Feb 18, 2020
How to Secure Your Business Network
Joshua Lewis: Everyone listening out there in the cybersecurity world and business owners, I've got a very special guest on here, Alex from Jolly Frogs. And he does something called pen testing and that's something that might sound really scary, or might sound like you've only ever seen it on NCIS or CSI. When they're jumping through, getting through all the firewalls and breaking into the hackers websites and all these other sort of fun stuff. But it's actually quite a lot more involved than the way they make it look on TV. What could you tell me about what you do Alex, and how that affects businesses?
Learn more on how to secure your business network at dorksdelivered.com.au
Alex Penrose: Currently I focus on training, penetration tests. So I've got a lot of experience, and I've done probably a ridiculous amount of research myself to get myself to the level that I wanted to be at. And I'd like to do nothing more than to share that knowledge. So primarily at the moment, I'm training pen testers, I'm training reverse engineers and forensics experts as well. Before I started doing the trainings I held the role of Director of Cyber Security at Queensland Public Education. And before that, I had various management roles in Queensland health and Queensland police. So most of the knowledge that I accumulated is not from work but from personal research. You get home after six in the evening, and you've got four or five hours to do your own research, every weekend 12 hours per day. Researching various new technologies, new ways to get into websites or get into companies and doing various certifications to get to that level as well. So I enjoy doing it. It's something that I like doing. It's a hobby for me.
Joshua Lewis: Cool. I think it's a cool hobby to have. That could definitely get you in trouble if you do to the wrong things. If you're doing the black hat stuff instead of the white hat stuff. And-
Alex Penrose: Yeah absolutely. You got to be very careful. For instance one of the interesting things that I was looking at was reverse engineering. And some of the things that are the most interesting to me are reverse engineering hardware devices. And do you know IoT, the Internet of Things?
Joshua Lewis: Absolutely.
Alex Penrose: They're basically the little things that you can buy. The little cameras, little portable devices, even coffee machines. Anything that's connected to your network or to the internet for updates. Fridges nowadays, ovens, and the way that these devices are being put out to the market, it's all about speed. To get them out to the market as quick as you can because, it's innovative only for the first few months. And after three months, six months, that device starts to get old. So those devices are not always given the scrutiny that other devices are being given Like your Operating System. Your Windows Operating System has a lot of scrutiny going over it. Linux as well, which is another Operating System that has a lot of scrutiny going over it. And it takes many months for particular patches or security updates to come through to be tested by Microsoft or by the Linux consortium.
So these IoT devices, these little hardware devices you can buy them off Alibaba or eBay. And some of them come from China and they're really not that secure, but you still connect into your network. So they're an entry point for a hacker to come into a network. I love to do reverse engineering of those devices. But coming back to the issue of black hat, white hat, there are some legal issues with reverse engineering. You're not always allowed to do it. So the best way to go about that I found, was to contact the vendors and to agree with them that you're going to do it. And a lot of the vendors are more than happy to help you out and say, "Yes, sure." And I ask for a signed form from a high up executive in that company. And what I found that a lot of the Asian companies out there are more than willing to do that.
They don't immediately call a lawyer and try and get it all sorted out. They just say, "Yeah, go ahead and test it for us. If you want to do that in your free time, and for free we'll even help you out with that." I had one vendor send me a device, quite an expensive device that I could reverse engineer. Found a few bugs in that one, a few security vulnerabilities for them, reported it directly to them, and they security updated it in the back end. And all of that went on without anyone knowing about it in the public, and their devices are now more secure. So you've got to be careful especially at say with American and European companies that when you start reverse engineering anything or unpacking firmware that you are covered legally. I'll stop talking now.
Joshua Lewis: That's all right. It was really good because it's something that I'm a huge believer in the IoT movement. I've got a very, I'm going to call it automated house, and I'm also going to call it vulnerable. I would say that it's ... And it comes down to the way that you do it. With any new flexibility with technology, comes about generally inherent security issues. And I can say my gates, my locks, my watering system, the level of my pool, my lights, everything is automated or has some level of IoT connectivity
If I want to turn on the waterfall and the pond, I can do that with my voice. So it's all really, really cool. But what people don't understand, and this is ... I've set it up as an IT specialist, which means I've got everything on ... You know what I'm talking about for everyone out there, and the rest of the world on it, sort of VLAN. Which means it is separated to anything that I have that I hold dear myself. So worst case scenario, someone hacks in, and they're able to open the gate. The locks, I intentionally went with something that I've developed myself, which means although the security ... and this isn't what everyone should do, the security might not be as unpenetrable as what you'd have with a Western country developed device.
I can say that the obscurity would definitely mean it would be zero chance of being attacked. And that's what it is. It's kind of balances with everything. The worst thing that could happen if someone was to gain peering eyes onto my IoT network as a separate network to everything else is, they'd be able to turn my waterfall on and make my lights go to music or something against my want. And that would be obviously quite an interesting thing to happen. And I would do something about it at that stage.
