Garrett O’Hara is the Chief Field Technologist, APAC at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
Gar is joined this week by Michael McKinnon, AISA Melbourne’s Deputy Chair. Michael has done it all, he was the CTO as well as the Media Spokesperson and Security Awareness Director at AVG. He worked at HackLabs in governance, pen testing, ran security awareness training and red teaming. He worked at Pure Security providing C-level advice, incident leadership and future proofing security spend. Michael also gives back to the security community with his AISA involvement.
Thanks to Michael's wide range of security experience, there's very little you can't ask him about. In this episode we get his perspective on the role and value of formal education and certifications in the world of cyber security, how training has evolved and where it might go, and what hiring managers are looking for. Gar and Michael also talk about the world of SMEs and reflect on the challenge of the supply chain, C-level strategy, the disconnect between business and tech, ransomware trends, incident response and digital forensics.
The Get Cyber Resilient Show Episode #29 Transcript
Garrett O'Hara: [00:00:00] Welcome to The Get Cyber Resilient podcast. I'm Garrett O'Hara and this week I'm joined by Michael McKinnon. He's AISA Melbourne's deputy chair. Michael and I have actually crossed paths a few times. We met at the AISA conference in Melbourne a few years ago. And this week I stumbled on the fact that I quoted his excellent AusCERT 2019 plenary, The CISO and the Gunslinger, in my plenary, which was the following day, I was speaking on the human side of cyber security. More recently, I was in a cohort of his students for the CISSP course he facilitated for [ISC]² and AISA. And after the first night of that course, I had it in my mind to ask Michael to be a guest because it was very clear he has a deep and broad experience, but also that gift of storytelling and seeing how the little picture affects the big picture.
Michael has done it all, with AVG as CTO, media spokesperson, security awareness director, Pure crisis response with HackLabs doing governance, pen testing, security awareness training, and red teaming. And now at Pure Security doing C-level advice, incident leadership, future-proofing security spend, and also giving back with his AISA involvement. So there's very little you can't ask Michael about and in this episode, we get his perspective on the role and value of formal education and certifications in the world of cyber security, how training has evolved and where it might go, what hiring managers are looking for. And we talk about the world of SMEs and reflect on the challenge of the supply chain. And that's something that was highlighted in the federal cyber security strategy 2020 release. Michael actually gave me a light bulb moment on that one, where I realized the problem might not be exactly what I thought it was.
We also talk about C-level strategy, the disconnect between business and tech, ransomware trends, incident response, and digital forensics. So it's an absolute whopper in terms of what we covered. So as always, please enjoy.
Hello everybody, and welcome to The Get Cyber Resilient podcast. It's a beautiful day in Sydney today. I'm looking at, at some wind and blue skies as we're recording on a Friday afternoon. And I have the great pleasure to be joined by Michael McKinnon, Asia, sorry, AISA Melbourne Deputy Chair. How you going today, Michael?
Michael McKinnon: [00:02:19] I'm very well. Thank you, Garrett. Pleasure to be here. And I'm in Melbourne, of course. Uh-
Garrett O'Hara: [00:02:23] Yes, you are. [laughs]
Michael McKinnon: [00:02:24] ... It's not too dissimilar weather that sounds like you're experiencing. A little bit of light cloud cover here, but, uh, not a, not a, not an unpleasant day.
Garrett O'Hara: [00:02:31] It's, uh, it is my favorite time of year, I have to say. This bit in between, you know, as we kind of approach spring, those beautiful blue days where it's kind of cold and that suits, uh, my Northern Hemisphere Irish, uh, Irish, uh, makeup. So, uh, yeah, this is, it's definitely a favorite time of the year. So, uh, Michael we, we met, and we'll say met, um, you were the facilitator, I was, I was part of the cohort of your, I think last batch of students, but maybe you've started another CISSP course, uh, since then.
Michael McKinnon: [00:03:00] That's right.
Garrett O'Hara: [00:03:00] Um, so I've, I've actually heard you speak for about 30 hours, I think, but this is actually our first time talking. And, um, yeah, during the course, you had a lot of very interesting stories and, and obviously you're delivering a course like that, so, um, I thought it'd be phenomenal for the, uh, yeah, audience to get to, to hear some of your insights and, um, and your perspectives. Um, one of the things we always like to start with is, is how does somebody get to where they are today? And, um, I did some LinkedIn stalking as you're well aware, as I said before we started, um, but it's always lovely just to get, to get your bio in, in kind of one or two minutes as, as to how you got to, to do what you're doing today?
Michael McKinnon: [00:03:38] Yeah, definitely. So look, my, my career started, uh, many decades ago, um, pretty much in the nineties in the last century. And I was involved initially, uh, my first full-time role was actually with a- a retail chain, a supermarket chain, and I was working in mainframe operations, and I've come a very long way since then. Um, computing and, and the landscape has changed significantly since then. We saw the introduction of, you know, personal computers as opposed to mainframes, we've seen multimedia and I rode that wave through the, the mid to late nineties. Um, and then I then got involved with an antivirus company called AVG that people may have heard of, and that actually company got acquired by Avast in 2016. And I was, uh, involved in building out the Australian operation there with the company that was the distributor there. And really my background then was in web development and I built their eCommerce platform and, and all that sort of stuff.
And what happened was when I built this website, um, it was under attack on quite a regular basis and I had to become really good as a developer to also make sure that that platform was secure. And then I started to really adopt an interest in web application security and then that took me down the whole path of information security and where we are today, which is really cybersecurity. And I've been in the consulting game since about 2012 or thereabouts with a number of different organizations and today I'm the chief information officer of Pure Security and that's my, you know, full-time paying job. And my volunteer work is with the Australian Information Security Association known as AISA, and I'm the deputy chair of the Melbourne branch and this is a fantastic association to be part of. We have a lot of members in the industry that come together, uh, on a regular basis.
Of course, before COVID-19 we were doing this more in a physical sense, and now we do it in a virtual sense. And of course, the, the course that you participated in was the, uh, CISSP, uh, course, which was, uh, really good to have you as, as part of that. And we've run a number of those now. Um, my involvement with CISSP started when I first became a member of AISA, where we had a, um, weekly catch up to study CISSP, and then I did the exam. So for people who haven't heard of CISSP, it's the Certified Information Systems Security Professional certification run by [ISC]² and, uh, yeah, it's been a really good journey since then.
