering around the car-park, we're on the corner. Someone comes, approaches the door. They have authentication in the means of their RFID badge, or people know them. Tailgating is very simple, it's the practice of zipping up behind that person and using their access to enter the building as well. Very simple but very effective.
Jim Preen: I suppose that could be looking over someone's shoulder at their computer screen, conceivably, or is that something different?
Richard De Vere: I wouldn't class it all together. Shoulder-surfing is more of .
Jim Preen: Oh, right.
Richard De Vere: One thing you'll learn Jim, there's terminology for everything in this field.
Jim Preen: Yes, I think. What we're going to do now, Richard, is we're going to widen out our focus and we're going to look at the big picture now. This is more serious stuff. My question is as you can see on the screen, how secure are our networks? Is critical infrastructure at risk? There's been lots of talk about Huawei recently and the fuss about their presence on 5G. Is this for real? Can you talk about these subjects please, Richard?
Richard De Vere: Sure, my opinion, like at the least. In this area, I've seen recently there has been quite a lot of-- There's no other way to explain it, it's politics mixed with cyber .
Jim Preen: For sure.
Richard De Vere: The presence of victimizing or making this brand the enemy, it's counter-productive I think.
Jim Preen: Making Huawei the enemy?
Richard De Vere: Sure. Making them the enemy. Their equipment is solidly combined with our infrastructure already, it has been for many years. Tens of thousands of people are using their devices, of all levels and roles and industries. I think that we're missing the point. I hope I can make-- Like as simple as I can make it, if your biggest concern is this particular brand, then you've probably not addressed your risk model effectively. It's a case of-- It's such a high level, we're talking on a political level. It has more relevance to politics than it does to cyber.
All our information is already flowing through Chinese manufacturers and Chinese devices, but why pick out that particular brand and why now? I think that's my biggest problem with it, really. I've seen it in the media a lot and I've not been a big fan.
Jim Preen: What about the question about our critical infrastructure being at risk? We saw what the Americans did to the Iranians with their nuclear program. How secure are our power stations or nuclear power stations? Is there a big risk here or what?
Richard De Vere: Sure, I guess when you're looking at a general level, you can pick out nuclear power stations as a really good example. I posted something last week, where they have consistently viewed their risks, they've acted accordingly. The nuclear industry is like a very beacon to this. There's no other way to explain it, Jim. They have miniguns because their risk of physical attack can be grave. They consistently assess their risk and come with outcomes and preventions.
If it's physical threats, they have everything from police dogs to a minigun. If the threat is cyber, they have very extensive programs of testing, of improvements. It makes great media that everything is broken, the nuclear power stations are just a tap away from blowing up, but we find in real terms this is furthest from the truth. Not every industry is the same, I might add as well. The nuclear industry is probably the pinnacle of physical security and also cyber-security.
When we look at other industries such as oil and gas and we look at even something simple like water distribution nowadays, it's all online, it's all combined. I think we've gone through that period of the initial proofing. If it could have been brought down easily, then no doubt it should have been. Over the past few years, we've made enough enemies online, there's definitely no shortage of them. I think it depends on what side of the fence you live on. It's either a scary risk that could affect everyone or it's a risk that's being managed by someone else. I think that's quite scary as well sometimes. That's quite a human trait, to query things and to panic sometimes.
Jim Preen: Okay, all right. I think from what you're saying or I draw from what you're saying is that we don't need to panic immediately.
Richard De Vere: About everything.
I consistently find every day people panic about the wrong things.
Jim Preen: That's an interesting idea.
Richard De Vere: Personally, I've got more panic in password security, two-factor, than I have in terrorism online, but that's my personal risk and that's my personal views on the matter. Results may vary depending on whether you're looking after pictures of a cat or looking after nuclear launch codes. I guess you've got to look at that risk as well and start from there.
Jim Preen: Well obviously, looking after pictures of my pet dog would be very, very important and I would demand security for that. Seriously, the two-factor authentication, do you want to talk to that for a moment, please?
Richard De Vere: Yes, sure. I guess it kind of gets lumbered down to me to explain what two-factor is.
Jim Preen: I think you better had.