You're exactly right. A lot of companies have these products that they just want to send out the door as quickly as possible. You look at Apple and Samsung, just as their basic phones, they're both fighting to be the biggest market competitor. And so, they're releasing these things. Like Apple had a vulnerability on their device for years that was being backdoored and utilised by Google. And it was only found out that they were tracking and grabbing information out of these iOS operating system for years before something was actually done about it. And it is just because we are in this instant gratification life cycle with the people, the Tinders wanting people to have everything straight away and not necessarily thinking about what the longterm risks are with that.
And I think that's bad on a home IoT device level. But there's also something that gets a bit more concerning, and that's the PLC world to me. When you have these controllers that are controlling main water systems, how much fluoride's being dumped into the different areas. And if something was to be broken into there, we could have some serious issues. What are your thoughts on where the world's going, and how do you think you'd be able to fix those things without taking them away? What would you do?
Alex Penrose: Yeah, I think your approach at home is actually really, really good. And that's something that I would advise most businesses and organisations to do as well. Consider the vulnerabilities of your networks. And every network is going to be vulnerable to something, to a certain degree. And you need to be comfortable with what happens in the worst case scenario. As you said, worst case scenario, they can turn on the pump of my fountain or they can turn it off, and I don't care about that too much. I might lose a bit of order, but I'll find that out the next day because I can visibly see that it's on, or I can hear it during the night, and I can do something about it then. So the damage is controlled. And I think you need to treat your network in that way as well.
Joshua Lewis: Absolutely.
Alex Penrose: Consider the worst case scenario. Do a risk profile and do a risk appetite statement as well for your organisation. This is something that is really big in the Information Security Management System world or ISMS world. Is that you create a risk appetite statement, where you state what your appetite is for particular risks and you always have a certain appetite for risks. For instance, you might think that DePaul education might have a zero tolerance zero appetite for any risk related to personal injury because you don't want your students to get injured and you don't want your teachers to get injured, so there would be a very low appetite for risk there.
But the police, you're sending your police force out there is an inherent risk of your police officers getting hurt. So you might have a slightly higher level of tolerance for that risk of people getting injured during their work. Same for firemen, you're sending them out in the middle of a fire, what's more dangerous than that? So you must have some level of risk associated with that, and you must accept that risk. And the same is true for cyber security. So a bank especially like a Bitcoin bank, an online bank will have a very high a ceiling of where the cyber security would be. Right?
Whereas someone who owns I don't know ... it's hard for me to give an example because everyone cares about their security. Right? but you might have a personal home light in your home. You might not have the same level of cyber security requirements as a bank because you say, "Well, okay, so they can come in and they can turn on the pump. I don't really care about that. They can tend to shut those down or the lights on and off. Okay, big deal. I'll learn from it and I'll fix whatever the issue is, but it's not going to cost me outside of my risk appetite."
Joshua Lewis: Yep. And that's, I'll walk in that ... exactly you've said there too. Like Oceans 11 or any of the big heist movies where they're going to break into a bank or break into a casino and grab a bunch of money. And they have these really crazy plans where there's distractions, an illusion. What I think it comes down to is banks have great security. And if you have to think about the actual physical banks now, physical banks don't have anywhere near the security relative to their online counterparts. And that's because, a physical bank will hold 40,000 or $50,000. They'll have many security cameras, but not ... when I say not as much security, I mean it's not too indifferent to what you'd have in a commercial property for a business. You'll have screens that go up, a safe, most businesses will have safes. Most businesses will have security cameras, but the chances of them getting caught is incredibly high.
The chance and the prize at the end, the booty, the reason for them spending all this time and effort making these big plans is so high. It's not worth the prize at the end. And that's what security I think is all about. Anyone that wants to get into anywhere will work out a way to do it if they have enough time, patience and the motive is high enough to get whatever the prize is at the end. But most people are not going to be too bothered because, there is so many steps that you have to take through. If someone had to break into my wifi or through my internet connection, to get into the VLAN, to then jumping and turn my fountain on. The amount of times to get to spend to do that well outweighs the advantages it's going to be for them in the end.
Alex Penrose: Yeah, I agree. Another thing to consider as well, you spoke about the physical versus the cyber breaking in. One thing to consider as well is, back in the old days when you broke into a bank, you had to have a truck, a major truck to carry all those bags of money. Right?
Joshua Lewis: Yeah.
Alex Penrose: But if you break in with the cyber method, you don't need any kind of big truck. You don't need any bags, you don't need any effort. It all fits on a little USB stick nowadays. So it's much easier to exfiltrate information via the cyber way. So I do agree. I think cyber is more important than the physical. Because, in the physical world, you've got physical guards, you've got your security cameras, but also it's incredibly difficult once you do have your loot as you say, you still need to walk away with it. And that can be a major problem. Whereas if you're in into a network, all you do is you download it to some Cloud provider and you're done. And once it's out, it's out as well. You can't stop it then.
