
‘Cybercrime is a war that is escalated every year’: Experts outline risks, give tips on keeping data safe



As technology, such as AI, gets more sophisticated, so does cybercrime. According to a recent Cybersecurity Ventures report, the global annual cost of cybercrime is predicted to reach a staggering $8 trillion in 2023. How can small businesses and individuals protect themselves against this onslaught of cybercrime? For this episode, we will talk with cybersecurity experts Patrick Hynds, CEO, and Duane Laflotte, CTO, of Pulsar Security of Londonderry, NH, to get their perspectives on the global cybersecurity crisis, the shortage of cybersecurity professionals, the different levels of cybersecurity threats, the security risks of popular IoT devices, as well as concerns with the AI chatbot ChatGPT.

The transcript below has been edited for clarity and length


Flo Nicolas:

Welcome to another episode of Get Tech Smart, where we talk about all things tech happening here in New Hampshire. I am your host, Flo Nicolas. And today, we will be talking about a hot topic: cybersecurity. My guests are from Pulsar Security (Londonderry): Patrick Hynds, CEO, and Duane Laflotte, CTO. This year has been mind-blowing in cybersecurity. What in the world is going on?

Patrick Hynds:

Cybersecurity is a war that is escalating every year. The attacks are evolving. And it has spilled over into the civilian and small business worlds. It used to be that the hackers went for the banks, the governments, or high-net-worth individuals. But now the cyber war is attacking anyone it can. 

Duane Laflotte:

And the barrier to entry is super low now. For example, there are companies you can buy malware from. So you can go out and buy a ransomware virus, and then you can test it. There’s also a company that will support and test it for you. And then there’s a company out there that monitors how fast it spreads. So, it’s hard to keep up as an individual, never mind an organization.

Flo Nicolas:

Now we’ve got AI. Does our dependence on new technology impact what’s going on in the cybersecurity war?

Patrick Hynds:

Every innovation we’ve had in science has turned into a weapon. Every medicine we’ve turned into poisons. It’s just the nature of the beast. Everything that we can use for better banking, we can use for better hacking. AI is similar. While we’re in an advanced (stage) of AI, it’s still the beginning. So, there’s still a lot of vulnerability. And we’re seeing this with OpenAI and ChatGPT.  But, garbage-in, garbage-out; if you put in something bad, flawed, wrong, you’ll get out something that’s bad, flawed, wrong. So, AI isn’t magical. We don’t have conscious AI — we’re still a long way away from that. We have domain-specific AI that can write viruses.

Duane Laflotte:

(The AI code) can be unique enough so that it’s not picked up by antivirus. I saw one campaign where somebody said, “Hey, I’m trying to break into a bank. Can you give me a very convincing phishing email I would send to board members?” And ChatGPT wrote a fantastic email with enough links to click on and why you want to click on them. We’re seeing researchers and hackers use these (AI) tools to augment their skills. 

Flo Nicolas:

We have to be aware of the benefits (of AI) as well as the risks.

Patrick Hynds:

Right. Most people understand physical security: We know when to lock our doors and when to stay off the street. We know how not to get hit by a bus. We now need the same kind of street sense in the cyber world. And that’s because the threats are starting to metastasize. AI is a fantastic tool. But it’s not a panacea for defense or attack. So, for example, one of the things that we do quite often is what’s called a red team engagement. So very often, smaller companies (clients) have us attack them like we’re China or Russia. Now, we don’t drop a tomahawk, and we don’t kidnap anybody! But, we do pull out all the stops — do phishing, do open source intelligence. And we try to hack them. Far too often, we can get in. And far too often, their sophisticated AI-based detection tools don’t catch us. That’s because we’re quiet and we’re not noisy.

Flo Nicolas:

Stealth mode, right? Because hackers are not going to use the same methods all the time. They’ll find sophisticated ways to do things like what you just mentioned. They will not come through the front door and say, “I’m here; just hand over the information.” No, they’re going to go through the back door.