Richard De Vere: Two-factor, it's one of them life-saving devices really, like features. Google launched two-factor many years ago. Last year, they published the fact that about 10% of their customers use two-factor. The magic thing about two-factor is once it's enabled, it's actually very hard to bypass. When we come across two-factor, especially in a company situation when we're testing through phishing, we get really excited because we've got the password, and then we get really depressed because they've got two-factor. Two-factor really does stop criminals, but the thing is it's got a bit of a brand issue.
Two-factor's complicated sometimes. It can be confusing, it can stop you accessing that thing on the go, and people don't like it. People are a bit resistant to two-factor in everything, but like as I said, there is massive defenses and just quite a simple thing. There is a bit of a hierarchy to two-factor. We obviously-- SMS two-factor been in the news quite a lot. It's very easy to--
Jim Preen: That's two-factor?
Richard De Vere: Yes.
Jim Preen: Right. I didn't know. My phone and broadband, I don't think I'm giving anything-- Perhaps I'm giving stuff away here, my phone provider is Vodafone. For me to sign into my Vodafone account, they have to send me a little code on SMS. I must admit, I didn't realise that was two-factor.
Richard De Vere: Yes. It's a secondary step, right?
Jim Preen: Yes.
Richard De Vere: You need the username, and now, you need to have access to the phone to get that number. I guess SMS two-factor gets its knocks because it can be bypassed, it's not perfect, but it's really good to speed up adoption. It takes a few seconds. It not as good as sole apps that do this, things like Google Authenticator, Microsoft Authenticator. These apps do provide additional cover. There is a very clear hierarchy to level zeroes not having two-factor enabled, and quite dangerous. The first level, kind of the silver medal I guess is like SMS two-factor, but the gold medal is that app, it is that one
Jim Preen: Okay. We better leave that there, but that's obviously something that people need to look into, not least of all, myself, need to look into this. Just when we're talking about this, can we just very quickly mention passwords? Passwords drive me around the bend. I can't stand them but I'm aware that we have to use them. Is there any chance we're going to get rid of passwords, and what do you think about using password managers?
Richard De Vere: Well, we've seen many a company try, Jim, and I think it's been the Holy Grail of cybersecurity. If you can design a product that doesn't use passwords and it's just as secure as everything else, then I'm sure you'd be a millionaire in a few years. The point is when we see-- Personally, when I see passwordless solutions, the first thing I do is look for where they're using passwords.
A product that's offering a passwordless future, I'll find within a minute that they're using passwords in about eight, nine accounts. Their technology, although it's advanced and unique and new, isn't adoptable. It's not usable for all of them. Even the companies that are selling passwordless logins don't have great success. That's my view on that.
What do we do in that problem? Back to the square one predicament where we need to manage our passwords, we have that problem. I think a password manager is the only device that can do that securely. Humans, unless you're some kind of prophet, I really don't think humans can remember the complexity that a password needs, and--
Jim Preen: Sorry to interrupt, Richard. If we do that, we write it down in a Word document and store it on our computer.
Richard De Vere: Sure. We have a limited memory. We can't just do random strings. This is what passwords need. This is the Holy Grail. We need to have unique, strong passwords. By strong, I mean 20 characters, either a passphrase which is like a sentence. The black bar on the website would be a great password, but not now obviously. The whole point of a password is to make it very long and very unique. Password managers do help with that, it’s baked in.
Jim Preen: Well, I have to say, I use a password manager. It may not be perfect but it is pretty good, I must say. I probably need to keep it more up-to-date than I do.
Richard De Vere: If anyone's listening that is interested in password managers that don't want to make a financial start to that, they just want to dip their toe in the water, there's a really good brand called KeyPassX which offers a free solution. There's also others out there as well that offer a free for home use. People can find success in that quite easily.
Jim Preen: I use one called Dashlane. You only pay about £30 a year for that but it seems to work pretty well.
Richard De Vere: Obviously, someone on a . I'd rather see someone using a password manager of-- I guess we say in the industry, we say of popular nature or a successful or a leading brand of password manager. Whatever you want to pick, whatever flavor is up to you, but as long as it's a leading brand, then we can almost assume that it's been there, it's been tested, it's been used.
Jim Preen: All right, good. Well, let's just move on a bit. That's interesting stuff. As a general point, why do people get involved in cybercrime? Is it just an easy way to make money? I remember when the TalkTalk thing broke. We discovered they were teenagers who were doing it in Northern Ireland. What's the deal with cybercrime Richard? Do you have any insight on this?
