2/28/2024
WT Staff
brought to you by
CYBER101 TRAINING FOR CYBER-HYGIENE
WT Interview with Guillaume Bélanger, President of Exosource
WT: We have bureaus in Mexico, the United States and Canada. I think what we are going to discuss going forward here is really relevant to any country around the world, is that what you think as well?
Bélanger: Yes. I mean there are certainly cultural and professional differences in certain regions of the world, where the priorities might change, but if we are talking about western industrialized countries, especially North America and Western Europe, I think it's pretty much exactly the same thing, yes.
WT: There's been a fair number, I think in the ten to fifteen range, of water plants, wastewater plants across North America being breached by some sort of cyberattack. What would you suggest is the most important thing for water plant, wastewater plant operators to guard against around cyber security?
Bélanger: I am not a water plant security expert, nor am I a critical infrastructure security expert; I am assuming there are some specific to that industry, government and contractors. It starts with good general IT hygiene. Good governance doesn't need to be complicated, doesn't need to involve a lot of paper. Essentially you want to have people who are knowledgeable about what you own or use as IT resources, either hardware, networks, or applications. Where is your stuff and what happens if it gets attacked? When it comes to plants and critical infrastructure, of course the integrity and availability of the systems is what really matters the most. So, in terms of general good practices from a governance point of view, the people in charge essentially need to give the proper resources to their internal IT and security departments when they have one, so they can do their job. Basically, get a sense of what they own, where the risks are and what needs to get prioritized. If you don't know what you have, you don't know your risks, you can't manage them. So, it's not a question of necessarily having unlimited budgets, but it's basically knowing enough to make educated decisions. That's from the management side of things, which is where it starts.
User education is super important because everyone needs to be aware of the risk. Everybody is part of the chain, everybody is working on computers, these computers may link eventually to critical infrastructure, software or equipment, so everybody needs to be aware of the risk and needs to strengthen that chain so that you don't end up with very strong secure systems with very weak, untrained users that are giving access to those systems anyway.
WT: How would somebody leave themselves open by not even knowing what they are doing wrong? How do you get around that with people that need to know about cyber-security?
Bélanger: To me there are three types. The industrial components of course are specialized, but in general there are three types of people that need to be aware of different things. Everyone who is using the systems and has access to data or apps needs to be aware of the basics. That is, there are threats out there, and how these threats are carried out, and how as users they will be targeted, what are the means by which they are targeted, so they can recognize those attacks and hopefully thwart them.
Another portion of education would be targeted to your technical people in charge, so that they understand what their responsibilities are in protecting those environments proactively, so that they are able to reduce vulnerabilities and increase protections.
The third part of that education is management, the decision makers. They need to be educated to the fact this is not a luxury, this is an essential component of basic good management and defense. They must be aware that they need to get help externally sometimes, just to get a sense of where they stand, and make the right decisions. Basically, it takes an approach where you must educate every step on the ladder. It starts with the end users, and everyone is an end user, even the president of the company uses the systems and needs to be educated on how to not get caught on phishing attacks from malware.
WT: When you say phishing attacks and malware, can you give a description for our viewers on what that looks like?
Bélanger: Phishing attacks are a type of con, what you call social engineering in the jargon. These people convince you that they are a trusted party or trusted organization. The way they are going to do that is by email and text messages on your phone. The reason they do that is email is an awesome way to do fraud on an industrial scale, because if you are calling people and convincing them to do things they shouldn't, you have to call them one by one, it's a lot of work. If you are not from here, your accent will show. Emails are easily written and easily faked, you can send millions at the same time, so that is the primary vector. What that's going to look like, it might be a very obvious type of scam, it might look like a scam, poorly written, riddled with errors, broken links, which is obviously very spammy or fraudulent, but it can go to very specialized emails for your organization pretending to be people that you know. Sometimes they will just use a Gmail address they get for free, and they will spell out the name of the person they pretend to be writing from. Instead of receiving an email from your director of IT, you will get an email from someone with the same name from a different email address, everything will look legit, you have to be very careful, and you might click on some links in the email. They will try to get your password, that's the best way to get a grip on your system, to get your passwords for cloud services, Microsoft, for servers. Often, they will mimic Microsoft saying here is a file that's been shared with you, or something urgent, you really need to open it, it's coming from your management, asking for your password, something you are used to doing regularly. You type in your password, and you have just sent it to a criminal organization. You are not necessarily going to notice right away; when you type in your password and click send or OK, it does not just go "Ha ha! We got you!"