Joshua Lewis: No, that's right. And then it's out in the dark web, people are buying new information. And that's a big thing that I think people have this misconception of what penetration testing is, and what hacking is. In where Frank Abagnale, who was famously put into a movie called Catch Me If You Can played by Leonardo DiCaprio fooled people to make everyone think that he was a pilot, and that he was a solicitor, and that he was a doctor and a bunch of other things. And what he was doing is social engineering, social hacking to be able to get into a spot that he's not meant to be. And penetration testing doesn't just stop at the wall of your internet service provider or with the security of your physical network.
If you were to ring up someone and you said, Oh hi, my name is X, Y, Z, and you've worked at this, they had this client name because they had a testimonial on their website or something like that. And then you said, Oh, I'm just double checking if our account's delinquent or if we're all up to scratch, because we're changing accounting systems or whatever story you feel like saying. And then all of a sudden, they're telling you the financial position of this other company. And then you're able to use that information and then slowly bite away and break into their network or break into accounts' information. So then use it on the flip side and potentially break into the network that you're pretending to be. And so what it's about I guess, is the way that you talk, and that comes down to the security of your staff and the training that they've had in how to deal with suspicious questions.
I rang up I'm not going to say which one of the big four banks it was, but I rang up one of the big four banks. I spoke as I'm standing right now. And I gave them my mother's details, her birthdate, full name and the address. And it was able to change around her mortgage on the phone sounding nothing, indifferent to what I sounded like right now. And I thought how bad is that? That I can answer three security questions and I could have been a stranger. I was doing it to help her out because she was at a season, needed to sort something out. But I could've done anything, and that would've absolutely caused a world of trouble for someone. I have written letters from mom to say that this is okay, and was ready to patch in on a three way call, but I thought, let's just try, I've already got permission from mom to say this and I was surprised at how easy it was.
Alex Penrose: Yeah, it is. And I think the two easiest ways to get into a company in terms of cyber is either via the help desk. And the reason for that is because, as you did with the bank, you were probably connected to a help desk. And as the name implies, it's a help desk. They're conditioned to help, right? So from the very first day they come into the organisation their performance is monitored and managed based on helping people. And the more happy people leave the help desk, the better the performance. Now if you're a hacker, you'd be extremely happy to get whatever passwords that you want. So that's what they're going to give you, right? Because as a hacker, you're asking for the password and they're going to give it to you. The only thing you need to do is you need to make sense.
So for instance, the help desk is one way to get in, the other way is the HR department. So human resources, and in order to make sense what you would do is, you might wait for some kind of position to open up at that company. And the HR department would then at that point expect PDF documents or word documents to come in with people's resumes, and it makes sense to them. So they will open them without thinking usually. Because, well that job interview did co ads, I'm expecting a document. Because I'm expecting a document, I'm going to open it without thinking twice. And it's really easy at that point from a hacker's perspective to have some kind of malicious code in your resume-
Joshua Lewis: An old version of Adobe reader or something like that and bang, they're in.
Alex Penrose: Oh yeah, absolutely. And all you need to put in there, you put a message saying, in order to view this message, you need to download this programme. And then off they go, they download the programme. Because again, they're conditioned to do this, this is their job, to open these PDFs, to read the contents and to process these applicants. So you got to play to that weakness in a way of those departments. But definitely, help desk, HR department very easy to get in via that way as long as you are believable, and as long as you do it in a way that they expect you to act. So don't send a PDF with the resume saying, Oh yeah, I saw this job for blah and actually the job doesn't exist. You need to make sure it probably exists, it's listed and that's within the timeframe as well. And that they want to open the document. You need them to want to do something.
Joshua Lewis: Yup. And that's as easy as creating an anonymous account on LinkedIn and double checking when they're putting up posts for a new job. And that's where the biggest vulnerability ... Or I'd like your opinion on this, the biggest vulnerability though in my opinion is your staff. Your staff are by far the biggest gateway to bring people into your network, and to bring unwanted nasties and IP and other integral documents of your business outside of your network.
Alex Penrose: Yup. I agree. Staff is behind 50% of all the access. I saw a number a few years ago, it was 50% that they are behind it. This is insiders. So you might've stopped doing accidental things but you might also have malicious staff doing malicious things. So you've got to consider both those approaches. Not all your staff is happy to work for your company. And some staff might be enticed by a few thousand dollars that they could grab if you gave them the opportunity. So you've got to remove that opportunity. And you've got to expect your staff to do something like that. So you've got to monitor your staff in that respect. Both for accidental things, but also for malicious things. And actually most stuff would be accidental, opening a PDF in the HR department is something that they're expected to do, but they accidentally compromise your security for doing that.
Joshua Lewis: We use a tool for monitoring our staff as well, there's a tool that we use for our clients called ObserveIT.
Alex Penrose: Yes, you've got to use some kind of a tool to monitor what people are doing. And you would have read in the news that a few QPS employees were indicted looking up people in the system that they shouldn't have looked up. They didn't have any reason to look that up. This is all public news. And they were indicted for that. So I think there's two or three cases of coppers abusing their position to get into the backend system. And you need to take into consideration that a big organisation like the police or like education, they have tens or even hundreds of thousands of people working for them. And some volunteers as well, right? The Queensland Volunteers, education volunteers, health volunteers. And they get more privileges than the public. So you got to monitor them somehow and whatever monitoring system you use, whether it's ObserveIT or something else or ...