Richard De Vere: Sure. I'm going to say a very boring answer, but it's the same reason we start wars, Jim. It's power, it's fame, it's money, it's other reasons. Back to human nature, I think cyber is a new thing, the last 50 years, but I think the medium has changed but the people haven't. People have always tried to one-up each other in different ways. I think cyber is just that great medium.
When we look at cybercrime now, there's a massive financial interest. People can be rewarded for their crimes, they can get that feeling of power when they take down a big brand or something or make an impact. I guess it's all traditional reasons we'd assume it is. I don't think there's anything crazy in that field. It's normally in the hierarchy of money being up top and the main reason, kind of financial reasons followed by emotional reasons such as anger, jealousy, these kinds of things.
Jim Preen: Perhaps you could've gone into cybercrime, Richard. Now, there's a thought.
Richard De Vere: I'd probably make more money to be fair, but it's not as a rewarding life. I guess it's what triggers that person, it's what drives that character. For me, the money was not even a consideration. It literally came as a byproduct of being an obsessive person. The money wasn't my drive, but I think for a lot of criminals, it is. I think that's the main reason.
Jim Preen: Well, we do know that people make a lot of money out of it.
Richard De Vere: It can do. Obviously, the success stories. We see the Lamborghinis on LinkedIn, we see the selfies with the masks on and stuff and we see all that. We don't see the sleepless nights, we don't see the negative bank balances, we don't see the downsides. We always see one side of cybercrime and it is the glossy, sexy side that people like to see. We never see the criminals when they lose, the people that are starving because their scams aren't working. We never see that side of it.
Jim Preen: Their Bitcoin account is raided and somebody's was the other day, I saw it on the news. Anyway, let's move on. This next question, I guess we've gone on for a while on this, but let's keep this tight if we can. When you do your pen test and stuff, assuming people know what pen tests are, when you're testing a company's cyber capabilities, what are the common mistakes that you find? What can people do to protect themselves better?
Richard De Vere: Absolute basic, Jim. Every single time. Every single time, the basics, despite being maybe a 10-man band from Sheffield or a multinational global conglomerate, they literally fail on the basics. This is where the biggest danger is. What I consider the basics is good password management, making sure their equipment is updated, making sure that people have enough education. We're using these very complex machines now to go about our life,
has anyone trained people, has anyone trained their staff? Sometimes these are some of the biggest risks we see. People love to obsess on some of the more complex stuff, especially some of the social engineering scams, because the social engineering scams can be quiet thrilling. They can be quite exciting for people, and they think that social engineering is the biggest risk. I guess it comes down to being more of the basics really. Social engineering works because companies don't do the basics.
Jim Preen: Richard, you're slightly losing me here. When you say social engineering, could you just unpack that a bit for me, please?
Richard De Vere: Sure. Let's take the most common social engineering attack, which is a phishing email. Let's say like a company is being targeted with a phishing email. There's some very common defenses that would stop that. Things like DMARC is a really good thing. Things like staff training, .
Jim Preen: What is DMARC?
Richard De Vere: DMARC is a combination of DKIM and SPF. It's basically a set of technical checks that's going to stop malicious emails coming inbound, spoofed emails coming into your infrastructure, and also to an extent, protect your customers as well. I won't try and run DMARC into this, but one thing I will say is there's lots of information about that. There's a company called Global Cyber Alliance. They're very good at sharing information around DMARC, get involved and listen to the DMARC information.
It's absolutely essential if you're concerned about phishing, either for yourself as a business, or your customers receiving phishing emails from you. DMARC is the way forward. It's quite a simple technical prevention, but we find companies don't adopt it. Again, this is what I mean by the basics being covered. This is how we get success as pen testers. We exploit the basics.
Jim Preen: Okay.
Richard De Vere: Sorry for disappointing Jimmy. It's not the briefcase full of gadgets, it's not the fancy mustache that's not been spotted. It's the absolute basics of a company that allow people in.
Jim Preen: All right. I tell you what, I'm going to-- Thank you very much for that, Richard. I tell you what I’m going to do now just quickly, I'm going to launch another poll because this interests me. What is my next poll? Here we go. I'm going to launch a poll. Hopefully, you can see this. I'm interested to know, people who are listening, do you have a specific cyber plan or playbook?
