The Get Cyber Resilient Show Episode #5
In the first episode of the Get Cyber Resilient Show for 2020, our new host Dan McDermott and mainstay Garrett O'Hara chat about how cyber criminals are exploiting the Coronavirus, explore the recent cyber attacks on companies such as Toll, and discuss how businesses can better protect themselves and control the narrative when a breach has occurred.
#cybersecurity #cyberresilience #getcyberresilient
The Get Cyber Resilient Show is brought to you by mimecast.com.
A rise in ransomware attacks around the globe shows how cybercriminals are targeting enterprises for big paydays.
Emotet resurfaces as cyber attackers use the widespread fear of the coronavirus health crisis to target unsuspecting victims.
The Get Cyber Resilient Show Episode #4 Transcript
Dan McDermott: [00:00:00] Welcome to, uh, the Get Cyber Resilient show for 2020. Uh, my name is Dan McDermott, and I'm here today with, uh, my co-host, Garrett O'Hara. Hi, Gar. How are you?
Garrett O'Hara: [00:00:13] Very well. Thanks, Dan. How are you?
Dan McDermott: [00:00:15] Yeah, good. Thank you. Uh, we just came back from the, uh, MonCast Connect event this morning, which was a, which was excellent. And, um, uh, I think some interesting topics that, uh, we'll certainly cover, and topical things we'll be covering today as well.
Uh, one of the things that, um, our listeners may realize is I'm a different voice today. Um, Gregor Jeffery, who is, uh, I guess the- the founder of the show. And, um, and normally the co-host. Um, unfortunately, uh, had a tragic loss at the end of last year. Um, so he's taking some time out to, uh, deal with that. So our- our thoughts are with you, Gregor. Um, and uh, the microphone is certainly yours, um, whenever you're ready to return.
Um, as I said, the- there has been a bit of a crazy start to 2020. Um, we see a lot of things in the news, and a lot of topical items happening. I think one that is on the top of everyone's mind in loops at the moment is the coronavirus. Um, and it's interesting that it's even had a- a- a play into the cyber world as well. Um, what's your take on sort of, I guess, how cyber criminals are, uh- uh, exploiting something like the coronavirus?
Garrett O'Hara: [00:01:16] It is shocking on a number of levels in my opinion. Obviously, the coronavirus itself is horrific. Seems like something from a … the kind of movie that Brad Pitt or Tom Cruise would s- star in [laughing] as they rescue the world. Um, but what we've seen is that, uh, cyber criminals and attackers are using it as a- a vehicle to, uh, spread ransomware and spread to other threats, surprisingly. Um, it's- it- it just feels disgusting, um, that people would do that, but here we are. And so what we've seen is- is things like emails, RANDs, maybe local information on coronavirus [inaudible 00:01:51] to protect yourself. And there may be a Word document or a PDF attachment on that, but actually in there is things like emotet and- and other malware. Um, absolutely horrific. Um, and- and sort of echoes of some of the stuff we saw in the bushfire crisis just gone.
Dan McDermott: [00:02:07] Hmm, yeah.
Garrett O'Hara: [00:02:07] And where, you know, what, part of what we saw was a domain that's registered to look like charities and- and various scams that were being kind of spun up to take advantage of, um … A time when people are obviously emotional. They're obviously very vulnerable, and um, like really just kind of disgusting behavior. Like it's- it's really just ugh. It's- it's pretty horrible. Yeah.
Dan McDermott: [00:02:27] Yeah, it is. It is one of those things that never- never s- shocks to, stops to amaze me. Like the lengths that people will go to, like to be using these moments of sort of vulnerability to, uh, to- to really take criminal advantage of. It's, uh, yeah. It is disgusting, and then something that, uh, unfortunately keeps happening, and I think keeps getting people at those vulnerable moments. It's interesting how one of the attack vectors that they're using is like emotet, which is, um, we saw sort of have the impact in the Victorian healthcare system at the end of last year. Um, I- I was reading that there was a spike in the tax of the, sort of U.S. over the Christmas period. I- is- is this an attack vector that's ever going away? Or is there a way to sort of, you know, protect ourselves as well from these type of things?
Garrett O'Hara: [00:03:10] Uh, interesting. Like so we- we talked about this, uh, this morning actually. That idea of, actually we [laughs], we were talking about Anna Kournikova, the virus and the tennis player. And uh, the "I love you" virus and all those things from the past, which, you know, have gone away. And, but maybe in very much the way that something like, you know, we thought measles was gone, but then if you stop doing the right things, all of a sudden you've got a problem again. And since, you know, here we are where we thought measles was a problem from the past, but actually has kind of reemerged. And, look, I will say these are fairly similar things that, um, I- I will say you will see a drop-off because, if you're a criminal, uh, organizations like us and other people in cyber security, uh, will have things in place to protect. B- so it becomes less effective-
Dan McDermott: [00:03:53] Yep.