There's various solutions for that. You've got to monitor your staff, but you can't monitor every staff all the time. So usually, you'll have some kind of trigger going off and you would use some kind of screen recording software to then check what actually happened. Was it just accidental? Because someone could accidentally double click on a programme and open it up private. It does happen. It's happened for me as well. Where you open up the word document, it just double clicks. The mouse might have double clicked by accident and it does happen. So that's completely different than someone opening the tool, specifically searching for a particular person that they might know, and then finding out some details that they're not supposed to know. So there's a difference as well. And to differentiate between accidental and malicious that's where your screen recording software comes in. So I'm not sure if they use ObserveIT or not, it might be something else. But yeah.
Joshua Lewis: I was just going to say anyone listening out there in the podcast world ObserveIT is just a tool that lets you audit what your staff are doing, or what a network is doing. Gives you text data so can see if they're opening out notepad or Firefox or Google Chrome or something that they wouldn't have normally opened up. And then also lets you see suspicious login activity. So if your receptionist for whatever reason logged in at 2:30 in the morning for half an hour and that wouldn't be what her normal process would have been. It will then create an alert, and send that off so that you can then monitor and work out more accurately what your staff is doing. So it's good that we both know what we were talking about, anyone else don't know what we're doing.
Joshua Lewis: So above and beyond putting that sort of software in, there's obviously tools like Nmap or Wireshark and things like that. So Nmap lets you scan over a network and monitor what new devices might've appeared. And then Wireshark depending on how you have it set up, lets you intercept and then see the type of information that's being transmitted. Now these tools are only just a couple of free tools that imagine you would have in the plethora of tools that you would use to go and work out vulnerabilities in a network. And then once you've gone through, say an Internet of Things device and you've accessed it, and how you can actually work out the goodies on the other side. What other tools do you use?
Alex Penrose: I like to categorise the tools that I use. I use a plethora of tools, hundreds of tools. And I also write my own tools as well. I'll write most of tools in a programming language called Python. But I also write it and see whatever's needed. If I need a fast programme, I might write in C or C++, if I need a programme really quickly, I might write it in Python. I like to categorise the applications passive, which means you already raised Y shock. You can passively tap the network and listen to the network, you won't get detected doing that. It's basically having like a microphone on the network which records everything that goes over the network. And you might pick up passwords, you might pick up network protocols that should not be enabled or which you might be able to abuse. So I would say that would be the one category.
The passive reconnaissance. Then you've got your active reconnaissance tools Nmap would be one of those. So, Nmap is a port scanner with some additional functionality that is able to recognise certain protocols and certain services that run on a particular computer. So you might be able to detect not only that there is a web server listening on a particular network port, but also what type of web server that is. It might be an Apache web server, it might be a Microsoft IIS server, it might be whatever the make of that web server is. And sometimes, even the version of the web server as well. And all that information allows you to then research to find vulnerabilities. And one of the tools that I like to use for finding vulnerabilities is a Kali tool, which is Searchsploits
So there is a distribution, a Linux distribution or Linux operating system that you can download for free on the internet. It is called Kali, K-A-L-I. And Kali is preloaded with a lot of different tools on it. And one of those tools is Searchsploits. So you can type Searchsploit in the Kali prompt, and then space, and then puts an Apache in there, and that will list you all the available public exploits for Apache web server. So if you find a particular vulnerable Apache servers, say whatever version number and you use Searchsploit, it might give you the exploit ready-made and you can just run the exploit right there.
Obviously, there's another tool called Metasploit, which does a very similar thing. Metasploit automates that hacking process to a certain extent. It allows a hacker or a pen tester to break into the system using known exploits, and then instal a backdoor automatically on the server that was compromised or the IoT device that was compromised. And the backdoor, not everyone will know what that is. It is effectively a piece of software that allows you to easily get back into the system at a later date. So like a Trojan horse kind of thing.
Joshua Lewis: Well, I guess the way that I would describe it, a general network is imagine you've got a unit complex, and there's one big gate at the front. You could call that your router, and then all these little things inside the unit complex, all these little units, could all be different devices. And if you're able to grab the key to one of these units, that means you're able to get through all those different ... The front as you said, you have a backdoor created, it means that the more devices you have on your network, the more chance of vulnerability things are being looked at, and actively patched. And using one of the Internet of Things devices or any known patchy server or web server or anything like that could then mean that you gain access to absolutely everything for a later stage. So, that's kind of the way I sort of normally think about it. If you've got lots of doors into a building, and you just have one door that you leave open a lot of the time, they're not going to go and check that.