In the wonderful world of crisis management, of which I'm a proud member, people are somewhat moving away from generic business continuity plans, although they definitely still have a place, to using like cyber playbooks, terror playbooks and so forth. I'm just interested to know whether people do use a specific plan or playbook. Is this a world you bump up against Richard? I guess you do a bit, don't you?
Richard De Vere: Sure. With our customers, we work with them to design this playbook. In a way, we simulate attacks, so it's a case of the client company would have a particular concern such as terrorism, such as cybercrime. We'll simulate that scenario on the back of our testing, they'll definitely work towards a kind of playbook. It's tailored advice. When you say about BCP plan or business continuity planning, it is kind of-- Not outdated, but it's quite hard to cover these niche risks, stuff like phishing, like a physical attack.
I found some great success in those companies are going to benefit when there's a problem, there's a difference between a well-prepared company that's going to come out strong from the other side and a company that's going to fold, and it is that prior planning. The largest companies, I won't name them, but the big four accountancy companies, et cetera--
Jim Preen: You just named them, Richard. [laughs]
Richard De Vere: The big four accountancy companies, they would have plans such as, what happens if a phishing email struck, what happens if ransomware-- What happens if someone attends the building? What happens if someone makes a phone call, et cetera. These are quite useful scenarios. We can look at a risk before it happens, and we can actually plan to come out like on the good side of this before it's happened. Prior planning as per usual, it pays.
Jim Preen: Okay. I do think it's interesting. I get in trouble with some business continuity people because obviously they're very keen on their business continuity plans for good reason too. When it comes to terror or cyber, there are very specific things you need to do, and if those pieces of information are buried in a big, big plan, they sometimes can't be found easily and just end up not being used. I am a bit of a fan of the playbook, I must say. I think it's a more modern approach. I guess you guys have been seeing this, there's my little poll that says 60% do have to have a plan in place, so that's good to see.
All right, I'm going to get rid of that. Let's just move on for a second. I want to ask this, internet of things, now I'm a bit cynical about this, Richard. I think it's you lot, you cybersecurity lot are just trying to frighten us with our smart fridges and our smart toasters and so forth, saying that we're all going to be hacked through our toaster. What's the real deal here?
Richard De Vere: I think it's quite common in life, isn't it? The truth is somewhere between the two extremes. I think in IOT or internet of things devices, we're very much in that field. Look, I'm as paranoid as the next tester. We're obviously-- These are the enemy, right? These are the listening devices that we're buying to put in our houses. The question you should be asking yourself, Jim, is, do I have them in my house?
Jim Preen: Yes. I've got Alexa, so I suppose I have.
Richard De Vere: We use Google Home. I think that we have to go with cyber. We shouldn't use it as a kind of us and them. It should enable our lives and it should empower us. I think, is the technology empowering you? Is it making your life better, is the question people should be asking. Now there's going to be a trade-off. If we take a smart speaker, something like an Alexa or Google Home, et cetera. There is a trade-off, right? They're going to get your data, they're going to get your search requests.
If there's a search request made by that speaker, it's going to be logged by that company. Now, this is where we fork in the road and this is where a lot of the security community have problems. The very fact that you've searched for something is now on a log by the likes of Google or Amazon and this is terrible, but they tend to use this information just to sell you more stuff, just to target adverts. Me, I'm going to get adverse regardless, and it's a case of these adverts want to be a little bit more tailored to me.
I don't think this is the risk that people should be concerned about. I do think data privacy is very important. I don't think the Google Homes and the Alexa are the enemy that become the whipping child for data privacy problems. I think there's much more than that. If you're concerned with the data privacy of your Google Home, you're concerned with the data policy of Google. If that is a problem, if that isn't to your liking, do not sign, do not buy the devices.
I guess people have to ask themselves that question because we see the horror stories. People are listening to search results in Germany. Amazon technicians are listening in to queries, Siri is recording everything, but is it just the medium of the 2020? [chuckles] Is it any different to the stuff of yesteryear? People have to ask themselves what it matters to them, like is it making my life better or is it making it worse really? How I use the device, it makes my life better, like assists me, and I think, the risks, they're to be debated, but it's not really a concern for me, Jim. really paranoid about this, but I'm not.