Garrett O'Hara: [00:06:03] Yeah, it is. It's phenomenal. And, the, the course was, um, interesting, and I know you guys said it, uh, many times, it's, you know, it's so broad. A huge, huge amount of, of information, and I'd be very keen to kind of get your thoughts on the value of that type of training and you know when you think of what a, you know, a good security professional looks like where that sort of fits into their makeup?
Michael McKinnon: [00:06:27] Mm-hmm [affirmative] Absolutely. I think the, the term security professional can be misleading and it really has a number of different angles, which I, which I find fascinating. If you have a technical background, then you probably look at security in a certain way. If you've come into the industry through a business or managerial role, or maybe as a business analyst, you probably a- approach it more from a governance and compliance, um, side of, of things. And so there's really, uh, that term security professional can be misleading because it, it sort of tries to label us all in the industry, but it doesn't accurately describe what our talents are. And of course the problem here is that the knowledge you need to have, or the knowledge that, that hopefully a lot of people have is, you know, it needs to be very, very broad to be very effective in cyber security and what the CISSP certification does is it doesn't, it doesn't aim to take you down every rabbit hole, but at least you know where all the rabbit holes are and that's kind of how it works.
Um, and it gives people that awareness of you know what you don't know and you know that it exists, and then you can seek out specialists and professionals who deal with that particular area or domain of cyber security. And that's a really important aspect of how to understand, you know, what a security professional should actually know about as well.
Garrett O'Hara: [00:07:44] So that's a really... A light, a light bulb has just gone off in my head because, um, if, if there's one thing that that course did, it's highlight exactly what I don't know and which turns out to be an awful lot of stuff and there is so much in, uh, so much it, but, um, yeah, it was such a great experience. How have you seen the training and certification type stuff evolve over your time in the industry? So you kind of mentioned you've, you know, you've gone back to, I think, you said the, the sort of '90s.
Michael McKinnon: [00:08:11] Yeah.
Garrett O'Hara: [00:08:11] I'm guessing things have changed a lot over that time.
Michael McKinnon: [00:08:13] Yeah, definitely. And, um, with certifications, I guess, uh, it's become more important as cyber security, information security has really become sort of, uh, a more broadly recognized craft. I guess, there were quite a lot of years there where you were either a hacker, uh, which is to say you were a technically founded, you know, based security professional and even in that domain, um, there weren't a lot of s- security certifications available initially. Um, there are groups and certifications like the CEH, Certified Ethical Hacker certification, there are things from an organization called Offensive Security that have a thing called OSCP, is kind of their, their, uh, main certification. So very technically based. In the audit space, uh, there are organizations like ISACA that have, uh, a lot of really good certifications, um, CISM, C-I-S-M, for example, CISA, C-I-S-A. There's a bunch acr... You know we're all about acronyms in this industry, let's face it. Right?
I often use the term, um, you know, you have to know your TLAs and TLA stands for a three-letter acronym. Um, and of course we have FLAs, they're four-letter acronyms, but the joke is kind of lost in that regard, right? Because it's only a three-letter acronym so. But, um, ISACA is this other organization that are there. So then you've got [ISC]² who do CISSP and CCSP and a bunch of other certifications. So essentially you have, you know, have a collection of these certification bodies. Um, and certainly that has started to become much more popular over probably, um, over the, over the, you know, last decade or so. Has been really... If you want to be recognized as a cybersecurity professional, you're really gonna need to have that, particularly where, um, you work with penetration testers, they need to have OSCP essentially as sort of the minimum entry level now into the industry. Um, and the CISSP is kind of recognized as, as one of the gold standards for, particularly in the United States where the Department of Defense kind of recognize CISSP as, you know, meaning something really good as well.
Garrett O'Hara: [00:10:13] Yeah, absolutely. And, you know, you've mentioned a lot of TLAs and FLAs, and you know, there is a huge amount of, of options out there. Where do you see, I suppose you could call it formal learning, like what's the evolution, um, given the, you know, plethora of options that are available now? How do you see that evolving into the future?
Michael McKinnon: [00:10:32] Um, yeah, I don't know actually. Um, I guess I just focused on the CISSP stuff and don't worry too much about industry trends for, for, for training, you know, longterm. Um, there was some interesting news that, that came out. I can't remember the official name for this, but there's a part of the UK government, or there's a, there's some sort of education, um, research group in the UK that recognized recently that CISSP was the equivalent of a master's degree in terms of the, um, sort of, you know, level of knowledge you would need to, to pass the exam, which is extraordinary when you think about this, right? And of course, a lot of people jumped up and down and said, "Well, how can a three-hour exam, you know, even match a master's degree? That's just absurd." Um, but I guess what, uh, this group in the UK are saying is that they recognize this because to study CISSP and to pass the exam, it is a decent amount of effort. And then, and the sort of, you know, the sort of person you need to have is someone who's diligent enough to be able to do that study and get to, you know, you know, ge- ge- get to pass the exam, um, in that way.
So, um, yeah, it's, it's an interesting one. I think, again, it comes back to the fact that the industry you're working in is so vast and, you know, whether it's a vendor certification and there are just no shortage of those or whether it's getting a certification from a, a major body, um, the challenge is how do you keep up? Which certifications do you need and how does it- it help your career at the end of the day?
Garrett O'Hara: [00:11:59] Yeah, absolutely. So yeah, like as you say, there are a lot of options there in terms of certifications, qualifications, and people could go do a master's, they could do CISSP, um, and then there's all the vendor type qualifications. What, what do you think is appropriate for people, you know, as they, they go for maybe certain roles? I mean, you've obviously built teams, and, what, what do you look for in terms of qualifications? And then what's the balance you're looking for in terms of formal learning certifications, and then maybe experience? And, and, you know, it's obviously a question that may be nearly impossible to answer, but, uh, keen, keen to get, get your thoughts. [laughs]
Michael McKinnon: [00:12:35] Absolutely. Look, I think, I think, you know, anyone can get a certification if they study ha- hard enough, but then now there's some certifications that require experience and that's when experience trumps that, that education side. Um, I think when you're hiring a team and given the sort of skills gap shortages generally seen in the market, um, you know, you can get into situations where you just have to take people with experience over, over some certification or some qualification, you know, formal qualification because, um, if you can, if you can hire good people with a good attitude and they have the experience, you can always get them the certification as part of their role, right? So, um, but if you are, if you're in a situation where you have a bunch of candidates applying for a single role and they've got the experience and the certification, well, it's no, it's no easy, you know, it's an easy decision, you know who you're gonna get, right?