Alex Penrose: Yeah, that's true. It's a good comparison actually to how it really works. You try and find an open door or a door that is ajar and you get in. And then once you're in, and you are at a particular security level on that system, it is then very, very difficult to first of all detect that person. And to get rid of it is difficult as well. So there is a thing in cyber security which we call a privilege escalation. So as a normal user on the computer, you typically have low privileges. Which means that you can't instal programmes. For instance, especially in managed environments like big government organisations or banks, employees are generally not allowed to instal programmes. And the reason for that is that, if you do instal a programme that is a back door then that's installed in your system and you need to provide access to a hacker remotely. So generally speaking, people have low privileged accounts, normal user accounts. And what you want to do as a hacker is, you want to try and get access to administrative accounts or a high privileged user.
So the process of hacking into a company is to first get access to a low privilege account on a PC. For instance, using the HR department trick or the help desk trick you might get access to a PC. You get what we call a remote shell which allows you to enter commands on a desktop. And the next step would then be to try and elevate those privileges to an administrative account on that PC. And that is usually fairly easy to do on the Windows and Linux machines. There will always be some kind of vulnerability on the PCs that aren't specifically hardened, especially the PCs that haven't been updated. If the automatic updates on windows have not been enabled, you can be almost certain to find some kind of vulnerability in that system. There was a test done at one point. Some university did a test, they put an unpatched or unupdated system on the internet and they checked how long it would take for that machine to be compromised. And this is back in 2015 so I'm sure that nowadays it's even faster. But in 2015, it took four minutes for a device to be connected to the internet for it to be fully compromised and added to a botnet.
Joshua Lewis: All right. That's quick, isn't it? And that that goes, should I say the severity of security and how much more important it has become even over the last years?
Alex Penrose: Yes. And the importance of running automatic updates. I understand that large organisations don't want to enable automatic updates. They don't want to disrupt the business. And security is always a concentration between usability and security. But I believe that not enabling automatic updates is probably one of the bigger issues in metrics being compromised nowadays. So, one of the things I always advise is, enable automatic updates on everything. On your web servers, on your user fronting servers, VPN servers, routers, everything. Just automatically update that thing. And don't wait a day, don't even wait half a day. Because one of the things that hackers do is, they run daily scans of the internet. And when I say the internet, I mean the whole internet.
So they've got what's called a botnets which is a network of compromise machines. And these might be very big. You might have 10,000 computers that have been compromised, that have been added to these botnets. And the botnet can be operated from one central location, from one central server, one computer effectively will then manage all those 10,000 compromised machines. And you can give those compromised machines orders. You can tell them to do certain things. And one of the things that hackers do is, they take scans of the internet Nmap scans specifically, to find services and service versions.
So they might find that your organisation might run a WordPress site and it runs WordPress 5.7 or whatever the version is. They will add that knowledge into it's database. So there are hacker groups that just do that. They scan the internet every 24 hours, the whole internet, and they add your WordPress sites with the version number to that database every time. Now, when a public exploit then comes out ... and an exploit is something that exploits a vulnerability. If an exploit comes out and they find that's odd as an exploit for WordPress 5.7, I'm not sure if WordPress 5.7 exists. Might be a different version number. But let's assume that it does exist and that you are running that on your-
Joshua Lewis: It doesn't yet.
Alex Penrose: Yeah. Well there you go. And so the hackers know, as the public exploit comes out for that version ... They know the IP addresses or the locations of all the vulnerable machines on the internet. So it doesn't take them weeks to find your server. They already have that information. They already have it in a database. So as soon as the exploit comes out, what they will do is, they will run that exploit against your database to those IP addresses that they know to be vulnerable. And bomb suddenly they got another thousand nodes, a thousand robots in their botnet. So that's how things happen nowadays. So you can't wait even hours anymore after a public exploits comes out. You have to run automatic updates. If you don't run automatic updates, you will at some point get owned. That's just the way it is. Especially on your web servers, they're extremely vulnerable.
Joshua Lewis: Absolutely. And then when you have services like WordPress, you kind of hope that there's no vulnerabilities that come out. But given it's all open source, if there's anyone that's a bit tricky, they may find a vulnerability and then not release it to the public. Like there was the Heartbleed attacks a couple of years ago that had been seen to have been patched on the Google servers years before it was released as public knowledge. And-
Alex Penrose: Yeah.
Joshua Lewis: Again, that's a bit sass. Was Google using that as they were aware of the vulnerability and doing something about that? Or were they just a bit sass in my opinion? But, the best thing you can do ... I guess the take home would be, if you're a small business and you don't want to have any downtime, which is what hacking is going to create, is make sure you keep things up to date, secure, and have an active backup that's not connected to the same physical network. Would there be any other tips that you would give to make sure that they can stay protected in this ever worrisome world?
Alex Penrose: Backups. That's the only thing you can really do. The thing that you were talking about there was, we call them Zero-days in the cyber world. So they're effectively vulnerabilities that have not been released, that are not public knowledge. But the chance of getting hit by one of those things if you're a fairly small business here in Australia is extremely low, and this comes down to your risk appetite again. Are you going to worry about being owned by a Zero-day? I personally run WordPress on my website. So jollyfrogs.com is a WordPress site. I do automatically update everything. I don't care if it goes down for five minutes, I'll shut the website's offline for a bit. If I want it to be 100% available, I'll run a second one and I'll run the patching five minutes apart.
