• Profile picture for user Garrett O'Hara

    Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

    Comments:0

    Add comment
Garrett O'Hara

The Get Cyber Resilient Show Episode #25

Content

Gar O’Hara is back again with Dan McDermott and Bradley Sing for the July monthly roundup episode. Brad and Dan discuss the latest in cyber security news including Cosmic Lynx, tax time ATO scams, Australia’s ranking on the most hacked countries list, and WA’s pager system exposure. Then Dan and Gar take some time to dive into detail on the biggest news story of this month, the Twitter profiles hack.

Content

The Get Cyber Resilient Show Episode #25 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient Podcast. I'm Gar O'Hara, and today is our monthly news roundup. Cohost, Dan McDermott will take us through the episode, and as is tradition, he and I start with some reflections on our guests, and our learnings from each interview this month. Regular guest Bradley Singh then joins Dan to cover the latest news, where they talk about Cosmic Lynx. And that's an interesting step change in the world of business email compromise.

Some new flavors of strategies in the attacks there, and some pretty hefty ransoms being chases. The ATO scams, yes, it is that time of year, and as sure as death and taxes are the scams that come at tax times. The guys run us through what they're seeing this year. Then we have Australia's ranking highly on the list, you probably want to rank highly on. The Center for Strategic and International Studies looked at the most hacked countries, with Australia coming in joint sixth place. And the WA had the content of its pager system exposed by a person under 16, so that was a bit of a horror story which the guys will talk us through.

And then we finish out the episode with Dan and I covering the big Twitter story which hit the news mid-July. Outside the attack, it's obviously worrying given what Twitter has become, which is really a utility for communications, and also given who uses it to communicate. So, over to the episode, and please enjoy.

Daniel McDermott: [00:01:24] Hi Brad, welcome back to the Get Cyber Resilient show. Um, our opportunity to review the month that was, of July, in the world of, uh, cyber in Australia and New Zealand. Welcome back to the show.

Bradley Singh: [00:01:35] Thanks for having me, Dan.

Daniel McDermott: [00:01:37] Not a problem. It's, uh, I thought we'd start this month by looking at a high profile attack that's been in the news lately. Um, a Russian based cyber gang called Cosmic Lynx, who have, uh, targeted many multi-national organizations across a number of countries, um, using business email compromise. What can you tell us about Cosmic Lynx, and their, their attacks?

Bradley Singh: [00:01:58] Yeah, yeah, Dan, Cosmic Lynx, it's definitely been a name which has been making the news recently. Um, and I hadn't actually heard anything about them until, well, this recent news story. Um, interesting thing about the group, is they're based out of Russia, which we know. Um, the employ a, quite a common tactic which is utilizing impersonation emails, of BEC fraud as it's more commonly known.

Now, there's nothing new about impersonation emails, or effectively pretending to be someone important and asking for payment. I think we've seen heaps of examples of hackers utilizing free-mail providers, usually after small forms of payment, uh, maybe iTunes gift cards. I think the, I believe the average sum of, of, uh, of money that hackers are after is about 55000 dollars, for your average BEC fraud.

The interesting thing about the Cosmic Lynx scales, or so, campaign, I, I guess I should say, is that they were targeting, um, well, the average dollar amount was 1.27 million. Um, so we're talking a large amount, like, a large, large, larger amounts of money. But also, in terms of the, the profile, um, of the victims, as well, we're not small, talking small eCommerce websites, or small businesses. We're talking large multi-national organizations, that probably more so fit into your Fortune 500, or potentially even the global 2000 category.

Daniel McDermott: [00:03:13] And, how is that they, uh, what were they doing that made this attack, I guess, rather unique and, and seems to be quite successful?

Bradley Singh: [00:03:22] Well, there's a few things there, right? So you've got the one fact, where email by itself is not secure, right? So, um, it's very easy to effectively impersonate or spoof, or pretend to be someone. So in terms of fixing that, we came out with things like SPF, DKIM and DMARC. Now it's a great standard which a lot of companies around the world use, and I think, uh, all, all agencies in America, as in federal agencies in America, as a standard, have to use it.

And DMARC an option, is something that we, we talk about a lot, and, and that we're trying to push. But the interesting thing about these organisations is, they weren't using DMARC. So the fact is that they're not using the standard around traditional email security, um, effectively means they're open to this type of spoofing. But then when we look at the attacks themselves, it's impersonation attack or BEC fraud on steroid. Because you've got one company which is effectively, uh, pretending to be, which is the initial company, saying hey, we want to engage in some type of MNA, mergers, merger and acquisition, which is very common in multinationals, right?

Um, what they then do, is they then direct the victim company to talk to, um, their external council. And that external council happens to be a very well known law brand, or identity. Um, someone with a good reputation, but also happens to be the hacker as well. So, I mean, it makes sense, right? If the first stage of impersonation or BEC fraud was, we'll start with, um, impersonating one person, why not impersonate two, three, five, six seven? Like, where does it stop?