Garrett O'Hara: [00:13:26] Yeah.
Michael McKinnon: [00:13:27] Um, because the certification is ultimately the validator, the sort of the independent validator of that person's experience and po- and potentially a capability.
Garrett O'Hara: [00:13:34] Yeah.
Michael McKinnon: [00:13:35] And if we look at specific types of roles, if you looked at a penetration tester for example, uh, you're gonna look for the OSCP, the Offensive Security Certified Professional, um, certification. If they have passed that, what that means is they have passed a 24-hour hacking exam, where they have a 24 hour window to hack into, I think it's about five systems, and they have to submit a report within 48 hours after completing that, that has to pass a certain minimum standard. So when you employ a, a penetration tester who has that certification, you have some independent way of verifying, "Well, at least they've done that." At least we know they can write a report that, that, that makes sense, that, you know, technically, you know, checks out.
So that becomes a really strong way of, of, you know, trusting that appli- applicant for that particular role. In governance, compliance roles, and sort of general cyber security advisory roles, um, you know, experience, how you present your soft skills, those things are generally gonna win out even over a certification, but again, if you're choosing between multiple candidates, the one with the certification is generally gonna be in front at that point.
Garrett O'Hara: [00:14:48] Yeah. So a com- uh, a competitive advantage. Something has just gone off in my brain there, which is that the- there's no gimmes, or maybe there is, but certainly not in CISSP and some of the things you've mentioned there in terms of, you know, passing these exams. And I know there's other, I call them areas where there are courses you can go to and you can get certifications, but really the, the passing and the certification is, is, it's sort of a tick box exercise and I've been to those courses, so I'm kind of speaking from experience.
Michael McKinnon: [00:15:18] Mm-hmm [affirmative]
Garrett O'Hara: [00:15:19] And, um, it feels like in cyber, we don't have that luxury because maybe the stakes are just that a little bit higher.
Michael McKinnon: [00:15:26] Mm-hmm [affirmative]
Garrett O'Hara: [00:15:26] Is that a fair comment? 'Cause like what you've just described there at 24, 24 hours to, you know, to, to penetrate systems and produce reports, like that, that seems pretty, like a pretty high bar.
Michael McKinnon: [00:15:37] Absolutely. Um, you know, as you were talking in, I was thinking of your classic enterprise, you know, level. Um, sometimes you'll see organizations have a learning management system that, that they subject every employee to the regular OH&S training questionnaire or whatever and, you know, you see some of these, it's like you answer these 10 questions on what, you know, um, safety in the workplace and, uh, and then you go, you know, here, here, next, next, next, next. You go, okay, you know, check my score. And it says, you got eight out of 10, maybe just go and review your answers for these other two questions, right? [laughs] Um, and so you know, that's not a really good way of educating people, right? That's the checkbox scenario that you talk about. Um, the challenge with cybersecurity for me is that in order to be a really effective cyber security professional, there is this huge element of experience, which, which comes into play. And it's the war stories, it's the learning from having dealt with, you know, critical cybersecurity incidents, for example, which I've, I've had some recent experience on and getting better at doing that. Um, it's it's being able to, um, really put your shoes, your, your feet in the shoes of the customer or the, the affected people and understand, you know, how they look at this and what their challenges are in, um, security.
And the other thing is that in order to be a good cyber security professional, you also have to be a really good IT professional, which is to say, you need to have a certain level of understanding at a very advanced, in a very advanced way to understand IT systems in general, so that you can then think about all of the security implications that apply to those IT environments. If you don't understand IT environments, you have very little hope of understanding information security. So, you, you, you almost... We're at the very top of the stack in terms of, we have to have all of this knowledge, all these layers underneath and knowledge before we can even study and really, get, get really good at information security.
Garrett O'Hara: [00:17:39] Yeah, it is, it's an interesting intersection. I'd like to talk about this a little bit. Um, the, the type of people who are good in this industry, it feels like these days, are that rare breed who are they have the technical chops, but then they've got the-
Michael McKinnon: [00:17:53] Mm-hmm [affirmative]
Garrett O'Hara: [00:17:53] ... the sort of people skills. It feels like has become much more of a, um, I would say, requirements, you know, as you kind of navigate... especially as you kind of get into senior roles like yourself where you, you, have to navigate politics, you have to understand customers. It's not enough to be good technical, actually, you have to be a little bit of a politician, and a salesperson, and a marketer-
Michael McKinnon: [00:18:12] Exactly. Right.
Garrett O'Hara: [00:18:12] ... and, um, and a storyteller. A little bit of maybe a shift, um, in the conversation. So obviously we, the Australian cyber security strategy 2020 document got released a little while ago and, um-
Michael McKinnon: [00:18:25] Mm-hmm [affirmative] Finally.
Garrett O'Hara: [00:18:27] ... yeah, fi- fi- finally. [laughs] I'm glad you said it. Um, but one of the areas of focus in that, um, document was around the support for SMEs, and it, the language in there, when I read it, it seemed fairly loose, um, but it's a very, I think it's fair to say, a very important focus area. And, you know, when we talked about it, and this was one of the things I think we covered in the CISSP course, is that everything is so connected these days, you know, digitally, uh, that sort of global interconnection. And, you know, supply chain is a concern, you know, the organizations that are small, but providing services into la- larger organizations. I mean, if they get popped, then potentially larger organizations, um, are gonna be victims too. What are your kind of, I suppose, broad thoughts, and like, and again, might be a really difficult question to answer, but how do we even start to solve that security problem of, of supply chain and that kind of digital interdependence?