Garrett O'Hara: [00:03:53] But that's not to say that i- it's not gonna continue to exist-
Dan McDermott: [00:03:55] Hmm.
Garrett O'Hara: [00:03:55] … in some form or another, and kind of be out there in the ether. You know, you- you can't not, um, I would say, protect yourself against almost everything that has happened to this point. And all we're really [laughs] ever doing is adding the protection for the- the kind of net news stuff at any point in time.
Dan McDermott: [00:04:09] Hmm.
Garrett O'Hara: [00:04:10] So, yeah. I don't think they, you know, a g- good piece of malware never dies.
Dan McDermott: [00:04:13] Hmm! And I think we're, uh, we're seeing that in the news right at the moment. Um, you know, uh, and sort of our thoughts are- are, we're told … Um, they're obviously experiencing a- a bad time, and that, but … again, it wasn't really a- an some sophisticated new attack vector, right? Uh, MAL2. It's something that has been known for a while.
Garrett O'Hara: [00:04:33] Yep, um, and- and it- it's horrible. [inaudible 00:04:36] We- we've seen this a few times. Uh, we had a speaker this morning, actually, who was talking about things like [inaudible 00:04:41].
Dan McDermott: [00:04:41] Mm-hmm [affirmative].
Garrett O'Hara: [00:04:41] You know, it wasn't particularly aimed at them, but where did they … you know, were they affected? Um, time and again, you see that where the, uh, organization's been caught up in those spray and prey or opportunistic type stuff. Um, significant modifications for their business, and some … You know, it's- it's all over the news. I don't think we need to cover the details of what happened-
Dan McDermott: [00:05:01] Yeah, yeah.
Garrett O'Hara: [00:05:02] … but um, I think the- the important point, the interesting point there, is just how big a disruption can actually be for organizations. You know, [inaudible 00:05:10] health, um, [inaudible 00:05:11] uh, LifeLabs. Um, Travelex. You know, there's a long list of very big outages and disruptions to organizations these days. And um, I think part of, part of this stuff, in my mind, is the, "Yes, there is the opportunistic stuff that will have a huge effect, and that is obviously terrible."
Dan McDermott: [00:05:31] Mm-hmm [affirmative].
Garrett O'Hara: [00:05:31] And, but then we're also seeing that stuff where actually the attacks are pretty targeted. And I think Travelex in that example, uh, it was a six million dollar ransom.
Dan McDermott: [00:05:39] Hmm.
Garrett O'Hara: [00:05:39] And the attackers were, you know, in that network for six months.
Dan McDermott: [00:05:42] Hmm.
Garrett O'Hara: [00:05:43] So it wasn't, you know, an ooh- oopsie, somebody in [inaudible 00:05:46] clicked the wrong thing. I think that was, you know, very specifically targeted at that end, at that organization. I think we're in a bit of a, like a- a sort of pivot point in terms of what the, what ransom we're into.
Dan McDermott: [00:05:56] Mm-hmm [affirmative].
Garrett O'Hara: [00:05:57] There's ransomware where all lowercase, and now we're moving into, you know, uppercase ransomware, um, you- you know we've been using the phrase "black whaling," uh, which I think that sums it up. Right?
Dan McDermott: [00:06:06] Mm-hmm [affirmative]. Yep.
Garrett O'Hara: [00:06:06] It's, you know, it's black- blackmail but for those large targets. And very well researched, um, and- and it came up this morning, the whole idea of not paying the attackers. Or not negotiating with terrorists, which sounds amazing …
Dan McDermott: [00:06:20] Hmm.
Garrett O'Hara: [00:06:20] … until somebody's life is on the line because their allergies are locked up by a piece of ransomware.
Dan McDermott: [00:06:25] Yep.
Garrett O'Hara: [00:06:26] And, you know, that's a huge implication to-
Dan McDermott: [00:06:28] Hmm.
Garrett O'Hara: [00:06:29] … people living. Um, you know, or, uh, [inaudible 00:06:32] talked about this today. He's a, you know, the idea of attackers going in and maybe changing, not even stealing data, or locking it up, but what if somebody goes in and changes your blood type. You know, on your medical record.
Dan McDermott: [00:06:42] Yeah, yep.
Garrett O'Hara: [00:06:43] That's a pretty big deal.