Daniel McDermott: [00:04:46] And this notion of sort of duel impersonation, or multiple impersonations. Is this something new, or something that we've seen before?

Bradley Singh: [00:04:52] I don't think it's, like, the concept is definitely existed, and, and it goes to I, just social engineering as a whole, and, and the evolution we've seen is that, in the industry. And, if we think about the, the Russians, and in terms of how them as I guess, a, a group of hackers, or, or, or, the way they've hacked in the past, they've traditionally relied on malware campaigns, large amount of virus signatures. Like, they're very traditional kind of, let's, hey, let's automate stuff, script [inaudible 00:05:21], send it out on mass.

But this is an attack where they've done a very, like, lots on research onto the targets. Um, they've used social engineering to, to, you know, get large amounts of money, including Australian businesses, as well. I'll have you, have you know, sorry, keep that in mind [laughs]. Um, but if, if we think about, I guess, the Russians, and, or not even the Russians as a whole, but countries these days, and how they influence politics via social platforms, potentially interfering with elections as an example. Maybe the success we've seen influence, of, of nations influencing social platforms is now starting to translate in terms of how they make money via hacking, or gaining lots of funds.

Daniel McDermott: [00:06:00] Yeah, it's certainly, uh, a lot of research and time has gone into it, and, uh, and obviously a, you know, from their perspective, it's, it's paid dividends. But, we certainly hope that, uh, we're able to, you know, stay protected, um, and not fall victim, um, for local companies, you know, making the headlines for the wrong reason of, uh, of falling for this. But certainly some good advice there, on around, how do we, uh, how do we protect ourselves and, and up level our, I guess our cybersecurity approaches, and use the standards that are available in order to, uh, in order to look to stopping some of these.

The next item I thought we'd, uh, talk about, is, we've obviously, we've gone into July, ended one financial year and into the new one. Um, so it's, it's tax season, um, has started. And the, and the scammers are, are out on force. Um, what can you tell us about sort of the scams that, that are happening at the moment, targeting people around tax time?

Bradley Singh: [00:06:52] Tax time, like you said, Dan, it's tax time, scam time. Um, it's that time of year where we have to go and do our taxes, which reminds me, I have to do mine, probably last years, as well, but that's a separate, separate matter. Um, uh, it's the time of year when we're, we're going online, and we're going to MyGov, we're interacting with that. And hackers are crafting a bunch of fake websites out there, and targeting Australians.

But what's significant about this, is that this is also, I think, the first time we've ever had this many Australians try to access critical services over the internet. Um, we used to, we saw the lines at Centerlink at, at the start of the pandemic. Um, obviously now it's, you know, we're, I'm based in Melbourne, you're based in Melbourne Dan, like we can't go outside, if we need access to a, essential services, or sorry, critical services provided by the government. We have to do it via MyGov.

And what I think is really unfortunate about this, as well, is that the, the people it's targeting are the most vulnerable. They're the people who have lost their jobs recently-

Daniel McDermott: [00:07:45] Mm-hmm [affirmative].

Bradley Singh: [00:07:45] Or, you know, they're out of employment. And they're trying to get access to, uh, you know, public services. So, it's really unfortunate. I just, you know, for anyone listening there, just, you know, just be visible for this stuff. Um, it seems very obvious to us, but I think, um, it is something which is an also very unfortunately, you know, can be successful a lot of the times, and you might also not know the consequences of, of falling victim to one of these scams, until a lot later.

Because it might not always de-, uh, lead to direct financial loss straight away. bUt it could lead to identity theft, or fraud down, down, down the line, which will just cause you problems.

Daniel McDermott: [00:08:19] Mm-hmm [affirmative]. Yeah, very good point. And it's also, they use multiple sort of communication channels, right? I mean, we see the emails obviously coming through. There's SMSs. Um, they even, you know, try, you know, calling you over the phone, and try to get your information that way. So, uh, you've got to be away, I guess, on all fronts on this one, as well. Um, because it seems pretty unrelenting for a period of time, like you say, during this sort of, uh, tax season.

Bradley Singh: [00:08:44] I nearly, nearly picked up for one the other day. Like, you know, we're all working from home. I've got an authenticator for every single application for work, personal use, and, and, you know. So I'm logging into VPNs, I'm interacting with my phone, clicking on things. And I, I got something about a, a power bill from Origin. And I literally nearly clicked it. And you know, I'm someone who I believe, you know, I, I like to think I practice pretty good cybersecurity in general-

Daniel McDermott: [00:09:05] [laughs].

Bradley Singh: [00:09:05] But, when we're all sitting there, and we have information flying at us from different directions, it can be very easy to fall for, for one of these attacks.