Oh, sorry. I touched my microphone there. So I'll still have 100% uptime, but I don't even care about that I just want to update. But I'm aware as someone who has a Zero-day against the particular WordPress site that I'm using, they could break into the website. But then again, there isn't very much on there. The only damage that would be done is, someone could what's called defacing the website and could put some nasty things on the front page. But it will be obvious that'll be taken, but I don't really care about that. It's a risk I'm willing to take and I think everyone else should consider that as well. Unless you're the NSA or the FBI, the CIA or some major international organisation that works on defence contracts.
Zero-days they're not really used that much because there is always a chance that if you use your Zero-day that it'll be found out. And then your Zero-day's gone because they'll be patched. So they're very valuable for hackers to have Zero-days and most hackers would have one or two Zero-days that they don't disclose. Because it helps with pen testing. And so you don't disclose everything. But you do disclose some of the things I would say. But yeah, you can't really worry about those kinds of things I would say.
So you ask what other things can people do? Definitely backups, have backups and make sure your backups are not connected to the network. So that if something happens, you can always restore it and practise your restoring process. Don't just have backup. Because I worked for a company a long time ago and they had a backup system that they never checked, they made the backups and they made it on what's called a tape, which nowadays is old fashioned technology of course. But a lot of companies still use tapes. And they're magnetic tapes, and they never actually checked them. So they ran them for years and years and years, and eventually they would fade in their effectiveness.
And when there was an incident at this particular organisation, we had to restore something. And that's when they found out the restore process didn't work. So the backups that they had were useless. Luckily, it was only one small system that wasn't too important. But it immediately sparked replacing the whole backup process and also testing your backup. So don't just make the backups, also test your backups as well. And that'll allow you to restore your things much quicker. If something does go wrong, you'll have all your processes ready and you can usually be online within an hour.
Joshua Lewis: Yeah. If you've got active backups, you've got verification on your backups and UI. As you said, you're going into a mode of let's do a test when it's an available time for the business as opposed to in the middle of their busiest weeks. Which let's be honest, is the only time things really break. It gives you then the ability to get, "Okay, we're having some downtime, a three day weekend or something's coming up. Let's restore everything on current hardware and see what happens, see what breaks, see what doesn't." And it gives you the ability to see if it was going to work hopefully when you don't have a catastrophic event. But hopefully if you did have a catastrophic event, you then know that you're going to be protected. We were very lucky that ... well not lucky I guess prior planning prevents piss poor performance.
Alex Penrose: That's it. That's the piss perfomance.
Joshua Lewis: And when the Brisbane floods came through a number of years ago, we had clients that were evacuated from Brisbane, and they had their backups that were offsite. And as soon as they were able to be at the offsite location, we were able to restore their servers, workstations, and everything to a workable state. And that meant that they were down as you said hours, not days or weeks. Where their office wasn't going to be manageable, ended up being in two foot of water where they were and everything was covered. So it was replaced everything. I was going to say hilariously, not hilarious really.
But two years later, they've moved buildings and they said, ah, we're never going to have a problem with the floods. Two months later the roof collapsed in, in the middle of the storm and everything was in a foot of water. But part of the times they had backup, and so they were all back up and running. And you don't know when these things are going to happen. And just for small business, I think it's more important than ever to have backup because you can't afford to have ... If you have a work workforce of 10 or 20 staff and all of them are sitting there doing nothing, you don't have the cash flow that cash buffer to be able to be paying them all while everything is being recreated, as opposed to just being restored.
Alex Penrose: Yeah, absolutely. Backups are probably at the top of the list. There's some other things that I would advise people to do. The other thing that's probably as important as backups is, to use some kind of a security proxy in front of your web server so-
Joshua Lewis: Like CloudFlare?
Alex Penrose: Yeah like CloudFlare for instance. So the way it works is instead of web browsers, web users going directly to your website, they'll instead go through this security service like CloudFlare, you mentioned it just now. There's a few other ones out there as well. They're very cheap by the way. They cost almost nothing but $29 a month or something or a year even, I don't know. It's really cheap. It's something that doesn't cost a lot of money. And what these proxy services do is, they sit in between the end user on the internet and your web server.
So even if your web server has a vulnerability, say in WordPress, and some hacker's trying to exploit that vulnerability, the proxy security service will pick up on that and actually block that request. So your web servers vulnerable, but your proxy security provider will actually save you from being compromised. So that's a really important thing to do as well. And it's cheap. They know that these are not expensive services and they offer additional services as well like speeding up the content delivery of your website to the users in different countries. So definitely look at CloudFlare or some other kind of provider in terms of security proxy services.