Dan McDermott: [00:06:44] Yep.
Garrett O'Hara: [00:06:45] Um, so I- I think what we're seeing is a bit of a … It's a move, right? It's a move away from, uh, the nuisance factor.
Dan McDermott: [00:06:51] Mm-hmm [affirmative].
Garrett O'Hara: [00:06:51] Which maybe underplays the effect it has on business, where files are locked up. And that's a horrible thing. There's a remediation process, but-
Dan McDermott: [00:06:59] Yeah.
Garrett O'Hara: [00:06:59] … there's no loss of life. And we, you know, a city's electricity is not, you know, unavailable. I feel like we're kinda moving into a … I think the people have talked … [inaudible 00:07:08] talked about this, uh, many years ago. Critical infrastructure attacks, um, you know, medical facilities. Attacks there. That changes the game.
Dan McDermott: [00:07:16] Hmm.
Garrett O'Hara: [00:07:17] It's- it's not as … It's not as simple as it was before.
Dan McDermott: [00:07:19] Hmm. Yeah, definitely. I think that's right. The- the impact of these attacks is what, is really going to the next level, right? Um, you know, probably should've done a better job of training my dad, but you know, he uh-
Garrett O'Hara: [00:07:30] [laughs]
Dan McDermott: [00:07:30] … He- he did have a- an incident, a call from Telstra. Log on, obviously got- got everything locked up. Um, and it was, you know, buy, go down and buy iTunes gift cards and stuff-
Garrett O'Hara: [00:07:41] Right.
Dan McDermott: [00:07:41] … and things like that. And it's, you know, he was trying to, you know, negotiate with them, and what could he do, and how does he get it back. Um, so it- it sort of goes from that, which is, you know, pretty low- low-scale, um, you know, couple hundred dollar gift-card type thing to try to get an encryption key to, what, potentially millions of dollars in- in- in Bitcoin that people are looking for. They're holding, you know, whole corporations at ransom.
Garrett O'Hara: [00:08:06] A- a different world.
Dan McDermott: [00:08:07] Yeah.
Garrett O'Hara: [00:08:07] Like a completely different world. Um, and a different, uh, I mean we- we- we don't talk about this stuff. Like it's a different risk profile.
Dan McDermott: [00:08:13] Mm-hmm [affirmative].
Garrett O'Hara: [00:08:14] Um, I don't know if it's a fair statement. I think it is. I think we still think about [inaudible 00:08:18] outages. Like that's sort of the mentality-
Dan McDermott: [00:08:20] Yeah.
Garrett O'Hara: [00:08:21] … versus, y- you know, literally a business disruption, a- a seismic event for want of a better phrase. But those are big, big events, and it's not a … It's not the same as it was, but I don't know if the mentality has caught up even within cyber security, I would say.
Dan McDermott: [00:08:35] Yeah. I guess, uh, one of the- the talks this morning, uh, Jim Lennon from, uh, Norton Rose Fulbright as a lawyer talking to a bunch of IT security professionals. And um, resonated a lot with me as not- not being, from the technical side of the business of being sort of part of the business, was very much around the- the communication that needs to happen in a breach. What do you, ha- who do you communicate to? How do you take control of that narrative? Are you in control of the narrative when the media start getting involved. Um, and uh, putting pressure on you. You may not have all the information at hand from the IT systems. How fast spread is- is the attack?
Um, I thought that was, you know, uh, frightening. Uh, but very insightful in terms of there is obviously the technology side of things. Try to stop things, try to stop people clicking on things, but when something does go wrong, your response will probably define really the outcome at the end of the day for the organization. Um, in terms of how did you respond to that? Not just from an IT and process perspective, but from a people and communication perspective, I think. Uh, it's really, I guess, the notion of crisis management. Right? There's a new wave of- of how to manage crises, um, and how do you keep people informed? Or, you know, across your employees, customers, investors, regulators. It's, uh-
Garrett O'Hara: [00:09:55] [crosstalk 00:09:54]
Dan McDermott: [00:09:56] … a comple- [crosstalk 00:09:55]. [laughs] It's a complex, uh, environment. And I think one that I think a lot of people, you know, would really struggle with to- to- to enact, even if you had a plan in the first place to enact that and do it, you know, in a, in a consistent way across all of those groups. Would be incredibly stressful to, uh, to be going through.
Garrett O'Hara: [00:10:14] Uh, 100% agree. Um, and I think, you know, we've talked about this for many years. The having an incident response plan. It's critical these days, but that shouldn't just be a techology plan.
Dan McDermott: [00:10:25] Yeah.