Patrick Hynds:

There are levels of threats. One of our regular presentations is called the “Pyramid of Threats.” At the bottom layer are the script kiddies — a person who wants to be a hacker and wants to have street cred and wants to show off. And they go on the internet, find an old exploit, and find a script that will let them use it against any website in the world. A lot of times, these people are kids. There have been sophisticated hacks by some 16 and 17-year-olds. So, some of them are dangerous, but most of the script kiddies are neophytes. They are looking for the equivalent of walking through a parking lot and trying car door handles. If the door’s unlocked, they’re a thief. If the door’s locked, they’re just a kid who is not doing anything. So, they need someone to make a mistake by not patching and not having up-to-date systems. And so our advice to our customers is to patch your systems and have up-to-date ones. So that’s the first level (of the Pyramid of Threats).

The next level has fewer people, but there are probably tens of millions of hackers with a grudge. These are technical stalkers. They’re not really hackers. They know enough to be a little dangerous, but they have a grudge. They don’t like their past employer. Or they will be a stalker against somebody in their family or their life. Those people have a lot of time and more technical acumen, so they’re going to be a little more sophisticated (than script kiddies). And there’s a lot of them, but not as many as the script kiddies, but not as dangerous as the higher levels.

The next level is the criminal syndicates — people trying to make money. They’re the ones launching ransomware, and they’re the ones that are causing us to pay attention because they’re starting to go after homes. They’re starting to go after civilians. They’re going after smaller businesses. They’re the ones who are doing a lot of phishing. And they’re more sophisticated. You need firewalls to stop them. And then you get to the nation-state level organizations that aren’t nation-states. So like Equation Group — they’re called APTs, Advanced Persistent Threats. And they typically are organizations or companies that work for governments or large, multi-billion-dollar institutions. And in that same category are things like Anonymous, LulzSec … these groups of people who are very good, have very high skills, have money, and can buy the hundred-thousand-dollar tools it takes. They are dangerous, but they’re typically doing the bidding of some government or they’re doing the bidding of some billion-dollar company. And then the last level is nation-states. And if a nation-state comes after you, we say the only defense is prayer. Even the smallest nation-states in the world can put a billion dollars down to get you — so try not to get on their bad side. So, if you understand the Pyramid of Threats, you understand where your risks are, and you understand what the mitigations are.

Flo Nicolas:

What we see in the news are big names like Uber being hacked again through a third party. So that raises the question about people doing business with a third party. How can they protect themselves?

Duane Laflotte:

That’s a really good question that bleeds into what we call supply chain protection or attacks. So, we see many of these supply chain attacks where you purchase a piece of software, and it’s cloud-oriented and you put in all your data. Well, somebody else has access to that. It’s the company you purchased it through. We’ve seen attackers in nation-states starting to target those heavily because why breach one customer when I can breach into this supply chain and have access to hundreds of customers’ worth of data? You should ask the third-party company: Do you have security code reviews? How often is it done? How often do you have red team engagements? How long does my data exist on your network? If I stop being a customer, is the data removed? Who in your company has access to my data? (Ideally, the answer is nobody.) These are great questions to ask any third party you’re dealing with.

Flo Nicolas:

Let’s talk about what happened with Twilio and how their employees were tricked … texting, email seems to be the new method of attack.

Duane Laflotte:

One thing Patrick always talks about is this arms race. It used to be (a hacker) could send an email to someone and have them click on something, and they’d get access. Microsoft and Google have said 99% of those phishing attacks can be stopped if you implement multiple authentication factors. So, text (a code) to your phone. So now what’s happening is that you’ve been trained to wait for a text on your phone to authenticate to something.

Patrick Hynds:

They are going to get you fatigued, and you’ll click to authenticate. So, with Uber, one of their support techs, it was three in the morning, and he was like, I don’t know what’s happening. It’s probably my laptop trying to authenticate. And he just clicked OK.

Duane Laflotte:

And then they (the hackers) got access to the network. So that’s the next stage in this arms race: We’ve trained everybody to click OK (to authenticate), so they’ll keep sending you that message until you say OK. It’s called “smishing.”

Flo Nicolas:

So what is the solution, since there’s a global shortage of cyber security professionals? Still, I knew of a gentleman who was looking for a job. He had all his certifications, but he was struggling to get work. So, what’s going on?

Patrick Hynds:

The problem is that there are lots of different nooks and crannies in cyber, and there’s a lot of demand, but the need is uneven.