Joshua Lewis: Yeah, I couldn't agree more. That's very good advice, CloudFlare. These attacks called DDoS attacks or these denial-of-service attacks where these bots, like you were talking about will just go and smash your server with 10,000 requests a second or something ridiculous. And these services such as CloudFlare allow for you to overcome that problem because it goes, "Hmm, that's odd, you're getting a lot of traffic from Turkey at the moment or a lot of traffic from some that you wouldn't normally get. All seems a bit weird." And then protects it and blocks it out and has them go through typing one of those annoying codes that no one likes, that robots seem to have a big issue with, the CaptureCodes.
Alex Penrose: That's the ones, Yes. And those security proxy services are getting smarter by the day. They are actually using what's called artificial intelligence to learn what your web server normally is exposed to. So normally you get 90% of your customers out of Australia for instance, and only 10% out of the US and suddenly you start to get 99% of your requests starting to come out of Russia or China or the UK or wherever. And that's not normal. And then the security proxy will go "Actually, well, let's have a look at what that is. And based on AI we'll then make a decision." Say, "Hey, hold on a minute. This is actually an attack happening because this is not what we've seen the last year on average."
So they're really smart. So don't underestimate them. They're very cheap for what they provide in terms of security. And that'll provide your front end, your web server, which is really important. Because if your web server gets compromised as a business, and someone puts the Iranian flag on there with ISIS stuff and whatever. That's not something that you want on your website, or worse, illegal materials, illegal content. They could put all kinds of things on your web server and if you get caught with that on your web server, you're in deep trouble, legal trouble at that point. So you really want your web server to be very secure. So put that in front of CloudFlare or similar kind of service and you'll be sleeping a lot better.
So the other thing that I'm recommending as well is, use the Cloud more. The Cloud is actually really secure if you do it properly. Cloud services, Cloud web servers, everything is all monitored. And you can automatically update that without having any downtime whatsoever. Everything is automatically backed up for you in three physical stores, locations if you want that to happen. Everything's kept up to date. So you kind of remove the human element a little bit from the maintenance aspects if you use Cloud. And the human element like you said, that's one of the biggest elements in terms of security issues, it's the human element. So if you can remove that by going Cloud, that's actually a good thing.
Now you do need to use the Cloud very securely. There are ... I would definitely advise doing a training. So Microsoft offers one, Amazon offers a training as well. If you purchase a contract with the Cloud, they might even offer you something for free. Who knows. So that's something that I definitely advise doing. Get a training, don't just go into the Cloud without having had training because, you'll end up on the front page. Because, you've left a particular what they call buckets with information exposed to the internet. And that's really bad because, once it's ... everything in the Cloud is on the internet, right? So you need to lock that down.
So before you put it in the Cloud, get some training. Usually it is three or five days with training for your IT staff. And then consider getting stuff into the Cloud. Because it is ultimately if done properly very secure. More secure, I would say than most organisations I have to manage. Because a lot of the aspects of security are actually managed by a company that does a really good job of doing security, whether that's Microsoft or Amazon or Google or some other provider of Cloud services. They cannot be seen as not doing security because, if one of their servers ever gets hacked, it'll hurt their business too much. So they invest a lot of money into security. So that's the third piece of advice there.
And then the fourth one which is a really good one as well I think. Personal security, use a password database.
Joshua Lewis: Yup LastPass.
Alex Penrose: Yeah, LastPass is a good one. KeePass is the one I personally use because it's offline.
Joshua Lewis: Really good.
Alex Penrose: LastPass is really good yeah. There's a lot of really good ones out there. Just have a look at the history. Just Google, "Has LastPass ever been hacked? Has KeePass ever been hacked?" Whatever, just get some information. Don't just go with a random password provider if they have ever been hacked in the last few years. And I would suggest not going with those particular ones. But LastPass is a really good one, KeePass is a really good one as well. And the benefit of using that, is that you don't reuse passwords because by now most people would have hundreds of websites with a council there.
You might just go shopping for shoes and you need an account on there. You might go shopping for motorcycle parts and you need an account on there. You have an account on eBay, you have an account on Facebook, Google, Gmail, Hotmail various accounts. So it's very easy to get to more than a hundred accounts. And a human brain, typical human brain is not able to remember all those passwords. So what people start doing is, they start reusing the same password and the same user ready for the various ... for their work but also for the personal accounts.
So if one of those accounts then gets hacked, and people are able to find your username and your password in one service, then it might be able to break into your work, or your VPN account, or your web server because you use the same account details there. Now this can be overcome with a password database. So the way that I use password is, just every single account that I have is a unique generated 30 plus character password that is generated by KeePass. If someone were to try and get the password from me for a particular website, I could not give it to them. They could torture me, I could simply not give it to them because I do not know my passwords. They are automatically generated in a password database and they are stored there. Sorry, you wanted to say something?
Joshua Lewis: No. I was going to say ... what you're saying is ... what's the term that hackers use when they find out one password and then go and hook into other accounts? Because it's if someone has reversing-
Alex Penrose: I think you're looking for Natural Movement maybe so-
Joshua Lewis: It's like my fitness pal accounts were broken into only recently, where they've got millions and millions of passwords. If you use that same password for LinkedIn they're in your LinkedIn, but as you said, if you use a Password database manager, they're not.