They are going to be doing this discreetly enough; they get into your system through your accesses, they might stay there for a while until someone figures it out, sometimes for months and years.
Phishing, the first objective of phishing for organizations and corporations is getting access to credentials, passwords. To a lesser extent to get you to deploy malware.
WT: Tell me what malware is in just a general sense. I realize there are full university degrees on this, I am just trying to get across to operators or people in the water-wastewater industry: what is malware?
Bélanger: Malware is programs built by criminal organizations or security research organizations, so there are legitimate uses, often for research purposes, but this is repurposed for criminal activities to give access to your systems to malicious individuals. If you run malware on your computer, it's not going to tell you, "Hey, you just ran malware". It's going to pretend to be legitimate software. Say you got a new computer, and you want to download Google Chrome because it's your favorite browser. You go on Google and type in "download google chrome". Now you might end up on the correct website, or you might end up on one of a dozen fake websites where you will download Google Chrome, but it will also include malicious software. What that malicious software is going to do is spy on your computer, it's going to record your passwords, send them over to malicious individuals and potentially even give them direct remote access to your systems. You can imagine if you are managing a plant and you have access to control software that can perform certain industrial activities, someone having remote control of your computer with malicious intent would be a problem.
Specific to your industry, there is also specialized malware that can attack basically industrial components and controller machines and these kinds of things. If it was a targeted attack let's say by another country, it is likely they would use general malware to then deploy specialized malware to industrial devices to either damage them or cause disruptions, any kind of mischief you could expect.
WT: One of the reasons I am on your phone is, I read a press release put out by yourself. You were giving away modules for people to view, to teach them about what they need to know, can you describe what the modules were, when people go to your site and click on this, what do they get, why is it important to them?
Bélanger: The reason we built this is because we felt there was a lack of available training for users about security awareness, how they should behave, how they should protect themselves. We are in Quebec, so you know the language is French, so that makes things harder because we must provide that training both in English and French. If you are looking for organizations that work exclusively in English, it is not easy to get good content without going to large security organizations that sell their products. That is fine, but we wanted to have something for everyone, the small and medium businesses out there who don't necessarily have security programs in place, to at least get a good baseline of security that they can give training to their users. So, we used my experience in cybersecurity and managing technical teams that provide general good technology management to other businesses. We looked at: what do users need to know? What do they learn from paid large enterprise training, how do we modernize it, make it less boring? We brought that down to nine modules of less than five minutes each; in fact the whole thing lasts less than 30 minutes. It goes by pretty fast. Anyone can go to the website. Organizations can make this a requirement for users, their employees, to do this on their own. It is aimed at people who work in organizations, so it's less about personal security, Facebook and social networks. It's more about work-related threats.
The modules are broken down logically and chronologically. The first one talks about the global threat landscape in general. What you need to know about who the main threat actors are, who is after your info essentially. What are the principal means they use to get it, and the techniques and targets. It basically gives a big overview. Then we drill down to phishing and password management, which is a big one. It's important to have good password hygiene and there are ways to do that efficiently. We address multi-factor authentication, so how to protect your credentials, malware, ransomware which is a specialized, very damaging type of malware. We talk about device security, how to protect your physical computer, make sure nobody is inserting malware or threatening devices. We talk about network security a little bit. Should you use public wi-fi networks in airports and restaurants? Just to get a good understanding and make the right decisions.