Duane Laflotte:

Cybersecurity is a big topic. So, lots of people will say, “I want to get into cyber.” But do you want to be blue team, which is defensive; do you want to be red team, which is offensive; do you want to be purple team, which is a little bit of both? Do you want to be compliance — understanding laws of regulations; do you want to be an auditor? There are hundreds of different subsections of jobs inside cybersecurity. So, it’s tough to know when you’re going to college to study cybersecurity. They will teach you a little bit of everything, but you do have to figure out your focus.

Patrick Hynds:

We need to do a better job of educating students about what the market looks like. And the best way to do that is for educators to say, here are the job listings from monster.com this week. Walk them through, and see what they might qualify for. The problem is we’ve oversimplified security and cyber, and so now people have expectations that are being unmet. Certifications are a great place to start — there are plenty of technical certifications that are great.

From left, Duane Laflotte, Flo Nicolas and Patrick Hynds.

Flo Nicolas:

Some companies are looking for someone who can jump in. But they don’t have the trainers or mentors to help out. 

Patrick Hynds:

At least you have to show that you’re a self-starter. At least show that when you show up, you will keep digging into this and devouring it. They want somebody who’s going to be an animal who’s going to be running as fast as they can to get the technology because they realize the organization doesn’t have time to train them. The other problem in cybersecurity is that it’s one of the few industries that changes minute by minute. While we’re on this show right now, I’m sure about six or seven new security breaches have happened. I want to mention our podcast, @securitythisweek.com, where we talk about the hacks and the events, pick about half a dozen news stories, and talk about them for about 35-40 minutes. My catchphrase is that convenience is the enemy of security. I say it in every episode: the more convenient it is, typically the less secure it is.

Flo Nicolas:

So, what are some of the myths about cybersecurity that we need to know about?

Patrick Hynds:

So the first one we’ve already exposed is that you can easily get a job in cyber. The other is that there are armies and legions of really good hackers — most of the companies that do what we do have a couple of really good people. But real hackers aren’t everywhere.

Duane Laflotte:

One of the other myths we run into is this: “Well, I bought it from a company; it must be secure. I bought my ring doorbell from Amazon; it’s got to be secure.” Well, chances are when you buy IoT (Internet of Things) devices, like your refrigerator that connects to Wi-Fi, your camera that connects to Wi-Fi, your thermostat, or your dog collar, there is no guarantee that the company you purchased that from has any idea what they’re doing in cybersecurity. While they don’t want to be the one with the bad mark on them that there was some sort of hack that allowed them to breach your home, it doesn’t necessarily mean they’re pouring millions of dollars into it. So, I’ve seen that as a fallacy when I talk to companies, and they say, “We bought IP cameras, our bank uses them, I’m sure they’re secure and fine.” And we say, OK, but did you test them? There are still steps you need to take before you put them in. And, another thing: Just because an app is in the app store doesn’t mean it’s safer. Some apps in the app store are malicious and can steal people’s data, track them, and even turn on microphones.

Flo Nicolas:

But how do ordinary people protect themselves? 

Duane Laflotte:

Number one: password managers. A password manager is one of my biggest recommendations to anybody. Have it on your phone, have it on your computer. It manages and resets passwords; when one of those passwords shows up potentially on a breach, it lets you know and tells you to change them.

Patrick Hynds:

And longer passwords are far more secure than all the crazy stuff we put ourselves through. Another thing people can do is turn on multi-factor authentication.

Duane Laflotte:

And never click on anything in email.

Patrick Hynds:

When anyone asks you, whether you know them or not, to do something on email or text — to call a number that you don’t know, to click on something, to open a document, to do anything, use a second avenue of communication and ask them, “did you send this?”  

Flo Nicolas:

This was great information about cybersecurity. Thank you, Patrick and Duane, of Pulsar Security, for talking with us. And thank you for watching another episode of Get Tech Smart. And don’t forget I have a partnership with Granite State News Collaborative to help amplify my message across New Hampshire.


Get Tech Smart is being shared with members of The Granite State News Collaborative



About this Contributor

Flo Nicolas

Flo Nicolas is a technologist, lawyer, speaker, mentor, writer, tech startup Founder/CEO of CheapCheep and Creator of Get Tech Smart. This article and episode are being shared with members of The Granite State News Collaborative.