Michael McKinnon: [00:19:19] Yeah. Absolutely. Look, small to medium size enterprises are an enormous challenge. And when you're looking at this from that government lens, and you're thinking about, uh, the pro- prosperity of Australia as a nation, and you think about all of the private sector, you know, organizations that exist in Australia, for example, um, you know, I don't know what the exact percentage is, but it's, you know, a vast majority of businesses are small to medium-size enterprises. Like, it's like 90 plus percent, or even more a- are small businesses in this country. Um, those small business owners, uh, and many of those businesses might even be just one or two people, and then you've got a bunch of companies that exist between that sort of two employee to maybe 50 employee mark. Those business owners, they've got a lot of stuff to have to worry about and cybersecurity is a bit further down the list than if you were running a large ASX listed organization, and you, you're in, you're in a, you know, maybe you're even in financial services and you're regulated by APRA and other, other regimes that are really scrutinizing everything you do because you hold vast amounts of, you know, personally identifiable data and all these sorts of things. But there are plenty of small businesses that are suppliers into those larger organizations that also have thousands or hundreds of thousands of perso- records or personally identifiable information.
And so there's this challenge that you've got the data, if you just think about the data and where it lives, there are lots of small businesses that have access to quite large volumes of data, but they don't have the resources, or even sometimes the desire or motivation to really protect that data the way it needs. So that's sort of the, the problem statement at that highest level. And so then the thing is, well, how do we bring those small owners? How do we make them care about this problem, right? Now, the ones who get hacked, the ones who get whacked with ransomware and realize what's at stake, they, they get it, right? It's very hard to communicate to business owners who've never been impacted by this just through sheer luck that this is something they need to deal with.
Um, many years ago when there were earthquakes in Christchurch, I had, I was working for an organization at the time where we were helping organizations with backup of data, so you know, backup strategies, backup technologies, that sort of thing. And I remember going to Christchurch, um, sometime after those earthquakes and, and I was having meetings with business owners and they're like, "Oh, you know, we've, we've got to do, you know..." They, they were really keen to work out their backup strategies because they had experienced firsthand the impact of that data loss, yet, you know, in Australia, when we were seeing similar types of businesses, they just had no, no interest because they, they, they couldn't realize that this could happen. The same way now through COVID-19, we, we think of like pa- pandemic is a one in a hundred year event. It's never going to happen. Like, you know, the, the notion of, of quantifying risk being in one in a hundred years is like, well, it's never, it's not gonna happen. It's unlikely, but it happens every hundred years. Um, but you just don't know which year it's going to be. And so then it's, well, how much effort do you put in?
So anyway, coming back to the small business owners, how do you get, how do you get them to care? Uh, and I think that is an extraordinary challenge that, um, I, I still am not confident anyone has the ultimate solution on.
Garrett O'Hara: [00:22:44] Yeah. And to, to riff on that, so if you get them caring, I think you, you kind of mentioned this as you started talking around, around this part. The resources, because that's the other concern I think that is fair to say. And you mentioned, you know, as an SME, you might not have, well, the sort of technical or security people, obviously in-house-
Michael McKinnon: [00:23:05] Mm-hmm [affirmative]
Garrett O'Hara: [00:23:06] ... or potentially the funds to pay for technical or security, uh, experts.
Michael McKinnon: [00:23:11] Absolutely.
Garrett O'Hara: [00:23:11] And one of the things I noticed in the sort of strategy document was there was language around sort of uplifts and helping. Would it be, would it be a crazy idea to somehow fund or provide some sort of funding, um, for SMEs so that their security is uplifted with the view to benefiting everybody? Um, almost like, you know, like universal healthcare, but universal security care or something, but, you know, some way to, to help those very small organizations so that they aren't the vulnerability to larger organizations?
Michael McKinnon: [00:23:46] Yeah. I think that, again, looking from that government perspective, you know, what are the levers that they can pull to make this sort of stuff happen? Yes, maybe it is a, a payment of some sort in some sort of mo, you know, monetary incentive that if your business can pass maybe like a cy- cyber health check or something like that, that you could, uh, be awarded some, you know, some fee, you know, some, some levy or something like that that would, um, that would make life easier for you. Um, there've been a number of schemes that have sort of been rolled through in the past, but the uptake has always been quite low. Um, and again, it comes back to that problem of, you know, how do you make them actually care? But it's not, but you got to put yourself in the, in the, in the shoes of a small business owner, they're worried about where their next big customer is coming from. They're worried about, you know, staff issues. They're worried about a whole bunch of other stuff. You know, cash flow, how are we going to survive the next month? Like, you know, cybersecurity for them is just not... It's, it's a hard sell. It really is a hard sell.
Um, you could go down the path of, of some sort of regulation on small businesses and you could say to a certain extent with the Australian privacy principles, where if your business has a turnover of greater than $3 million annually, then the privacy laws are going to apply to you. And that's to say that if you have a data breach, for example, that is where the private information, um, will represent serious harm to those affected then you have to, um, notify the government of that breach. But the problem there as well is that for some of those smaller organizations that fit into that category, they, it's usually around reputational damage. Now, if you're a small business, your reputational damage actually may not be that great because you may, you may, not be that well-known in the first place for it to really matter. So again, motivation is a, is a, is a difficult, um, thing to deal with.
Garrett O'Hara: [00:25:34] Yeah, it's definitely complex. I was on a, a, I was part of a panel yesterday and, uh, so this isn't my idea, but, um, one of the people on there talked about how, um, in the finance industry they've done a reasonable job of supply chain and, and uncovering potential vulnerabilities to things like credit scoring and the comment was around, and it almost reflects exactly I think what you've described as a cyber health check, but coming out of that, you get essentially like a score and that score then reflects the potential risk for an organization if they were going to choose to use you as a supplier. And I thought that was-
Michael McKinnon: [00:26:10] Hmm. Definitely.
Garrett O'Hara: [00:26:10] ... and I thought that was quite an interesting idea.