Daniel McDermott: [00:09:14] Mm-hmm [affirmative], yeah. No, it's definitely one to be on the lookout for, for sure. And I think one of the other things that we've seen, uh, recently, was a study by, uh, the Center for Strategic and International Studies. Um, released a report around countries, and who's been the most attacked countries, um, in the last sort of 15 years. And um, and well done to us, we are, we ranked sixth on, in the, in the world scale. So uh, what can you tell us of how, like, being sixth on the list of, uh, most attacked nations in the world?

Bradley Singh: [00:09:47] Well, it's certainly something to be proud of, I guess. We're right up there with, uh, the Ukraine, which is a country going through civil war. Iran's just below us, as well, which has, uh, suffered quite a lot of, uh, large scale attacks due to, um, their nuclear program. So, I'd say number six is a, is a good effort for Australia.

Daniel McDermott: [00:10:05] It is, uh, it's incredibly high, really, when you do consider I guess, you know, um, you know, where we would probably consider ourselves on the global scale on, in other factors. Um, why do you think it is that, like, we are so heavily targeted?

Bradley Singh: [00:10:19] Well, there's a few things there, right? So, I think Australia, as a whole, we've got very, we're a very developed economy. Uh, and we've got a very high GDP. Um, great infrastructure, there's a lot of good things going for Australia, which also makes us a very high value target, as well. Um, you've also got, um, I guess a lot of different political factors, uh, at play as well, in terms of, of who we align to.

Um, and there, the report itself, uh, that you're referring to, um, the one for the Center for Strategic and International Studies, it's actually a recurring kind of thing they've been doing since 2006, where they effectively just log all large known cybersecurity incidents, uh, related to nation states. Um, and it's really interesting, because you know, Australia's been on the receiving and the offensive side, in, in, in this report as well, which is, you know, absolutely fascinating.

Um, but what I think we're starting to see, is that a continued attack against Australia, and some of the ones in there highlighted, are the Australian National University breach, which we saw, um, towards the kind of uh, tail end of last year. Uh, as well as some of the more high, high profile breaches, as well.

Daniel McDermott: [00:11:25] Yes, and I think, uh, it all ties in I guess to, you know, the, the government's announcement and plans from over the last month, regarding, you know, the attacks on critical infrastructure, um, on government assets, um, and how we do need to bolster our, our cybersecurity as a nation overall. And I think this just speaks volumes to that, that this clearly highlights that, you know, if we are that highly ranked, we are that targeted, um, we need to ensure that we're doing our part to, uh, to protect our businesses, protect our government and our citizens. Otherwise, uh, these things will continue to occur, and you know, we certainly don't want to go up the scale.

Um, we're not looking for a podium finish on this one, that's for sure.

Bradley Singh: [00:12:01] [laughs]. We definitely, we definitely, definitely don't want to be number one. And I guess just, just on that as well, like, the, the, the stance from the government in terms of, you know announcing extra cybersecurity funding. Like, I guess this is kind of the, the evidence if you will, in terms of why it's such a big thing. Um, but look, I think, I think watch this space. Like, I was reading a news article today of, um, the HMAS Canberra, which is our flagship, um, aircraft pseudo-helicopter, um, of the, the Royal Australian Navy. And it, you know, all this skirmish with this, um, Chinese Navy frigates.

But, I think it's, uh, safe to say, based on this report, that you know, there is another greater cyber warfare going on, uh, just one we can't see as easy.

Daniel McDermott: [00:12:41] Hmm. Very true. And in this time of uh, of the pandemic that we're, we're living through, um, we have all become very aware I guess of, of health records, and health information and that. And unfortunately we saw, uh, recently in Western Australia, that, uh, a teenager hacked into, of all things, a pager system. Um, and, and actually was able to intercept confidential health department records, and way able to then publish this online.

Um, what can you tell us about, uh, this teenager in the west hacking a pager system?

Bradley Singh: [00:13:15] I think first off, let's just, um, talk about the, the teenager. That's um, that's a, that's a very interesting effort, uh, in terms of, I guess, him. And it was a really interesting in terms of the response. So the police were involved. I don't believe any charged have been laid, or anything to that effect. I don't think any confidential or sensitive information was allegedly misused. Um, but in terms of the individual themselves, like, the ability I guess for a young person to go online, and effectively break into what should be a secure network, and a bunch of confidential information is, it's not a story we, we [laughs], unfortunately, or fortunately, it's a story we've heard many times.

And it's been the origins of, of many of, many great people in technology these days, themselves. So, I mean, probably not the good, the, the correct method in terms of, um, going about that type of penetration testing, if you will. Um, but I'd say if, if that, you know, that, that young Australian wants a career in cybersecurity one day, if they, um [laughs], they go by the correct route, um, they'd definitely have a, have a future.

Daniel McDermott: [00:14:14] Yeah, for sure. I think that's right. Uh, it's certainly one, one to keep an eye on, if we can get their ethics right from a, uh, from a, from a skill shortage and skill perspective.