Garrett O'Hara: [00:10:25] That should be a- a [inaudible 00:10:26]. Um, that should be [inaudible 00:10:29] as you, as you said. Um, that should be customer communica- communications. And it's your point. Like it's a very broad plan, and very hard to really know it's gonna work until you've actually practiced it.
Dan McDermott: [00:10:39] Hmm.
Garrett O'Hara: [00:10:39] And that's one of the things that we- we often talk about is [inaudible 00:10:42]. It's gonna be complex. It's gonna be tricky, but you absolutely need to test it. Um, and really go through the motions though, if you have those- those tabletop exercises where you do get a phone call from the media saying, "Hey! We're about to run a story on this. Do you have any comments?"
Dan McDermott: [00:10:56] Yeah.
Garrett O'Hara: [00:10:56] And you're not at a point where you can really comment because you- you're still trying to understand what's happened. Um, yeah. What a world we live in.
Dan McDermott: [00:11:04] Yeah.
Garrett O'Hara: [00:11:04] But to- to your point, it's not this … I heard a podcast this morning. It's not a nerd problem. This is one of the comments that was made-
Speaker 3: [00:11:10] [laughs]
Garrett O'Hara: [00:11:10] … and it's true, right?
Dan McDermott: [00:11:11] Yeah, yep.
Garrett O'Hara: [00:11:11] You know, this- this stuff, and- and definitely to your point, post fringe becomes a- a huge business here, uh, issue. And it's across so many different departments. Get in, just, um, you know, they have big eyes, and the- the background, was trying to figure out what's happened. It's the communication experts.
Dan McDermott: [00:11:26] Mm-hmm [affirmative].
Garrett O'Hara: [00:11:26] It's the, uh, the business leaders. Um, you know, figuring out probably on the s- on the fly what the strategy is to, uh, make people feel, make sure they're- they're well-communicated to, but at the same time not maybe saying things that, you know, subsequently turn out to be non-true.
Dan McDermott: [00:11:41] Yeah.
Garrett O'Hara: [00:11:41] So, spinning plates. Yeah. Yep.
Dan McDermott: [00:11:44] Yeah, and that definitely is a, I think, an executive management issue, and- and up the boards, and then like you say, uh, it's not a nerd problem is a-
Garrett O'Hara: [00:11:51] [laughs]
Dan McDermott: [00:11:51] … is I think a nice summary of our, of that, and I guess start to show the importance of it as well. Um, I guess one of the last, uh, things that have been topical lately, talking about it sort of not being a nerd problem in the executive management. You know, we have Jeff Bezos, a Saudi prince, and a WhatsApp group. It sounds like, uh, the start of a- a good standup that I- I a geek. Um, what could go wrong, and how does somebody, you know, of that nature, with so much intelligence and so much, you know, know-how and- and smarts in the industry. And- and knowing about it can, uh, can I guess be vulnerable as well.
Garrett O'Hara: [00:12:25] Uh, there's so many layers to that story.
Dan McDermott: [00:12:28] [laughs]
Garrett O'Hara: [00:12:28] And, uh, you know, the- the politics and the reasons why it'll happen to me. It's a completely separate thing obviously, and it's- it's quite fascinating, but when- when I think about death, some, you know, what happened there? It- it maybe points to how much trust we sometimes put in third-party applications. And the things we use day in very sensitive ways, sometimes. And, you know, my caseworker was, he goes, "What's up?" And, um, yeah. Well, I don't know that there- the full details are- are right there. I kind of fully understood, but you know, it looks like it was potentially some kind of vulnerability or exploit those taken advantage of to, um, yeah. To expose that information. Um, we talk about this, uh, in the session this morning when we were thinking about disruption. That one of the big things is the idea of digital dependency. Um, and how critical it is to think in those terms, where if [crosstalk 00:13:18], uh, personal communications, business communications, business data flow.
Dan McDermott: [00:13:22] Mm-hmm [affirmative].
Garrett O'Hara: [00:13:23] Everything is digital. And combine that with the fact that human error at some point is probably the reason why every summer attack happens.
Dan McDermott: [00:13:31] Yeah.
Garrett O'Hara: [00:13:31] You know, being kind of over-simplistic.
Dan McDermott: [00:13:33] Hmm.
Garrett O'Hara: [00:13:33] [inaudible 00:13:34] somewhere husband understood. Uh, you know, [inaudible 00:13:37] or, you know, doesn't realize as the buffer overflow, or any of those examples. But, you know, it's sort of a human error. Um, so it was right … It flows right … It threws you having some fairly big impacts, and- and then you look at what, you know, what happened to, uh, to Jeff Bezos. That's just one example. You think about how many, you know, apps people install on their phones because it seems like a cool thing, and they just pick okay on the, um, the end user agreements [and kind of really reads them]. You know, what data is flowing in penance, and where to? Um, and- and how good a job … They turned on the security, it was applications. It costs money to do security well.