Michael McKinnon: [00:26:11] Absolutely. There's, there's a lot of those ideas developing, and certainly from that, um, they, that mid market, enterprise market, um, has certainly been focusing very heavily in the last couple of years on the notion of, of assessing your vendors, you know, going out to your suppliers, sending them a questionnaire and saying, "We wanna know about how good you are at, at handling your security?" And we've seen in our, in our daily practice at Pure Security a massive uptake of that kind of business coming to the door. You know, people contacting us and saying, "Hey, I'm dealing with some big, you know, company, I'm only a little tiny supplier and they're sending me this Excel spreadsheet with about 50 questions that I don't even know what ISO 27001 is. Uh, what is this thing?" And so, you know, certainly that is, uh, I think one aspect that is definitely having an impact, um, on some small businesses, because they're finding now that they can't actually get, and maybe that is the ultimate solution, right? That it's, uh, it's driven by the fact that you won't get that business from those larger clients, unless you can comply and demonstrate your, um, applicability to their cybersecurity expectations that they're putting on you.
Garrett O'Hara: [00:27:21] Yeah. And even, I mean, the potential then for, uh, you know, providing services at a premium, you know, if you've got the five star rating, uh, for cyber security, you know, it almost becomes, I don't know, like good wines where they win the accolades. You know, it's, it's the badge that makes people, makes people buy your service.
Michael McKinnon: [00:27:39] Exactly.
Garrett O'Hara: [00:27:41] Um, look one of the other things that strategy document did talk about was the kind of more broad community awareness and I think it sort of fits in with what you're talking about there, the care factor of SMEs, but maybe more to a cert- certain level. And it's been a massive topic, I would say in Australia over the last few years, certainly in cyber security and the amount of conversations I've had, you know, around cyber security awareness training, behavior change, whatever you wanna call it. And, um, I think it's fair to say, actually, the problem is exactly what you've described with learning management systems, where a lot of, you know, security training is gimme, you know, gimme questions and they're very obvious answers, tick boxes. The compliance team get a, you know, 90% completion rate and everyone feels happy, but actually nothing changes. Um, so we know it's a problem, but if, like, if you had a, a magic wand, what, like what are the ways you go about tackling that problem of the, the human aspects of, of cyber security? What's the better way?
Michael McKinnon: [00:28:38] [laughs] The perennial. You know, so when we look at, uh, cybersecurity information security, there's a trump card that you can always apply that always wins in every risk-based scenario and it's called social engineering. It's we can always play the social engineering card and it's always going to win given the right context and the right scam. You can trick someone into doing something potentially. Right? Whereas, we could put, we can put technical controls and other controls around different parts of the business that will severely reduce, you know, that from occurring and, and sometimes can be really, really effective, but humans we're vulnerable. We're vulnerable, right? So this is, we have to acknowledge that, that there is this vulnerability that is always going to exist no matter how much we try and invest in, in security awareness and so forth.
Um, I deliver a lot of security awareness sessions with a lot of organizations and, um one of, a few of the slides that I leave into my presentations, which I'm still, I'm still continually shocked with the lack of basic knowledge that a lot of people still don't have. And I'll give you one example when you are on a mobile device, a tablet or a smartphone, and you, let's say you get an email from someone and the email has a link in the, in the text of the email that you can click on. Um, do you know... So it might say in the email, click here to see more or do this thing, do you know how to actually view where the link goes to? And this is a question I ask the, the, the students in the security awareness. Do you know what it is? I'm putting you on the spot now [inaudible 00:30:15]
Garrett O'Hara: [00:30:15] This is terribly embarrassing.
Michael McKinnon: [00:30:18] [laughs]
Garrett O'Hara: [00:30:18] Um, I- I- I suspect if you kind of hold your finger on the link then potentially it pops up some things or-
Michael McKinnon: [00:30:22] Spot on. Spot on. Okay, good. You've, you- you- you- you've redeemed yourself right there. Well done. Um-
Garrett O'Hara: [00:30:29] I should have said depends on what device.
Michael McKinnon: [00:30:30] ... [laughs] So look, on, on, on Android, iOS, all of the, all of those mobile devices, all you do is you press and hold your finger on the, on the screen, and it will pop up, um, some additional information that will show the link that that, that's going to send you to without actually visiting that web page. And you can also usually copy, uh, the link contents itself, you can sometimes add it to a reading list and those sorts of things. And I'm, I'm amazed that there are many... Just such a simple function that has existed from day dot in these smartphones and tablets and people still don't know that basic functionality, um, is quite extraordinary. And it just goes to the heart that most of us, when we're using technology, we just wanna get, we just wanna get our jobs done, right? And security, we don't need to, we don't want to click on links, we don't want to hover over things and see where they go. We just want to get our lives done online in the most easy way possible, but that's, that's, that's where we get exploited by the adversaries. That's what they take advantage of. They take advantage of the fact that we just want to, uh, build, um, a habit into the way we use technology and they're exploiting that anytime they can.
Garrett O'Hara: [00:31:48] Absolutely. It was a guess by the way. I feel like I, I have to own up. It will just kill me to pretend that I knew the answer to that one, but that's an absolutely top tip for people who didn't know and it sounds like many people don't. You've obviously got a very, very broad range of IT and security and management experience. What's the, what are the trends? Like where do you see cyber attacks heading in, you know, the next kind of few years or, or even decades out?
Michael McKinnon: [00:32:14] Hmm. I think I've been observing a trend that is now... Over the last few years, I've been observing a trend, which unfortunately now is becoming realized. And that is that, uh, well, let's, let's start from the basics. We know that IT is hard, right? Computers are hard. Security is harder. And the larger your business is the harder it, it gets, right? And then you start to have to introduce layers of governance and, and, and procedures and ways of, of auditing your effectiveness of security controls and things. So, so small business, it's pretty easy if you do some basic things, as the business gets larger and you end up as a, as a, with thousands of employees, you've now got thousands of points of entry into the business. So it's you have this notion of an attack surface which grows as the business grows as well, which you kind of have to deal with.
Um, so, so there's, there's just a lot of challenges, um, around how you deal with that, with that growth. Um, in terms of that trend, the problem is you then get this disconnect between the people running the business from the boardroom and the people who are tasked with configuring the Exchange server or, uh, making DNS record changes, or, um, m- making changes on a website or, or building an application or a core system or something like that in the IT environment. And so there's this disconnect often between what one part of the business thinks is happening and what the other part of the business is doing, or what even they think is happening. And the really unfortunate part is then as you have businesses moving into cloud environments, you have a situation where the configuration of those cloud environments is, is critical to the operation.