Bradley Singh: [00:14:24] But in terms of the, the actual hack itself. So pagers, like, I, you know, you kind of introduced it with pagers. And I was thinking to myself, why, why do they use pagers? Like, isn't pagers an antiquated technology, something we've been using, you know, for over 30 years, or we shouldn't use anymore. But I found out that pagers are still quite heavily used in hospitals. Did you, did you know that, Dan?

Daniel McDermott: [00:14:44] It is something that is used across sort of yeah, different, different, uh, health departments. And, uh, and even in sort of, um, protecting sort of vulnerable, um, citizens, and services and that type of thing, as well. Um, yeah, it's, it's amazing that it continues to be used. You sort of think it is something that, uh, sort of maybe died off in the 90s.

Bradley Singh: [00:15:04] Well the reason is they can't get rid of it, apparently. So, it's very hard. So, which, effectively, because of all the, the medical imaging and scanning equipment, you just can't use a cell phone effectively in a hospital. So, for a doctor to get a message out to all their staff, if there's, you know, we need to get to this theater operating room one, or, emergency section two. Um, pagers is what they've been using for, for, forever.

Um, and there is talk about moving to more secure messaging apps, and the really interesting thing about this breach as well, is that, if we think about WA Health, who they are, they're a government department of 44000. Um, they actually, they're, they're, they're the largest, um [laughs], the largest single health authority by area, just given the nature and size of Western Australia, as well.

Daniel McDermott: [00:15:46] Mm-hmm [affirmative].

Bradley Singh: [00:15:46] So they're a very large enterprise organization, if you will. They've been relying on this deprecated pages service which Vodafone have been offering for a very long time. Even Vodafone recommended they get off of it. Um, but it just kind of goes, goes to show though, I guess the reliance on technology and old processes that a lot of businesses, you know, still have.

Daniel McDermott: [00:16:06] And I think that's the thing. Using, you know, as we layer in technology over the years, right, and how our networks, our systems become more and more complicated. Um, but they can leave, you know, vulnerabilities from, you know, those past sort of technologies that are still there, and critical, as you say, as part of delivering services. And certainly I think we've all, uh, we've all watched, uh, ER, or similar shows, where uh, the pager goes off, and uh, and everyone has to, uh, rush to theater. So it's, um, it, we certainly see it through, uh, through, I guess popular media, as well.

Bradley Singh: [00:16:37] Well, what's going to be in a pager anyway? Like, I was thinking about it. So it, I looked it up. You can only have 16 numbers, or 128 characters, depending on what type of pager you have. So I can't really think of what information would be, would be leaked in there.

Daniel McDermott: [00:16:52] Yeah, it's, the old, the old, uh, the old way of doing Twitter. Um, yeah, smaller base-

Bradley Singh: [00:17:00] [laughs].

Daniel McDermott: [00:17:01] So. Terrific, well, uh, thanks Brad, I think that covers, uh, the month in July, in terms of the review, um, and really looking back across what's occurred from, from the, our Russian gang, um, through to the tax scams, um, our, our rise in, in, up the ranks of being a, an attacked nation, and you know, ending on that, uh, the health record data breach, uh, from the teenager in WA. So, uh, thanks for covering all of that. Look forward to, uh, speaking again, um, in a few weeks time, when we, um, when we go live with the Get Cyber Resilient, um, on the 18th of April. So, uh, look forward to uh, having you part of that then.

Bradley Singh: [00:17:42] Thanks for having me, Dan.

Daniel McDermott: [00:17:47] Hey Gar, uh, thanks for having me back on the Get Cyber Resilient show. Uh, terrific to be able to look back at the guests you've had on the show over the past month. Um, yet again, a, a A-list set of, uh, of people that you've interviewed.

Garrett O'Hara: [00:18:02] Yeah, I always feel, uh, lucky, is probably the word that pops into my head, when I think about it. Um, just the, the openness that people are giving their time, and as you say, they're um, yeah, there's some pretty interesting characters, and, and doing interesting and important things in cybersecurity. So, yeah, I think it's been a pretty good month.

Daniel McDermott: [00:18:18] Definitely. You started off the month with, uh, Prescott Pym from Verizon. Uh, and looking at their data breach report, I think that, you know, there's a lot of these reports available in the market now. Um, us at Mimecast produced one, the CrowdStrike one that you covered recently as well. But, I'd say the, the seminal report and, you know, the one that's probably been the most longstanding is the Verizon data breach report. What were you able to cover with Prescott from that?

Garrett O'Hara: [00:18:45] Yeah, it's, so it's a pretty hectic report, right? It's 119 pages, so the, the reality is that we, we barely skimmed the treetops of it. And, um, and even then, I think it was pretty in-, interesting conversation. Um, it's, it's the 13th year of that report, and you know, as you said, it's the one that I think there's barely a cybersecurity talk that goes by where at least one staff from the DBIR isn't on a screen, or part of a chart, or something.