Jim Preen: All right, well that's good. It's quite reassuring that you are not.
Richard De Vere: Well, to say on the flip side of this, Jim, we have had problems such as the Mirai attack where internet of things devices have been compromised. They've been bought into a big botnet, and-- IOT security has a bit of a reputation for being abysmal. When we step out of the Amazon and the Google ecosystem, we can go into devices made in foreign countries and made on a budget. I think this is the bigger risk.
I'm going to leave this just on this point, if you're concerned about data privacy, chill out around Alexa and Google and Siri, but do explicitly ban products that are made in a few days by some startup abroad and they've not got any considerations, any safety preventions. Nowhere to reset the password and make it safe, chuck them away. It's a personal preference it boils down to.
Jim Preen: All right. Okay. Good. I haven't
had any questions recently, guys. Anybody out there want to pop some questions to Richard? We've only got about 10 minutes to go. If you've got any cyber questions, please butt in and ask us a question. Just moving on a bit to more government-related things. You talk about in your writing about regulation to combat fraudulent communications, what regulations would you like to see and what can the government do to combat cybercrime?
Richard De Vere: That's a really good question. It would make me the happiest man alive if there was some support from the government, I guess. What I mean by this is, I was in a meeting with a chap from the Met police. It was a time where people were very dismissive of regulation. I spoke to this chap and he explained how he'd bought in regulation to stop printing fraud. In the 1980s, people producing money, people producing currency, fake documents, needed materials such as paper and inks, and the regulation that he bought in solely himself helped to reduce this kind of fraud.
I was excited by this, that there is some light at the end of the tunnel. I do think regulation is what's going to stop the problem or what's going to reduce it. What I mean by this, Jim is we can get too much regulation. I'm going to pick out an example here of, China. In China, you cannot spoof a text message. It's impossible. Their government has controlled that situation to the point where it's not technically possible to spoof a text message, which I find quite exciting in a way because, in the UK and other countries, we don't have enough regulation. It's too easy to do basic things like spoof a text message.
I think it's a bigger problem, Jim, and I don't think regulation alone will combat this, but a mixture of regulation, enforcement, proactive measures. I think it's getting to that tipping point where we need to do something. If my idea of regulation is the only one that's on the table, then maybe it's time to address it maybe, or just review it. There's only one way forward, but I do think it will be successful. What harm can it do?
Jim Preen: You complain about the government not doing enough, but we do now have the National Cybersecurity Center, how are they doing? What's your take on them? Are they worth their pay? Are they available-- Can organisations approach them for advice? What's the deal with them?
Richard De Vere: Yes is the short one, Jim. I think it's great progress. I've personally had my own disagreements with them and not saw eye to eye with everything that they've said, but I think it's definitely a step in the right direction. I think we lacked that space for a long time as a nation. We didn't have that authority figure when it came to cybercrime. As a young tester, when you see an issue, I didn't know where to report that issue. It's only in the past couple of years that we've seen this kind of support and this kind of collaboration from industry.
It's not perfect and they can be quite dismissive around certain things, but the big effect that they're offering I think is quite good. One thing I will plug is a service they run called CISP. CISP is a service they run basically to share information. It's the cyber information-sharing platform. They have good success as well. On a personal level, there's a chap called Ian Levitt, who brought a lot to the table. He did bring a lot of good things to the organisation.
Jim Preen: Okay, all right, good. Just one thing though, just blowing our own trumpet at Yudu Sentinel, one thing that we do, which I think is quite good, and I've done it at other companies before, but we use Slack to send information to each other. You know Slack? I assume you do, Richard? It's quite useful. It's like Yammer. We have a Slack channel that we use where people can put-- If they get a phishing email, then you post it up there so that it's shared with everyone. Everyone can see the kind of area that we might be attacked, any new phishing email. It just keeps people on their toes, I think.
I think is quite useful. It's what you were saying about sharing information. That's the way we do it at Yudu, is we share any kind of phishing attacks that we see. I'm just going to say that. Tim has asked a question which I can't answer, but maybe you can, Richard. Is Cyber Essentials, a good indicator of a secure organisation?