So what you could do when you had your on-premise equipment is you could pretty much get away with a pretty shoddy operation 'cause everything's kind of protected behind a firewall, it's in your own network. You don't have to worry too much. As soon as you put everything in the cloud, it's the configuration of that cloud environment that really governs how secure it is and also who has access to it. Um, so you've got challenges that exist there. Now, coming back to this trend, it's notion of like what we've seen happen is ransomware has really kicked up now in the last six months or so, um, because the attackers have gotten to a point where they can really abuse a situation of, of misconfiguration in many cases and sometimes it's just organizations not even patching or keeping some of their equipment up to date. And there's a, I think, vulnerability that's discovered, the attackers get in very easily, and these guys can sweep the internet and find vulnerable infrastructure pretty rapidly.
So they, the- the- there's lots of low-hanging fruit still out there, open for attack. And so as a business, you need to, you need to get moving on this pretty quickly and realize that if you don't, and, and if you look at the new stories of, of organizations, I mean, they're getting larger and larger. These organizations who are getting hit by this sort of activity. Um, more, more disturbingly, um, the trend that I would like to think isn't a trend, but is, [laughs] if you like, is a case that happened in the U.S. I'll give you, I'll cite a specific example, an organization called CWT, which is a travel organization that had a publicly announced, um, um, ransomware infection and they, this organization, so they're called CWT, they paid four and a half million US dollars in ransom after a ransomware case with the assurance from the criminals, that that data would be deleted permanently.
Now, what also happened as part of this case is that the negotiations between CWT and the, uh, ransomware criminals was held, was conducted, I think, on some sort of semi-public forum and someone stumbled across it and suddenly there's screenshots appearing on Twitter of this conversation between the, the, the victim company and the ransomware criminals, to the extent that it's like a business transaction, right? And so, you know, we've been resisting this for a very long time. We say, we say don't pay the ransom under any circumstances 'cause you motivate these criminals to do even more, but some businesses are finding themselves in a position where they're, they're paying. And they're, and, and disturbingly in a couple of recent examples, it almost seems like they're happy to pay. [laughs] You know, and then my, my question here is, has ransomware become a business service? Like is this the world we want to live in, or should we keep resisting these criminals, uh, as much as we can? And it's a disturbing prospect.
Garrett O'Hara: [00:37:15] It really is. And the monies changing hands are substantial, um, like dramatically increased over the last few years. And I've, I've watched a few of the recent cases, you know, there's the fitness company that, um, got popped a few weeks ago, the, um-
Michael McKinnon: [00:37:30] Mm-hmm [affirmative]
Garrett O'Hara: [00:37:32] ... Garmin breach, and, and there was questions around did they pay the ransom or not? And so I think it was something about one of the incident response. I think it was the third party came in and happens to know how to, you know, decrypt the data. And then there was questions around, well, was that a cover? And there's no comment on whether it was or not. It was, it was really just a conversation that I saw happening in, uh, I think, it was on LinkedIn, but then it was called out, that it's actually potentially illegal to pay the ransom-
Michael McKinnon: [00:37:56] Mm-hmm [affirmative]
Garrett O'Hara: [00:37:56] ... depending on where, you know, attribution goes. Mind-blowing, like the complexity involved-
Michael McKinnon: [00:38:02] Absolutely. I've, I've spoken to lawyers on this a number of times and, and I've, and I've, I was provided advice, and again, I'm not a lawyer, so I have to, you know, ask, ask lawyers, you know, "Wha- what's the real story here?" And I've been told exactly the same you have, that certainly under Australian law, there is, uh, some indication that paying the ransom is essentially being party to a crime. And, and so you don't wanna pay the ransom, right? And so when I've done incident response with, with my clients, and sometimes they've said to me, "Should I pay the ransom?" I'm just like, "You know what, don't involve me. I don't want to know. You do whatever you do. You deal with your lawyers on that." Um, now, I don't believe I've had any clients actually pay because we've always been able to work out some way of restoring their business back, um, to some reasonable shape in, in many cases. But, um, yeah, I mean, if you're facing a situation where you're going to go out of business, unless you pay this money and it's pretty much a given, then what other choice do you have? And I think that's really unfortunate. I think it's really sad that businesses find themselves in that predicament.
Garrett O'Hara: [00:39:08] Yeah, it is. It's an absolute shocker. Bruce Schneier talked about it. It's probably a couple of years ago, and I think it might actually be in one of the AISA conferences. And he talked about the critical infrastructure and, and watching how this stuff would start transitioning over to that and ransomware would become less, less about your laptop has been locked up, but more about those people sitting in an operating theater that-
Michael McKinnon: [00:39:29] Absolutely.
Garrett O'Hara: [00:39:30] ... essentially might not make it because if you don't pay the ransom it's life, it's not money. And that's a very different conversation.
Michael McKinnon: [00:39:36] Mm-hmm [affirmative] Mm-hmm [affirmative] Absolutely. Bruce Schneier talked a lot about cyber physical systems, the fact that we're seeing the trend of Internet of things, and we're seeing, you know, you're driving around in an electric car and it's got a, you know, a computer and it can run you off the road. And, you know, all these sorts of scary scenarios where suddenly we're interacting in our physical world a lot more with, with technology, uh, and then of course the dependencies that has. You know, that's really, um, an important way of, of understanding and looking at the problem too.
Garrett O'Hara: [00:40:05] Yeah. This is a rabbit hole I'd love to go down. I'm just looking at the clock. I'm going to mention one thing very briefly, which was there's a guy called Sean Carroll. He's a physicist at Caltech, but he has a podcast called Mindscape, and-
Michael McKinnon: [00:40:18] Mm-hmm [affirmative]
Garrett O'Hara: [00:40:18] ... but he had a guy who wrote a book on, uh, EVs, so kind of electric vehicles and, you know, what's the reality, where are they heading? And on the podcast, they were talking about, um, the ethical implications of, uh, EVs and automated driving specifically with the idea of what's the decision-making criteria if a car-
Michael McKinnon: [00:40:40] Mm-hmm [affirmative]
Garrett O'Hara: [00:40:40] ... uh, it's like the trolley problem, if you go this way-
Michael McKinnon: [00:40:42] Absolutely. [laughs]
Garrett O'Hara: [00:40:43] ... kill one person, or this way, you're going to kill five. And then they talk about the potential for almost heroic actions. So if you get AI to the point where they understand some of these threats to other people, is it okay for a self-driving vehicle to, you know, essentially-
Michael McKinnon: [00:40:58] Mm-hmm [affirmative]
Garrett O'Hara: [00:40:59] ... hurt or, um, kill a person who is potentially dangerous to [crosstalk 00:41:03]
Michael McKinnon: [00:41:03] Absolutely. I've, I've seen this, I've seen this, and I've had these sorts of discussions with my own friends about, well, you know, is the person who bought the expensive electric vehicle going to win out above the person who bought the budget electric vehicle model? You know, or, or maybe the person who pays more for their insurance is gonna, the car is gonna say, "Oh, well, this person, you know, can afford to live better than this person." You know, there, there's very interesting discussions that come about that. Just coming back to, um, what you were referring to with Bruce Schneier as well and, and sort of coming back to that trend as well with ransomware is that as, um, we see more cloud adoption, you know, it might not be the patient laying on the operating table and whatever, but it might be your organization's Microsoft 365 account gets hijacked and suddenly all of your SharePoint data gets encrypted or you know.
So I think we're lucky at the moment, we haven't, we've seen little sort of tiny examples of this maybe starting off, but my real concern is that we've often used the cloud as an excuse to move our stuff into what is perceived as a more secure environment. Will the threat actors get to a point where they become really good at cracking into those environments and how do we deal with that?
Garrett O'Hara: [00:42:17] And that's a huge problem. Like that's a seismic event, right? If, it something like 365 gets popped, um, yeah, it's not like-
Michael McKinnon: [00:42:25] Well, not even that, it might even be Microsoft themselves, but it might be the fact that they get hold of my global administrator account. Um, they're able to change, you know, lock me out and basically lock you out. You know, and then it's like, well, you know, can Microsoft help? Hopefully they can, but are there, are there other things that the threat actor could do to make my life really hard? Maybe I just wanna pay a small amount of money 'cause it's easier to pay them that than contact Microsoft and get the problem resolved.
Garrett O'Hara: [00:42:53] There may be a comment around, I'm gonna let that one go. Slide, slide straight past.
Michael McKinnon: [00:42:58] [laughs]
Garrett O'Hara: [00:42:58] Um, yeah. The, the other thing that you've probably seen is the evolution of ransomware. So it's not just locking files with the idea of leakware, and which is-
Michael McKinnon: [00:43:06] Yes, particularly.
Garrett O'Hara: [00:43:07] ... absolutely nefarious because your backups don't really have... If, if the issue is exfil and publishing of data, backups, great for operational recovery, but not a whole lot of help if it's gonna do that reputation damage, what are your thoughts there?
Michael McKinnon: [00:43:22] Yeah. So look, this has been really, I guess, the more disturbing trend of ransomware. We used to look at ransomware as a malware event. You know, we classify incidents and we say, well, ransomware, it's a malware infection. Um, you know, all they've done is, uh, you know, encrypted some files. We have some backups, we restore, we move on and we, and we lock them. We close the hole and, you know, job done, but now the ransomware criminals get in, they run some specific tools that actually now look for some chunks of data, maybe off a file server or something like that, some finance files, whatever they can find, exfiltrate those and keep a copy. And then in their ransom note, they say, not only have we now encrypted all of your files and locked you out of your, your servers, but we've also stolen some of your data and you're now facing a data breach.
So when we now classify a ransomware event, it's not just a malware infection, it's now a malware infection and a data breach. So we now got two things we have to deal with. And so this is, you know, this is what they're calling double extortion and it's hopefully to try and persuade you, you know, give you another reason why you need to pay them because now it's not just about, and that's that CWT example I referred to earlier that it's, it's not only did they get the ransomware, but they also got their data, some data stolen. And then they've got this issue of, well, I've then got to report this to the authorities. I've got to deal with all of the customers that may be affected by this, but if I can pay the criminal some money and they give me an assurance, like this is absurd. Can I really trust criminals if I pay them money? [laughs]
And this is what I'm saying, it's like a business transaction. And then we have to trust that they have actually deleted the stolen data and that they won't, it won't just resurface, you know, two years later. Uh, you know, really, is there any guarantee when you're dealing with someone anonymously that that's actually the case? Like this, this is where my mind is blowing around this, this sort of situation. Um, but that double extortion has, has really become the reality now, and if someone says to me, "Oh, yeah, look, it was just ransomware." There's no more, it was just ransomware. It's now ransomware and you probably are facing a data breach as well.
Garrett O'Hara: [00:45:27] And what happens? I mean you, who knows how good the data governance, uh, controls that the attackers have, how good they are. So if they get the data stolen from them, you know, there's nothing to say that, you know, whether they, even if they wanted to or not, somebody else has stolen the data depending on where they've stored it. So, uh, it's a nightmare.
Michael McKinnon: [00:45:48] Exactly. Right. And, and, and these ransomware groups often use very shady, um, file service, file sharing op- operations, where they know that they're dealing with some obscure file drop organization where they can publish the files. And you're absolutely right, you know, those, those operators behind those sites can sometimes be very shady as well. So there just are no guarantees in my opinion, that, that once the data leaves your network or the systems you have control of, you really are on very thin ice, in terms of, of a data breach. You've suffered a data breach, you've got to deal with the consequences.
Garrett O'Hara: [00:46:28] Yeah. And so I think this, I'm just looking at the clock, this is probably the last question I'll get to ask, but one of the, the things you talk about in your videos, but actually during the CISSP course, you had somebody, uh, who works in digital forensics come on and kind of explain the complexity-
Michael McKinnon: [00:46:44] Mm-hmm [affirmative]
Garrett O'Hara: [00:46:44] ... of what, you know, digital forensics, uh, actually looks like. And I'll be honest with you, that was such an eye-opener.