Daniel McDermott: [00:19:09] Mm-hmm [affirmative].

Garrett O'Hara: [00:19:09] So, uh, it's got that kind of, uh, yeah. It's got that kind of pedigree in the cybersecurity industry.

Daniel McDermott: [00:19:14] Mm-hmm [affirmative].

Garrett O'Hara: [00:19:15] Um, interestingly, this year, we've got, um, the AFP and the Government of Victoria contributing, which I think is a kind of a nice evolution. And um, and look, Prescott is, you know, he's a pretty seasoned veteran of the cybersecurity world. He runs the, uh, stock for Verizon, and kind of looks after a lot of governments, but kind of other, kind of customers here in the APAC region.

Um, and they actively use the data out of the reports, um, for their operations. Um, lots, lots of kind of interesting little points in there. You know, things that, to be honest with you, I, I was surprised by. Um, things around the location of attackers versus the attackee-

Daniel McDermott: [00:19:49] Mm-hmm [affirmative].

Garrett O'Hara: [00:19:50] And how often that actually is in the same country. You know, and when I think of attackers, I'm, you know, I'm guilty of the program that happens in our industry, where you know, I picture the faceless hoodie person in a basement in some exotic country. But actually, um, you know, the report actually point out that it's, it's quite often in the same country, and it's probably much more boring. They're probably sitting in a local coffee shop, and looking exactly like we do. And so, yeah.

Daniel McDermott: [00:20:12] [laughs].

Garrett O'Hara: [00:20:12] That was interesting. And, um, things of, you know, and we, look, we talk about this in the industry, how often, you know, everyone's looking for the crazy exciting new thing. But actually, quite often what it is, is the tried and trust methods that just work, and they're vanilla. You know, they're bread and butter but actually, they just, they work consistently. So that's what the attackers go for, and the report data definitely seemed to reflect that.

Um, and there's a really nice breakout for APAC data as well. So, highly recommend, um, although you don't need to say that in cybersecurity, right? You don't, no-one recommends looking at the DBIR, everyone does it anyway. But um, yeah, it's, it's a cracking report, and uh, I think the episode, or for me, anyway, I'm always looking for ways to, uh, quickly digest a lot of information. So for me, it was a good way to talk to Prescott and just get it straight from him. You know, what's the stuff of the report that we need to know?

Daniel McDermott: [00:21:01] Yeah. Definitely. And uh, and after Prescott, uh, we moved onto having, uh, Chirag Joshi join, uh, the podcast. And Chirag, uh, great guy, um, and uh, has, you know, recently, uh, moved, uh, onto AMP, um, to lead their, their cybersecurity, uh, practice. Um, we wish him all the best with that. But he's, uh, you know, he's really taken to heart around, sort of the notion of driving awareness and, and behavioral change, um, in organizations. And how, you know, it really is the human factor that, uh, that needs to be addressed. And as that last line of defense, and is the critical, you know, I guess factor in being able to, you know, create better defense and security practices.

He's gone to the extent of writing a book around the seven rules to influence behavior and win at cybersecurity awareness. Um, what did you, what did you learn from your conversation with Chirag?

Garrett O'Hara: [00:21:56] Yeah, he, he's an energetic guy is the, the main thing about Chirag. And I think it's infectious. Like, he's a really into what he does-

Daniel McDermott: [00:22:02] Mm-hmm [affirmative].

Garrett O'Hara: [00:22:02] And it's reflected in the writing. Um, you know, if, if you read the book, which is pretty solid, and uh, also, you know, how he kind of, kind of talks through these things. And I met him years ago, actually, at a, a conference. We ended up chatting after I think I'd given a talk. And um, you know, that, that thing where you're just having a yarn with somebody afterwards. And you're just a really, as you say, like, he's just a very sort of switched on, sharp guy, really interesting.

And, um, and he's one of those guys who, who do that rare thing, or maybe not so rare in cybersecurity. But they, they manage to have a foot in the sort of heavily technical, you know, detailed understanding of what the, this, the, the, you know, what makes the sausages. And, but also then is able to kind of straddle into the, the human side of things, and understanding some of that psychology and behavioral change stuff, which has become critical in awareness training or cybersecurity awareness behavior change, whatever way you want to call it.

Um, and we talked through a lot of stuff. You know, for him, um, he's obviously written, he's written the book on, um, you know, how to influence cyber, uh, security behaviors.

Daniel McDermott: [00:23:01] Mm-hmm [affirmative].

Garrett O'Hara: [00:23:01] So, you know, there's a lot in there. And things like, you know, the reliance on bad news, which, you know, I think you and I have talked about, and you know, that, it sort of doesn't work. You need to, you know, use positive motivators, find out, um, you know, what are the, the positive buttons you can push with people to really kind of influence and change behavior. Um, things like the importance of context, the allies in the organization.