Richard De Vere: Really good question. Cyber Essentials is the go-to scheme in the UK. Look if you're going to get a certificate and think you're going to be safer because you've got this piece of paper in your hands, then you're probably not. If you're going to look at Cyber Essentials as a process, but you can look at some key areas and work on them and build to the point where you can get accreditation for Cyber Essentials, then I really do think it is a worthwhile area.
I have to speak very highly of them because again, a bit like the NCSC, there was a big void before Cyber Essentials. The companies that wanted to do something didn't know what to do. They haven't got time to contract over a hundred different companies to get bits of information and doing it their way, doing it their way.Cyber Essentials was that kind of overarching scheme that it needed. The first point, anyone that's curious about Cyber Essentials, just go on their website and look at the checkboxes. Compare that to your organisation and start to think, "Would I be safer with some of these checks being done?" If you are then brilliant, work towards that process.
They have a very minimal level. The first one is the self-certification. That's something you can do with a form, a few hundred pounds or a minimal fee. You send that off and you've got the certification. The goal, really for an organisation is to build upon that process to the point where they can get accreditation from a third party. I think that's the one companies should be aiming for, to be honest, because it's not just a self-certified certificate, it's the fact that that's been independently audited. It's definitely a good check for a company.
There's very few that compare with it. If you're starting off in the cyber field, at least look at Cyber Essentials. You don't have to apply. You can still read the website, take the tips and do them before even applying. That’s what people miss. It's a bit like ISO 27001. You can bring in some of the factoring points, you can learn from that experience without getting the accreditation straight away.
Jim Preen: Okay, all right, Richard. Thank you. Thank you very much. I hope that's useful to you, Tim. We're coming towards the end here now. I want you to get the old crystal ball out here Richard and gaze into it. What do you see? Where's all this going? What does the future hold? What trends do you see emerging as far as cyberattacks go and as far as cybersecurity goes?
Richard De Vere: Of course, Jim, it's going to be what's on the Gartner Magic Quadrant and the Forrester waves. I actually think it's going to be the same, Jim. I'm trying to be a pessimist or sound like I'm depressed in my trade, but I think it's going to be pretty much the same as last year, but worse. It's going to be a case of what's going to work. We've seen this trend over the years where technical defenses are getting harder and harder. It's coming down to the human element, and however we can target humans, the better.
Whatever mediums we can use, such as text messages, such as phone calls, I do think social engineering will increase. That's not my magic ball, working at full optimisation, but it's a case of I do think cybercrime is going to get worse. The only thing I can say to that is a positive trend over the past few years, endorsed and supplied by the ONS. I think if you're going to book that trend, if you're going to disagree with the fact that cybercrime is going to rise over the next few years, you best bring a good mathematician because the stats show otherwise. I hate to leave it on that pessimistic note Jim, but that's my predictions for next year. More scams.
Jim Preen: Okay, that's good. This is not an original thought but it holds true for all that, I think the responsibility for cybersecurity no longer just lies with the IT department, it's a boardroom issue as well and the chief executive needs to be up to speed on this. Now, a lot of chief executives are not in the first flush of youth and grew up when a computer took up a whole room. While they're not going to solve the problem, they do need to know the questions to ask, right?
Richard De Vere: Yes, 100%, yes. You don't have to be a young person to understand and keep safe online, if anything, the opposite. Use the kind of attributes as always. Use your attributes to do what you can do. If you're just an aged
businessman that's made all this money in business in very traditional fashion and you're stuck with the cyber risk, then it's just a consultant away, very much like any other business problem. I think age is a bit of a top out where we-- I'll tell you now, we've assessed large organisations with different age groups and they don't click more. Old people don't click more. They are not really interested. 21 to 50, there's no discernible difference in the click rate.
Young people click because they're haphazard, they're in a rush. They’re familiar with technology, they trust everything. Older people that aren't familiar with technology tend to click because they don't understand the scenario or they've been duped by a new fangled technical measure. That's my thoughts on that one.
Jim Preen: All right, Richard. Well, I think we're going to wrap it up there. Just to say, thank you very much indeed for really fascinating stuff and a great conversation. Thank you for that. I hope everyone has enjoyed that. I'll be running another webinar next month, so watch out for that. I'll be sending out details shortly, but in the meantime, Richard thank you very much, and it's goodbye. Bye-bye now.
Richard De Vere: Bye Jim.
Jim Preen: Bye-bye.Back to Resources