Alex Penrose: Yeah, password reuse. You have password reuse. And the way that, if you use a password on one side and you use it on the other as well, you can basically possibly reuse. You can reuse it in another service as well. And this is actually a big issue because, you can go to a particular website. I can't remember the name. It's a guy in the Gold Coast who manages that. You might know the website.
Joshua Lewis: Yeah, I do.
Alex Penrose: Have I Been Pwned.
Joshua Lewis: Yeah that's it.
Alex Penrose: That's the one. And you can actually look up your email address to see if your password has ever been exposed anywhere. And if your password ... and this is some something I'd advise everyone doing just check your work email and check your personal email to see if that email address has ever been compromised. Because if it was compromised, I would start changing passwords really quickly if you have been reusing the same password. So this again, if you use a password database, you only need to change that one password that was compromised, not all your passwords.
Joshua Lewis: It makes it so easier, and especially if using say a password database as well as with as many services as possible. Two factor authentication and ...
Alex Penrose: Yes, two factor authentication very, very important. I would advise using two factor authentication on most important administrative accounts at your workplace. So if you manage a firewall, definitely have ... because that's one of the key security devices in your network. Use two factor authentication at work, but also personal. For your Facebook or for your LinkedIn use two factor authentication, unless you don't care about your account being compromised. In which case, it comes down to risk assessment, isn't it? Do I care about this account being compromised? Do I care about this shoe shopping account that I have that I created 10 years ago? I never shop for shoes there anymore. As long as I don't have any financial details, link there, personal details, you might just think, Oh, actually I don't really care if they get compromised or not. I'll just put a really hot password on it, save it in my KeePass and never actually look back.
The other benefit of KeePass is that it automatically enters your passwords for you. So if you go to a website, you don't need to type your password anymore, it does it for you. So you go to a website, then you're automatically logged in, in a secure way. So that's another benefit of using KeePass. So it's not just more secure. It is also more user friendly and that's how I was able to sell it to some businesses. You start using it ... once you use it. It's really good.
Joshua Lewis: People don't want to remember their passwords as you said. They have too many things to remember. Too many other things that are going through their mind and it's unnatural to remember what can end up looking like a 30 long character string of hieroglyphics. So it's sensible to me and it should look like that. I'm not saying don't use your mother's maiden name, zero, exclamation mark or the word password with an exclamation mark that is not secure. That is-
Alex Penrose: That's it, it's one password. Password one most common passwords.
Joshua Lewis: One of the best passwords that I had someone come to me with and they said, Oh yeah, I believe to log into my computer, the password ... I said, well what's your password? He said, what password? And I said, you pop up your computer is what password? And the guy's, "It's what password? Capital W capital P. What password is the password. And I was "All right, that is terrible."
Alex Penrose: Yeah. Well if you can't use a password database for whatever reason, the most secure way in terms of making it as unbreakable as you can ... Nothing is unbreakable given enough time of course. But use full words put together even in low capitals, it doesn't matter. So horse, bank, suitcase, school, four random words put together is incredibly difficult for a computer to break, but incredibly easy for a person to remember. So, if you absolutely cannot or don't want to use password databases, then use full words together. Random ones.
Joshua Lewis: And you can make those words something easy enough to remember. Like your name Alex. You could have the word apple, elephants, Lima, xenon, or something like that. And it would be easy enough to remember it's your name, Alex. But it's your words and incredibly beautiful.
Alex Penrose: And from a computer perspective, it would take millions or billions of years to crack such a password like that. It would be unfeasible in terms of time to crack, something like that. But from a human perspective, still fairly easy to remember. So don't try and remember the really difficult passwords with all kinds of things in it. Make it long and make them just normal words, and put together four words or five words and you're good. Very difficult to break that.
If people make good backups and they use password database, they use CloudFlare, use Cloud services. I really do believe that Cloud services are more secure than most networks in Australia. Because of that focus on security, right? These Amazons and Microsofts, they employ some of the biggest brains and security in the world to work for them. So I think that's a really good thing to do as well. So I think we covered a lot of the simple do's and don'ts of security.
Joshua Lewis: Cool. Well, Alex, it's been lovely speaking with you and I really appreciate you coming on the show and going through some of the different dos and do-nots for security, giving a few different tips there. And if anyone is looking to get more advice or maybe even get their network tested out, jollyfrogs.com would be somewhere to be checking out to start off with and having a late through and jump through some of the different potential vulnerabilities you have in your network.
Alex Penrose: Yeah, absolutely. And for training as well. OECP, OSCE kind of preparation trainings or Assembly or Exploit Development. Send me an email and I can give you some training.
Joshua Lewis: Cool. Well is there anything that you'd like to go through before we finish off?
Alex Penrose: No. I think that's it.
Joshua Lewis: Thank you very much for your time.
Alex Penrose: Thank you for having me.
Alex Penrose: Thank you very much.
Joshua Lewis: Thanks. Bye.