And I think that was a really interesting one, because quite often we just think about, um, well, certainly now I think about it, we programs for awareness training in isolation. Almost a silo of entities that run in and of themselves. But actually need buy-in from lots of different parts of the organization, and allies within the org, to make those things work. So he was pretty good at calling that out.

Um, he actually call back to the, you know the smart goal approach from the, uh, I think I mean, it must be around from the, like, the early 80s. You know, everybody knows it. Um, but it overlays actually quite well with cyber awareness. And he called that out as well. So that, that kind of stuff. Um, and things like persistence and consistence, um, in terms of the, the programs.

You know, they need to be persistent, in that you're not going to run out one video or run one sort instruct, uh, instructural ed training session, and then you know, magically everything's better. Um, it needs to be persistent, and it needs to be consistent in messaging with the context of the organization taken into account, with the, and with the support of, of senior management.

So it's all like, a really rich conversation in my minds, um, on something that's, uh, it's just so topical. I think everybody we talk to at the moment has some interest in how do I fix this problem of the end users?

Daniel McDermott: [00:24:32] Mm-hmm [affirmative]. Yeah, and like you say, I think his advice, the, the book, and the way that he sort of presents on it is fantastic. And, um, that is quite inspiring to sort of think through that, and, and really does I think address the issue of it being cultural change. And that's where, you know, those champions and everything else has to come into it. It's not just, it's not just awareness, and it's not just the training, right? It is actually changing behavior, is the hard part, um, and that takes, you know, many efforts over a long period of time to do that.

And I think, you know, he sums that up in spades, which is great. The last guest for this month was, uh, was from NetScope, Mike Ferguson, um, that you had a, a chat to, um, around creating a sassy cybersecurity organization. Um, sassy, that sounds pretty interesting.

Garrett O'Hara: [00:25:19] Yeah, it, it, it is. Um, I'll, look, I'll be honest with you. It's, it's been one of those ones that for me, has been pretty confusing. I, I had a chat with [inaudible 00:25:26] analyst, it's a couple of years ago actually. And, um, in, you know, the one to ones that we do. Um, actually I think you were there. I think you were actually a part of that conversation and you probably remember this, you know, the guy mentioning sassy. And I think you and I looked at each other and kind of went, what?

Daniel McDermott: [00:25:38] [laughs].

Garrett O'Hara: [00:25:38] Um, is this guy making a pass at us, or what, I mean, you know, what's going on here? Um, but he went on to explain this idea of secure access service edge, you know, to give it its, its full title. So it's, you know, SASE. And I'll be honest with you, it's one of those ideas or concepts that, it's kind of been batting around in the back of my head, and uh, talking to Mike, who I've known for years. I, you know, he's a, actually a personal friend outside of the cyber world.

And I knew him before either of us were, were doing what we do. Um, or Fergo is actually how, you know, he's, he's better known, certainly in the cybersecurity industry.

Daniel McDermott: [00:26:10] [laughs].

Garrett O'Hara: [00:26:10] Um, but it was, it was actually great to sit down with somebody from a company like NetScope, and um, talk through this stuff. Mike, uh, for those who are listening, does great explainer videos on LinkedIn, um, that breaks down the ideas and the concepts of SASE in a, a pretty, for me, anyway, was an easy to consume way. I actually watched a bunch of his videos before we, we did the interview.

Um, but it's a really big concept. And, um, actually Tom Cross, who's the CTO over at OPAC, you know, for me was one of the better descriptions. Which is, it's the idea that security comes through the traffic, rather than the traffic going to security. Um, so yeah, Mike, um, really got into it. You know, it's a big idea, a lot of different moving parts. Um, what we kind of tried to focus on, was some of the material outcomes for a business, uh, rather than just the technical stuff.

Um, like the explanation of what actually SASE is beyond it being a guarder term-

Daniel McDermott: [00:27:01] Mm-hmm [affirmative].

Garrett O'Hara: [00:27:01] Um, some of the interesting stuff to me was, cannibalizing the performance uptick that you can get with a SASE architecture, and then using that as a way to apply security to, uh, applications, and, and traffic. And we, we used this, uh, the analogy of, if you're going to the pub, and you're getting an Uber versus, um, getting public transport. You know, if you get the Uber, you get more time at the pub to have, like, really lovely cocktails and beers, versus you know, if the traffic is slow, uh, you're getting a, getting a bus then a ferry and a train. You've got less time at the pub, so less time to actually do the cool stuff.

And, and that's kind of how I started thinking about, um, some of the stuff that you could get from a SASE approach. But you know, it's all about performance, protection, um, and I think particularly pertinent giving, uh, you know, the COVID world that we're living in at the moment, the massive transformations and move into, uh, cloud first architectures, and, and securing traffic.

