Hey, everyone.
Just wanted to let you know about our new video on cybersecurity.
We got to check out a cybersecurity control center, so that's where they screen for massive
worldwide cyber attacks.
We also got to speak to a bunch of hackers, and actually see a hack happen live.
But before we get into that, we wanted to share some of our previous videos on cybersecurity
from some experts in the field.
So this episode originally aired on August 4, 2016.
Hope you enjoy, and remember to also check at RealVision.com to watch the new season
of Discoveries, where we dive into the implications of the internet of things.
That's everything from smart thermostats to internet connected cars and Wi-Fi coffee makers.
It's definitely something you don't want to miss.
So make sure to sign up for your 14 day free trial.
You know, cybersecurity has really become mainstream today.
There's a lot of buzzwords out there that are making it in news publications, the internet,
social media.
And I think that a lot of people don't understand what cybersecurity really means.
There's a lot of terminology, there's a lot of vernacular that's coming out that really
is confusing to senior management, to boards of directors, to executives of companies.
And it's causing a lot of confusion in the space, as far as what they need to do, how
they need to protect themselves.
And there's people like myself that are here to translate what the global cybersecurity
threats are.
As computers and technology have evolved from simple desktop computers to very simple operating
systems, you know, the attack vectors, which is the way the bad actors are looking to get
into the systems, was very simple.
So we were using modems, you know, floppy disks.
Very little storage, bandwidth was not there.
So they were very limited as to what they could do.
As bandwidth has increased, operating systems have got more sophisticated.
Mobile devices, IoT, or the internet of things, where everything is connected through the
advent of the internet.
Email, big, large databases, online shopping, things of that nature.
There's become a number of different vectors or subterfuges where vulnerabilities exist.
And that has proliferated significantly into how we conduct our business.
Again, online shopping, online banking, different types of transactions, the information sharing,
health care, the legal profession, manufacturing, supply chain, all of that is connected.
And it's everybody's information out on the internet, or passing through the internet,
that becomes vulnerable.
Yeah, security today is really, in my opinion, we sacrifice security for convenience and
a very exciting user experience.
So what I mean by that is, when we install applications, most people don't really look
at the questions that are asked before the installation.
So it's can I have access to your contact list, can I have access to your microphone,
can I have access to your email, things of that nature.
So we accept those things in order to have that user experience, so when we're walking
in New York City and we're walking by a specific restaurant, we'll get an email for a specific
advertisement that says there's a special going on at a certain venue.
You know, those are things that are becoming more intrusive in our lives, and those are
things that we accept.
And what's happening is the bad actors are exploiting those types of applications and
exploiting that information, and they're getting geolocation and they're getting our privacy
information, and they're learning more about who we are in order to provide methods of
attacks so that we click on certain things and install, surreptitiously, software that
then controls or steals information from us.
The younger generations, there's, you know, vanity.
The way we look at vanity today is you'll get a simple text message saying that you've
won an iPad or you've won an iPhone, click this link to redeem your prize.
And most people will click on that.
Our research shows that 62% of people will click on bad links or malicious links or links
from people that they don't know who they're from.
And it's the curiosity.
It's I've really won something, someone really cares.
And you know, if it's written well, you know, people will fall for that.
And they think it's harmless because I'm clicking on a link, what does that really mean, how
does that really hurt me.
If I didn't really win, who cares.
But what's really happening on the back end of that is there's people that are looking
to install something.
They want you to visit that site so that they can slip something into your phone, and then
ultimately into your email, and then kind of intrude on your private life.
You know, steal passwords, things of that nature.
And that's on a very individual scale.
And you know, if they can mass produce that to hundreds and thousands of people, 62%,
the rate of return is pretty good.
The cybersecurity threat landscape is education and training and awareness.
And that's something that we provide as part of our firm, is that cybersecurity education
and training.
It's very important because it starts with the human.
If you don't educate your user base or individuals on spotting a piece of malware or spotting
a piece of fake email from someone that doesn't quite look like it's from the person that's
really sending it, trash it.