Dan McDermott: [00:14:11] Mm-hmm [affirmative].
Garrett O'Hara: [00:14:12] And I think the, uh, the, uh, U.S. elections, you know, the recent uh, the app that went kind of haywire in the voting. That's another example. You know, where, uh, if you don't do security well, like you're probably gonna have some problems. But it causes friction, and it's an impact to getting yourself out there and [inaudible 00:14:27], uh, barrier to innovation.
Dan McDermott: [00:14:29] Hmm.
Garrett O'Hara: [00:14:30] And, you know, you get to choose between fast innovation and then slowing down a little bit to actually do the security part well. And sometimes that's really hard. If you're [inaudible 00:14:38], and the street wants to know how well you're doing, and how fast you're innovating.
Dan McDermott: [00:14:42] Let's be honest. I mean a lot of the time, that's the thing that, that wins over, "Let's do really good security," which is boring, and you can't really …
Garrett O'Hara: [00:14:49] [laughs]
Dan McDermott: [00:14:49] You know, you can't sell it as a cool feature.
Garrett O'Hara: [00:14:50] Yeah.
Dan McDermott: [00:14:51] Maybe you can.
Garrett O'Hara: [00:14:52] May has-
Dan McDermott: [00:14:52] [inaudible 00:14:53] I mean, is his defense … Sort of security is a- a competitive differentiator. My, maybe that's a … Maybe that's [inaudible 00:14:59] some point. You know, it becomes that important.
Garrett O'Hara: [00:15:01] Well, I think people who stayed are as important, and then everybody wants to know who has what, and when what's happening. Right? I think that the, that he's only gonna become more and more prevalent over time. And I also think it's interesting that, you know, things like WhatsApp that was considered sort of, you know, safe from some of these vulnerabilities and, uh, apps, you know, and you know, and the app store has, you know, protocols to go through in order to get apps up and that type of thing.
Um, our creating, us, creating new attack vectors. People are just finding ways around them, right? So, um, anything can be I guess a potential, I guess, uh, breach. Sort of, uh, aspect of coming into you. Um, so yeah. You definitely need to beware. That's for sure.
Dan McDermott: [00:15:40] Yeah. And then- then you get into, you know, digital footprints and minimizing those, and you know, it's … Not that I'm a tinfoil hat wearer, but uh, certainly since I've gotten into cyber security, I … My phone has barely anything on it, and it's really only the stuff I need.
Garrett O'Hara: [00:15:54] [laughs]
Dan McDermott: [00:15:54] I just h- horribly cynical and untrusting of even the big name stuff, because um, look, in too often, it feels like we hear these, um, very recognizable applications.
Garrett O'Hara: [00:16:05] Hmm.
Dan McDermott: [00:16:06] That no one has thought about in a way that, you know, subsequently sh- turns out to be something that exposes private user data.
Garrett O'Hara: [00:16:13] Yep, look at StraVis, for example where … No, it wasn't necessarily like a flaw in the platform, right? But the GPS data, being sent up to- to the cloud, which is [inaudible 00:16:22] all of a sudden you've got military bases being identified because you can see the soldiers going for a jog on the perimeter.
Dan McDermott: [00:16:29] Hmm.
Garrett O'Hara: [00:16:30] So, you- you know, I mean it's that stuff, and um, yeah. Maybe- maybe I am a little bit of a tinfoil wearer over that.
Dan McDermott: [00:16:36] [laughs]
Garrett O'Hara: [00:16:37] Yeah. I- I just … It frightens me.
Dan McDermott: [00:16:39] Yeah.
Garrett O'Hara: [00:16:39] [crosstalk 00:16:40] you can't get it back. You know?
Dan McDermott: [00:16:41] Hmm. No, definitely. Um, a- and I think that's sort of a- a good summary, I guess, of, um, I guess the topical things right at the moment that we're seeing, and then the types of responses that people were having to- to … struggle to get to in that. So, um, uh, thanks for your time, Gar. I look forward to, uh, catching up again shortly and sort of sharing out what else is happening in the world of our, of cyber-resilience. So, uh, for anybody out there listening, thank you. Um, go- to cyber resilience dot com, um, subscribe to the newsletter, and we'll keep you up to date with, uh, the latest happenings as well as, um, the next issue of the podcast as well. Thank you.