Um, uh, you know, as in, bringing in security to the traffic rather than the other way around, which I think presents problems when you're not, uh, in a perimeter based security model anymore.

Daniel McDermott: [00:28:08] Mm-hmm [affirmative]. No, definitely a big concept, and uh, certainly, uh, you know, part of that was ringing very true on uh, being based in Melbourne, and in lockdown 2.0. Uh, going to the pub is just a pipe dream at the moment, so, uh-

Garrett O'Hara: [00:28:20] [laughs]. Yeah.

Daniel McDermott: [00:28:22] Unfortunately it's something we can't partake in. But um, I think again, it's just you know, thanks to, to all the guests. Um, they add so much value, um, and share so openly with us, uh, what their, what their thoughts are, and what they're seeing across the industry. Um, and hopefully everybody finds that really educational. And again, looking forward to some exciting guests coming up, uh, for August as well. Which uh, which will be great. So, uh, thanks again, Gar, and um, we'll speak shortly.

Uh, Gar thought we end at this month's, uh, conversation, looking at probably the most high profile attack of recent times. Um, that of being the, the Twitter hack. What can you tell us about what's going on here, and the impersonation of, uh, some well known people?

Garrett O'Hara: [00:29:06] Oo, yeah, this is a whopper. Um, you know, you always know it's big when it's, it's the story that hits the mainstream media before it hits the cybersecurity media [laughs].

Daniel McDermott: [00:29:15] [laughs].

Garrett O'Hara: [00:29:15] And, uh, uh, that was definitely the case here. Um, and big names, right? You know, it's Joe Biden, um, President Barack Obama, uh, Bill Gates. Elon Musk was the first one to get popped. Um, I mean, he had the honor of seeing Kanye West and, uh, guys like that also get, uh, get their accounts taken over. Um, pretty hectic. I mean, the, the interesting thing is that the attack netted the, the attackers less than 120 grand. So, it wasn't really that lucrative. Um, but I suspect maybe that wasn't the, the motivation.

I think the big thing for me is, the questions, the huge questions this rages around, um, uh, what, what sort of Twitter is. And maybe Facebook to a certain extent, you know, what they have become, uh, which is really utilities for communication. Um, and they're private enterprises, they're private companies, but they're in this weird position where their, their platforms have a correct effect on the resilience of nations, of, you know, political systems and potentially of companies.

Um, you know, if you think about what was done here, um, and if I'm an organization and I'm looking at resilience, outside just, you know, we talk about cybersecurity a lot, but outside of that. You know, this, this sort of organizational resilience. If, um, you know, Elon Musk's account got hacked. Um, but it could have been anybody. If I'm an attacker, and I, I sort of flew a little bit lower and slower, what's to say I don't buy a bunch of stock in, in one of these companies, and send out a, you know, an inflammatory tweet. Something that's going to spiral the stock price down.

And, um, you know, if I've short sold, or I've got short contracts and that, I've, you know, sent to make a ton of money. Or vice-versa. I might make a tweet that says something really positive, that sends the, the stock in a different direction. Um, so there, there's a whole heap of things here that would have me worried. And, one of them is the, um, look, in, in sort of security operations there's a very basic concept, which is the separation of duties.

So it's the idea that, um, a single person shouldn't really be able to do, you know, an, an action, or do anything that puts a company or data at risk in a, in a meaningful way. And in this case, I'm not saying that there wasn't that in place, because there could have been. Um, but something's gone dramatically wrong. You know, if you see those accounts being taken over in the way they were, and um, it, it turns out it was basically what seems like internal tools for the, what they call the OG accounts, the, you know, those original accounts that people got before Twitter became what Twitter is today.

Daniel McDermott: [00:31:44] [laughs].

Garrett O'Hara: [00:31:44] Um, so you know, being able to transfer those. You need the tools to be able to do those transfers, um, and you need tools to be able to manage, you know, at a, at a platform level, accounts that are belonging to Elon Musk or Bill Gates, or Michael Bloomberg, et cetera. Um, but the questions then arise, you, like, what are the implications there? You've got a tool that is essentially used as a communications platform by people like Trump.

The, you know, the, the, the implications to society is resilience, to organizational resilience, are pretty big in my, my opinion. Like, it's a, it goes beyond the cybersecurity. It's hacking into something that, you know, it, it should be a concern for societies, I would say. And you know, that has been raised I believe by some of the politicians over in the US. So, yeah, interesting to see where this one goes.

Daniel McDermott: [00:32:32] Yeah, and uh, what's your take on it being, you know, was it a malicious insider? What, you know, was it somebody on the inside that's, you know, really orchestrated this?

Garrett O'Hara: [00:32:43] So, according to Twitter, um, it was actually social engineering that happens for multiple people. And you know, that, that potentially could be lots of different things. You know, they, the term social engineering is so broad. You know, is that an email that was socially engineered to send into, you know, to sent into a couple of, I don't know what they call, tweetees, or tweeters, or whatever the employees of, uh, of Twitter are called.