We end with data security and privacy, in other words, the confidentiality aspects of data, but also new privacy concerns that are being codified into laws. In Europe it's been ten years almost; in Quebec we have Bill 25 coming into force for about a year now; I think Canada-wide and in the States and Mexico, most likely, we are going to see a lot more compliance issues on that front. So, if you are not doing it for security purposes, you are most likely going to be doing it for privacy purposes. This is essentially what the training covers. The average module lasts about three minutes, so it's pretty fast. There is a small quiz at the end; you've got to listen if you want to get it right the first time though.
WT: I really agree with what you have done, there are two things I would like to touch on before we conclude this. You have used an interesting word several times, when you talk about hygiene. Can you explain your version of hygiene?
Bélanger: Personal hygiene is doing the routine tasks required for optimal upkeep, health, eating well, sleeping well, brushing your teeth, this kind of stuff. For cybersecurity there are good practices that everyone can adopt that are not necessarily very complicated. Once they are understood and practised you are going to improve your security basis quite a bit. When we talk about password hygiene, we are talking about not doing the behaviours that expose yourself to unneeded risk. When we are talking about passwords, we mean using strong enough passwords, storing them in a safe place and not re-using those passwords across different websites. For a long time, we have been telling people what not to do, but we haven't told them what they can do. We have complex passwords now. So, we are giving people ways to work around that. When I say efficiently, it is important for us security practitioners to give people ways they can adopt that are realistic. If I tell you don't do this, don't do that, and you are left with basically nothing practical that works, you are not going to adopt those behaviours and then you are not going to improve your security. When I am talking about hygiene, what I mean is good practices regularly, being sure you are following these practices in a way that protects you.
WT: Last question. When I go to an airport I don't generally use wi-fi within a restaurant or an airport. What do you suggest people do instead? When people need access, what is the best version of what you can do if you have to use outside wi-fi?
Bélanger: Ideally your organization would have policies in place and would have tools in place to either tell you not to use public wi-fi and prevent it, or to protect your data in a way that it cannot be intercepted. So, always using a virtual private network (VPN), these kinds of things. The reality is, most organizations don't have that level of control. When you are working from a wi-fi, let's say sitting in a restaurant. Airports are a bit different because they typically have specialized security; the chances of their wi-fi being compromised are lower. If we think about just a restaurant in general, how much security does that restaurant really have? What would prevent me as a criminal from hacking their system or just replacing their router entirely with one that I have back doors to, and having access to their traffic? It's very realistic; in fact, for a long time one way malicious individuals have gotten access to data is by showing up in a restaurant with their own wi-fi router. They would use a name similar to the place where you are. It's not just a matter of securing their access points, it's that anyone can show up with a wi-fi that has a name similar to the restaurant. For example, if I live on top of a McDonalds, I can name my own wi-fi "Free McDonalds Wi-fi" and then intercept your traffic. The fact this is very easy to do means that whenever you are using a wi-fi that is not provided by your business or your home, you are exposing some of that data at least. Now most network traffic nowadays is encrypted, but it can be intercepted. You might get some signs it is intercepted, like certificate errors, things like that, but people tend to get wary of these and they click "OK" and keep going.
Using any public wi-fi is a risk. It doesn't mean that you shouldn't use them, but I would say be aware of that risk. Be aware situationally of your surroundings. Am I in a trusted environment? Am I in a less trusted environment? Reduce important work to a minimum, if you are going to do things that are very critical, maybe wait until you have a more trusted network or try to prioritize your mobile phone network which is safer than general public wi-fi.
WT: I really enjoyed this conversation. Are you going to keep your demonstration up for a while? Is there a time limit? Where do people go to get this wonderful training?
Bélanger: The training is free, it's going to remain free. We have a dual mission here: one is to educate the public in general to better protect themselves; we think this is important, myself and my partner Benjamin. We believe in this. We also invested money in this and we want to make it back, so we are going to develop a version with more features for businesses later down the road. The free version is there permanently. That is the idea, we will build another one for businesses willing to pay for added benefits. Anyone can access this version, it's Cyber101.com, you can use it for free, your organization can use it for free. Please let us know if you have feedback so we can improve.
WT: That's fantastic, Guillaume Bélanger. I want to thank you for doing this; you are going to amaze a bunch of our viewers. Thanks very much.