Michael McKinnon: [00:46:50] Mm-hmm [affirmative]
Garrett O'Hara: [00:46:50] Um, and I know you talk about this in, in one of your videos, when you're doing incident response. One of the things that people make mistakes on is actually destroying the evidence that would be required to, you know, sort of figure out what, what exactly happened. Um, what, can you kind of run us through that? And you know-
Michael McKinnon: [00:47:08] Sure.
Garrett O'Hara: [00:47:08] ... I see we've got very little time left, but I'm, I'm just very, very keen to hear your, your thoughts on that.
Michael McKinnon: [00:47:14] Yeah. Like I just said at the outset too, that, um, like forensic specialists, you know, I, I take my hat off. I mean, the- these people are amazing, their skills. I've worked with so- some really talented people, um, in that field and their ability to work in a very precise, very methodical manner, to step through an environment and step through an incident and collect the evidence that's needed, not only in a way that is relevant to the case, but also to be able to handle that evidence and keep a log and a record of how the evidence is kept so that if the case ever gets to court, they can stand up in a, in a witness box and say without a doubt that the evidence has been collected in a certain way that, you know, is just like, you know, there's so much integrity behind that whole process I really admire.
But the reason for getting the forensic specialist in- in- involved, of course, is that you might face, the company might face a situation where you do have to take something to court, or, uh, you know, you're able to take some legal action against who was responsible. And there've been some cases in Australia with some organizations who've had insiders do certain things and that's where you get involved in there. Um, our involvement with, um, well, my involvement with incident response, a lot of the case, a lot of the times is, um, if it's a ransomware criminal, we don't know where they are. They're probably, the- there's no question they're somewhere else in the world. We probably don't really have the time to chase them or to worry about going down that, that rabbit hole, um, but, um, those first few hours in an incident are absolutely critical.
And what happens is, um, I've had clients ring me a day later and say, "Oh yeah, we had some ransomware. We thought we could deal with it, uh, we now realize we can't. Can you help us?" And then I say, "Well, what have you done?" They said, "Oh, well, our Active Directory control, our Windows directory controller got, um, got, you know, CryptoLocker or it got, you know, encrypted and we couldn't do anything with it. So we deleted it and we rebuilt a new one." And then I'm like, "Well, hang on, what, what you deleted it? Do you have like even a backup copy before you deleted it?" "No, no. We just deleted it because we didn't have enough disc storage." And so this is quite a common scenario where the IT team jump in initially and they just wanna help. They just want to get... 'cause it's such an extreme scenario in terms of time pressure, you've got everyone in the business saying, "I can't log into my Windows workstation," and it's because this one server has been impacted or it might be, you know, soften up a handful of service.
And so it's really important that the right decisions are made at that, in those very early minutes and that you don't delete anything at all. You hang onto it. Even if you have to go to Officeworks and buy a hard disc and just plug it into a server and just, you know, copy stuff if you're running out of disc space. I mean, there's no excuse for running out of disc space in 2020, is there, right? So [laughs]
Garrett O'Hara: [00:50:11] There definitely is not. So what you've just described there really points to the importance of, of being prepared, right?
Michael McKinnon: [00:50:18] Hmm.
Garrett O'Hara: [00:50:18] So not kind of waiting for the things to happen and then trying to figure it out on the fly. And I know this is something else you have talked about, um-
Michael McKinnon: [00:50:25] Yeah. Absolutely.
Garrett O'Hara: [00:50:26] ... the, the importance of strategy before the thing happens, um-
Michael McKinnon: [00:50:29] Mm-hmm [affirmative]
Garrett O'Hara: [00:50:29] ... so that there is a, you know, decent incident response. What are the big gotchas there? And this is definitely the last question because I ran out of time and I've got to respect yours.
Michael McKinnon: [00:50:37] Well, I think the biggest, the biggest gotcha is, um, is people grossly underestimate the time it takes for a business to recover from, from these sorts of incidents.
Garrett O'Hara: [00:50:47] Yeah.
Michael McKinnon: [00:50:47] And often I'm dealing with the CEO or the CIO of an organization, and they're saying, "Oh, we've got this thing, but we should be up and running in a week or so." I'm like, "Well, do you know, do you know what systems are involved here? Um, do you know what the business impact is? Do you have any prioritized way of restoring those systems in a coordinated fashion that's, that's in alignment with the systems the business needs to have in order to keep operating properly?" And, and often they're like, "No." [laughs] It's like, "Well, you're looking at weeks, weeks of effort here to get this, this back up and running." You know, and I'm talking about organizations that might have sort of 500 plus staff kind of, of level. Um, yeah, it is, it is, you know, it's very easy, but you're talking about building an IT environment that has maybe been constructed over a number of years and within the space of maybe a couple of hours, it has been significantly disrupted. That's a situation that requires a lot of effort to get out of.
Garrett O'Hara: [00:51:51] So we've definitely hit time and I know we've hit the merest fraction or slather of the stories and the insights you have because I know, um, speaking as somebody who's listened to your voice for 30 hours, um, I know there's, there's lots more to, to mine and to well there, but really want to thank you, um, Michael. It's an absolute pleasure to have gotten to actually have a two way conversation [laughs] and-
Michael McKinnon: [00:52:14] [laughs] Thank you.
Garrett O'Hara: [00:52:14] ... uh, to, to get to ask you a bunch of questions. So really appreciate your time. And yeah, thanks for joining us today.
Michael McKinnon: [00:52:21] No problem at all. Thanks so much for having me on. It's a pleasure.
Garrett O'Hara: [00:52:30] Huge thanks again to Michael for the insights and for his time. It was a real pleasure to speak to him during that interview. That AusCERT plenary I mentioned in the intro is on YouTube, just search for The CISO and the Gunslinger with AusCERT and it's a really excellent talk. As always thank you for listening to The Get Cyber Resilient podcast. The back catalog grows every week, so do dip into those, and also subscribe, like, share, let your friends know, and let us know of people you want interviewed or topics that you want us to cover for. For now, keep safe and I look forward to catching you on the next episode.