They're just electrons.
If it's really something important, they'll send it again.
One of the big mistakes that companies make is there is a disconnect between executive
management, so board level, and the IT and security department who are trying to-- they're
there on the front lines.
And there's budgetary constraints, there's the translation of what really that the organization
needs, there's risk is not translated or assessed properly.
And it's really an educational gap.
And you know, organizations typically do what they can do.
A lot of times, they're left with what they can fight with, and what they can defend with.
It's not always what they want, it's what they get.
And to truly assess that risk is very important.
And that has to be translated all the way up to the board level.
And we're not seeing that.
We're just starting to see that, where boards of directors, CEOs, CFOs are starting to have
to know what those risks are in cybersecurity.
Many years ago, they didn't want to know.
Now, it's a duty that they have that they need to know what's going on.
The next level in state-sponsored type attacks is very sophisticated.
You have many countries participating in the cyber war.
The Eastern Bloc, China, Russia, Pakistan, even the United States participates in the
cyber warfare that's going on.
And different levels of skill are present in different organizations and different countries,
but their common goal is to gather as much information as they can on the adversary or
on a specific country.
And their attacks are very motivated, they're very focused, and they're very sophisticated,
and they're very hard to thwart.
The possibility of cyber attacks on our critical infrastructure are very real.
The threat is very real.
We have, certainly in the United States and in other countries, critical infrastructure
is aging.
And it's become a problem where cyber attackers or bad actors or even state-sponsored attackers
are interrogating those systems, and are able to either shut them down or able to get in
and take control of specific systems.
Those systems, some of them run on proprietary systems and some of them run on very common
operating systems.
So it's really a combination of both.
And they're connected to the network.
They're connected to the internet.
So there's exposure either way.
If you had a persistent state-sponsored hacker or organization, state-sponsored organization,
that was interested in doing that, in shutting down a country, the first thing you would
attack would be the critical infrastructure components-- power, water, financial.
Those are main critical systems of-- transportation.
All of those are connected, and those are the critical components of critical infrastructure
that they would attack.
There are so many cyber attacks today that they come and go.
So the particular attack on the Bank of Bangladesh, which involved the SWIFT network, which is
an intermediary third party that helps with the banks in transferring international money,
was exposed.
So there was a specific cyber attack against the SWIFT network, in which bad actors were
able to siphon-- I believe was $81 million out of the bank.
And through our research that we did, we predicted that this wasn't the end.
And sure enough, two weeks later, you have half a dozen banks, 10 banks that were affected
by the same network, because the SWIFT network is connected to all the banks.
And as a result, the SWIFT network was the network that was compromised, that was then
getting into the other banks.
So look, it's Bank of Bangladesh today, it's, you know, large health care system tomorrow.
It's really just running very rampant.
And every day is something new.
Different variants of malware, different variants of viruses and trojans and different types
of attack vectors are becoming prevalent.
And the bad actors, they know what they're looking for.
And it's specific information that they can sell, they can use to exploit, and in many
cases they use to exploit and publish that information.
The phenomenon with something like Wikileaks, you know, I believe that fuels the cyber attacks
because what they're doing is, you know, they're exposing information regarding sources and
methods that have been used in the past by organizations or governments of all kinds.
And you know, it becomes a recipe book, or a playbook for the bad actors to then exploit
those types of vulnerabilities, or attack those specific sources and methods that were
being used.
And in many cases, it can dismantle operations that have been happening in specific governments
and organizations.
So it's more of an exposure of those types of things that are then used by the bad actors,
whether they're out for financial gain or they're out for just, you know, defacement
or, as we call it, hacktivism, which is more of an ideology.
So it really perpetuates and fuels that specific opposition.
The most common threat we see today is probably it comes in a couple different forms.
One of them is what's called phishing, which is when it's more or less a social engineering
or an email type campaign, where mass amounts of email are sent to organizations masquerading
as specific people or as a specific outreach for something that users will click on a specific
link, a specific attachment, and then that launches a campaign or a malware type attack
on the inside of an organization that then allows the bad actors to phone home and then
to create back doors into an organization.
So you know, there's so many different things to protect in an organization.
It's not about the perimeter anymore.
It used to be just let's get a firewall, we're OK, everything's good.
We're going to lock the front door.
It's not the case anymore, because there's so many different angles that we have to protect.
And we have to be right 100% of the time.
The bad actors, you know, can get lucky.
So that's one of the main areas that we see today, phishing.
It's definitely on the rise.
It comes through email.
It's hard to detect.
And that's one major way.
You know, social engineering, which is more of a non-technical method that's being used
today, we as humans want to help.
We want to be helpful to people.
And you know, the hackers are looking at creative ways to have people divulge specific pieces
of information.
And they're connecting the dots.
And as they do that, they get little pieces of information.
They make something appear legitimate.
And it's really a 24/7 campaign for them.
You know, I was an avid, die-hard PC user, and then went cold turkey many years ago and
switched to a Mac.
That used to be the case.
You know, Mac was perceived as being more secure because the market share was only 10,
15%.
And Microsoft, you know, owned the market.
So like anything, you're going to go for the big picture.
You're going to go for the touchdown.
And the best place to get the most bang for your buck was to exploit, you know, Microsoft
systems.
You know, 90% of organizations run on a Microsoft platform.
That's changed.
You know, they're running more on Linux operating systems and open source systems, Macs, you
know, those types of things.
So the paradigm is shifting where we're starting to see specific exploits and vulnerabilities
in, you know, the Apple iOS and Mac and those types of devices from that manufacturer.
So the tides are shifting, although you know Microsoft still has the majority of the market
share, so it's still a very, very large target because they can attack the masses.
As far as Macs being safer, I think that they are probably less picked on.
So there are probably less attack vectors toward a Mac.
But again, as the paradigm shifts, you know, it's not about the Macintosh anymore, or Apple
anymore, or the iOS.
It's let's attack through the email system, right?
It gets a link or a PDF attachment in which they're attacking-- now they're not attacking
Apple anymore, they're attacking another vendor, like Adobe, or going to a third-party website
to download something in your Chrome browser or your Firefox browser.
So many, many different subterfuges, many, many different layers of access here.
And you're talking about it's a smaller population of hackers, but again, they know the types
of systems that people are using, and they use that to their advantage.
I think, back to your initial question about cybersecurity, again, I think awareness is
very important.
I think it's important to convey that the threat is real, and that there are bad actors
out there looking to destroy, disrupt, or exploit data.
I think reputational risk is going to become something very, very serious, as it is currently
today, but it's going to get more serious as it relates to an organization's reputation,
as an individual reputation.
The ability to conduct yourself on the internet in an anonymous fashion I think is a very
serious issue today.
The ability to put something out on the internet that's not true, whether it be about an organization,
about an individual, I think is only going to become more prevalent.
And it's a real problem.
It's going to become an epidemic.
And the internet is full of good things and it's full of garbage.
We need to be more prudent about what we're looking at, and what's real and what's not,
because it's very hard to tell today.
Cyberbullying is a real problem today, as well.
And we see that.
And as part of our organization, we've taken up, you know, that as a very important cause,
is cyberbullying and, you know, cyber crimes against children.
We take that very seriously.
It's going to become a big problem.
People need to be more vigilant about what they're looking at, what they click on.
You know, they say think before you click.
I think that's very important.
When you're surfing the internet, you know, not everything you read on the internet is
true.
And that's something that people need to take into consideration when they're looking up
things, looking at different things.
There's a lot of deception, there's a lot of untruth on the internet.
And part of it is unethical, unprofessional, and there needs to be some change in that
area.
Technology is changing so fast that it's very difficult for some people to keep up.
And as things change, people aren't changing with it.
And that causes problems.
That causes, you know, errors, that causes exploitation.
You know, just people can't keep up with the technology.
Không có nhận xét nào:
Đăng nhận xét