Daniel McDermott: [00:33:05] [laughs].

Garrett O'Hara: [00:33:06] Um, but, you know, is that, if that's a way where they can short circuit the potential separation of duties by socially engineering attacks on two people, so that they kind of get around that separation. Like, that's, that's a concern I would say, straight away. But it sounds like it was maybe, um, not, uh, I don't know the answer. Whether it was a, you know, a deliberate thing from an insider, or they were socially engineered, I, from what Twitter says, it's the second one. That you know, essentially the way in was through employees, but through social engineering.

So, um, you know, malicious attack, but the, the conduit, or the way in was the, the um, the employees. But they, the, it's their second time around. You know, 2017, you saw that, um, you know, it's the contractor, uh, I think on their last day. Uh, they popped, uh, Trump's account, or just disabled it. And you know, was only 11 minutes, but it sort of pointed to [laughs]-

Daniel McDermott: [00:33:57] [laughs].

Garrett O'Hara: [00:33:58] You know, pointed to some potential problems with how that stuff was being managed way back them, three years ago.

Daniel McDermott: [00:34:04] Yeah, and I don't even think it's the second time. I won't out the person-

Garrett O'Hara: [00:34:08] [laughs].

Daniel McDermott: [00:34:08] But a friend who, uh, who is in the security industry, um, and uh, has a, one of the, one of the OG accounts, uh, was, uh, actually hacked by the Russians a long time ago, many, many years ago.

Garrett O'Hara: [00:34:21] Oh.

Daniel McDermott: [00:34:21] Um, and turned all of his tweets into Russian, and started tweeting in Russian on his behalf.

Garrett O'Hara: [00:34:29] [laughs].

Daniel McDermott: [00:34:29] Um, yeah [laughs]. And, uh, it's really just to, uh, to show that they could, right?

Garrett O'Hara: [00:34:32] Yeah.

Daniel McDermott: [00:34:32] And it was just to, to mess with it. And um, there was, that was weird. They actually gave the account back, and um, and he still uses it today [laughs]. But it's, um, it sort of showed that it, it could be done at any time, is sort of, I think the way that they were trying to show the world that, you know, be careful what you put out there, and be careful of becoming a target, as well. So, it's, uh, not the first time and probably, unfortunately as you say, may not be the last, either.

Garrett O'Hara: [00:34:57] Yeah, definitely. And, and your example actually points to exactly the reason why you need those tools, internally, right? To, to get back accounts that have been, you know, taken over-

Daniel McDermott: [00:35:06] Mm-hmm [affirmative].

Garrett O'Hara: [00:35:06] -and, and, you know, and transferred financially, when somebody buys a, uh, an old account. So, you know, those tools need to exist, but um, yeah. I think Twitter's in for some pretty serious questioning lines, from, I would say like, the industry. But also, I mean, the FBI, there's a bunch of agencies now that are involved that um, yeah, I'm sure there's a lot of people at high level in Twitter who are not sleeping so well right now.

Daniel McDermott: [00:35:27] Mm-hmm [affirmative]. Indeed. Well uh, thanks for covering that, and um, all things cybersecurity for the month of July. Um, I think it's been a great review. Um, looking forward in a, in three weeks time, on the 18th of August. We're going to celebrate, uh, the Get Cyber Resilient, uh, blog, and website, uh, one year anniversary. We're going to have a, a go live with the podcast, on podcast Tuesday. So, looking forward to that on Tuesday the 18th. And um, we'll open it up to listeners, um, ahead of time, and at the time to, for a, as it's known in the industry, an AMA, an ask me anything session.

And um, and certainly look forward to our audience's questions. And, uh, hopefully we're, uh, we'll be able to answer a few of them, as well.

Garrett O'Hara: [00:36:11] Yeah, that's exciting stuff, actually, when you mention the, uh, mention that, uh, yeah. I'm very much looking forward to that. Um, and I love the energy of I think for me, anything live.

Daniel McDermott: [00:36:20] Mm-hmm [affirmative].

Garrett O'Hara: [00:36:21] Uh, is always kind of fantastic. So yeah, definitely looking forward to that one.

Daniel McDermott: [00:36:25] Terrific. Well, uh, good luck with the coming up interviews for, uh, for the coming weeks. And uh, look forward to seeing you live on Tuesday the 18th.

Garrett O'Hara: [00:36:34] Awesome, thanks Dan.

And that is a wrap for July. Lots going on in cyber as always. Thanks to Dan for hosting the episode. Thanks to Bradley for the insights. Please do dip into past archives, and if you like what you hear, we'd appreciate it if you subscribe and rate us. If there's a topic you want us to cover, please do drop us a line and let us know. For now, thanks for listening to the Get Cyber Resilient podcast, and I look forward to catching you on the next episode. 

 

Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara