Cyber security insight from former Head of Cyber Security at Swyftx Crypto Exchange
In Episode 018 of REDD’s Business and Technology Podcast, our hosts Jackson Barnes (Head of Business Development – REDD) and Brad Ferris (CEO – REDD) interview former head of Security at Swyftx – Chris Polkinghorne. Chris has decades of experience helping businesses protect themselves from cyber threats.
We discuss his achievements and lessons learnt from running the cyber team at Australia’s largest and fastest-growing crypto exchange – Swyftx. We also go through recent events, running internal security programs, what frameworks to align to and security tips for individuals that anyone can apply!
This one is packed full of cyber insights, thanks for coming in Chris!
If your business is looking to enhance its level of cyber protection, check out some helpful information from REDD here
Cyber essential booklet – https://redd.com.au/cybersecurity-essentials-booklet/
Microsoft security score and what it really means blog – https://redd.com.au/microsoft-secure-score-and-what-it-really-means/
Recorded Thursday, 22nd of December 2022
Thanks for watching!
REDD is a Technology Success Partner business headquartered in Brisbane, Australia. The Business and Technology podcast focuses on the commercial application of digital technologies in business. Guests will include industry experts, vendors, customers, business owners and anyone with unique insight to share. We discuss and explore current events, issues and stories relevant to business leaders, entrepreneurs, technologists and everyone in between.
REDD is a leading provider of the following services
- Digital Advisory Consulting
- Managed Technology
- Cloud Computing
- Cyber Security
- Unified Communications
We believe, in the not so distant future, that people will not only deserve, but demand greater access to frictionless tools and systems that enhance and uplift their lives. Technology can create a truly blended lifestyle between work and play that prioritises mental health and wellbeing for our people, while increasing efficiencies and the effectiveness of emerging technologies in the workplace. We believe the future of work is built on perfectly balanced and curated tech stacks that seamlessly interface with the people they are built for. And it’s that future we’re building toward.
You can read the full transcript below:
– Hello and welcome to “REDD’s Business and Technology” Podcast, I’m your host, Jackson Barnes.
– I’m your co-host Brad Ferris.
– And today we’re sitting down with an absolute expert in the cybersecurity field, Chris Polkinghorne, whose most recent title was Head of Security at Swyftx but who has two decades of experience in the industry. So looking forward to getting some quality insights into cybersecurity from this episode. Chris, thanks for joining us, mate. Did you want to start with your background, rolling way back to 20 years ago?
– Yeah, sure, it’s great to be here. I started at… I don’t know what got me interested in security. I think it was when a friend of mine hacked into my computer and made my CD drive eject over ICQ back in the mid nineties or something.
– [Brad] ICQ
– Yeah, something, something like that. So
– [Brad] There you go.
– Made me want to know how he did that. So, I went trying to figure it out and, you know, that was a good introduction, but I probably, I went to uni after that and I had to… I’m sure I’m like past any liability, whatever it’s called.
– Statutory of liability,
– Statutory of liability.
– This is like the start of 2000. So I got in a bit of trouble for sort of hacking into all these computers. Not like proper hacking, like you know, we used to get like 50 megabytes of internet quota and we figured out a way how to sort of connect into everyone’s systems and borrow them. So we, my friends and I, sort of, you know, did that to about a thousand students. And so, you know, we had unlimited, but, so then I had to write a bit of a letter and, you know, that sort of said… Write a letter to the uni saying, “Please don’t kick me out. I’m a good boy.”
– How’d they catch you?
– Well, there was like a, you know, this other guy in IT, in one of the other col… This wasn’t in my colleges, I should just say. He said he caught me by looking at the logs, but I think someone just told him what it was.
– Look at the logs in the nineties.
– Yeah, I think that’s what it was. There’s nothing overly technical there, NCSI stuff. So.
– [Brad] Yep.
– And then look after that, I can’t have been too bad cause I went from there and then I went into defense intelligence. I had to go through all the security clearances, so they said it wasn’t too bad. So, you know, I made it through uni, I made it through that. And then I sort of hopped around a few places.
– Starting in IT? Or did you go straight into cyber?
– I was in security from day one at Defense Signals Directorate, now ASD. That was a lot of fun, a lot of awesome people. Nice and cold in Canberra. And, you know, one of the… I think we set a record where… We had an indoor cricket team in Canberra and we set a record for the biggest defeat ever at the… we lost by–
– Biggest defeat.
– Yeah. The other team scored 200 something and we got negative 50.
– Was that the IT team, was it?
– [Chris] Yeah.
– They lost.
– [Chris] So we, were… Our graduate intake was absolute athletes.
– With lethal weapons.
– Very good with the tech, not good at anything else. So, yeah and then I moved back to Brisbane, took a few different roles, contracted a bit. I did a good long time at Melbourne IT, WebCentral, I think it was back then, and sort of changed its name a few times. And then went to Accenture and then came to Swyftx. And now… And then that’s finished up and now I’m figuring out what I’m going to do next. So I’m sort of, my current mantra is I just say yes to everything, every conversation. So that’s why I’m here.
– Like coming on this podcast.
– Yeah, exactly. Exactly, Brad reached out and we did a director’s course together and I said, that sounds really cool, let’s have a chat, so.
– So Swyftx, what did you do there? What was your title and what were you in charge of?
– And maybe just for those who, dunno what it is, like what they do.
– Swyftx is a cryptocurrency trading platform in the news quite a bit at the moment. So definitely check that out. But, you know, it was a rapid scale up place. I think while I was there, we went from 80 people to about 330 over the space of 12 and a bit months, so it was just–
– [Brad] Wow.
– [Jackson] Crazy.
– It was just frenetic pace. You know, customers went from, you know, low hundreds of thousands to six, seven, 800,000. So it was just rampant pace. Really, really good. Just hiring every week, three people coming in, it was awesome, absolutely loved it.
– So I was the head of security there, sort of building out the security program, protecting the customers, sort of defending against, you know, it’s crypto is a pretty hostile place, lot of attackers. And so building up those programs that protected the customers. It was a lot of fun, loved it.
– So how big was the team there when you first started?
– The security?
– Your team.
– The security team was… There were two people plus myself. And then we sort of quickly ratcheted that up to in the twenties.
– Oh really?
– Yeah. Yeah. It was pretty, we sort of built it out across a couple of streams. There was quite a, you know, a big focus on the internal sort of security operations side. We call it like the SOC, we call it cyber defense, focus on like assurance, offensive, application security, all the areas, it was a lot of fun. We built it in six months, that process.
– So in that industry, in the crypto space, I mean, crypto’s in the news a lot lately. Like was it a higher, what am I trying to say? Was this a bigger target for threat actors because it’s crypto?
– Pretty much, because there’s just such a bad guy who can pull off an attack. They’re so directly connected with profitability. Like once it hits, if they can exit that money, you know, and hit their wallet, very, very difficult to recover from.
– Yeah, right.
– Whereas if you look at like attacks on the fine other, you know, against the regular banking, like you can, there is methods to claw back funds, you know, you can pause and slow things down. So there is avenues for recovery there. It’s still a lot of attacks in that space.
– So crypto’s like a quite high value target and you can get in, get out and kind of leave no trace.
– High value. I remember seeing some stats on it that like a single, looking at like the value of a compromised account across all these different services and like a, I think like a PayPal account might be worth 80 bucks, you know, on these dark web forums and whatnot. And you know, like an account with any of the big major banks might be worth 40 bucks, something like that. A Netflix account’s worth like six bucks. Credit cards the same. Like, it’s all pretty low because there’s a lot of mechanisms in place to stop attackers monetizing those things, to really impede ’em. The crypto space, I think on the data I saw, was about $400-$500 per account. So, you know, the amount that, you know, anywhere where there’s money to be made, attackers are experts at monetizing action on them. And they really farm it out. And you would end up with, you know, attacker groups who specialize in the phishing aspect, in pulling in leads. And then you end up with attackers who are experts, you know, taking those sort of warm leads and then compromising their accounts, and then that feeds into this machine that people who are experts at acquiring those accounts and then pulling the funds out. So–
– [Brad] I guess.
– We’ve put in a lot of things to stop that happening. We had a big, big fraud team, lot of systems in place to stop it. But, you know, it was a very, this is, it’s just a dangerous landscape or all of those, so.
– I have… I’m envisioning in my mind like a zombie movie on the top of this big mountain and there’s all these zombies like trying to come up and all these threat actors you’re trying to whack away. You would’ve seen it all, I’d say from the cybersecurity point of view in 20 years and then at a big crypto exchange. Were they the biggest in Australia, Swyftx?
– Yeah. There’s one other, but you know, it’s, you know, hard to know who’s the biggest, but I think we were certainly the most prevalent, you know, advertising on NRL, everywhere you’re looking, on the back of The Heat and everything. So it was awesome being a part of it.
– So from your time there, what was maybe your biggest achievements at Swyftx?
– Well, we got sort of building out a program for one, that was great fun to do. You know, building out a security capability that was like linked in with the products getting produced. Like if you look at a lot of security operations, they inherently get linked with just IT. And trying to break it out of IT and drive it into the actual product. The thing that creates value for the business is, you know, I think you’re inherently linked to much more value, so you’re going to end up with a bigger, more impactful program. So being able to do that was really good. Getting ISO 27001, we went from start to finish on that in I think four months. Something along those lines. Like most people probably take two years, but we were always pretty fast there and that, you know, we were able to do it cause we had a big team and big buy-in from the business, you know, really, security, you know, was paramount, woven throughout the company. So that’s why we were able to do things quick. That’s some of the big ones.
– What are some of the lessons you learned from your time with Swyftx? No doubt you’ve gotten an attack from all sides, building a big team, getting ISO 27001. What are some lessons you learned in that time?
– It’s probably about following the data. Like fundamentally your job is to protect and understand the business. So it’s to… The focus on what we used to call situational awareness. So if, you know, once again, that’s about driving security out of just being, you know, laptop defense, email defense and driving it into the product. So if you could deeply understand where the business is trying to get to, you know, what the data is, what the customers, you know, how they want to interact and what their demands are, then I think if you focus on that, that would be a lesson for me. If I was starting it all again tomorrow, that’s where I would immediately start, is, you know, one, understanding, you know, gaining that really deep situational awareness and really focusing on where, you know, every bit of data is in the business.
– That’s really good advice. And that’s something that we try and practice as well here is that we have cyber conversations with businesses, we start with what data do you have that’s important to protect and where is it now? And that’s where you want to protect first, right? And so that’s some good advice. What did the cybersecurity industry look like 20 years ago compared to now?
– I remember like your first job is like, I was like pulling RAM out of servers and stuff like that, you know, we were selling assets. So that was like my very first security job in Defenses–
– Why you pulling RAM out?
– You know, when you’re recycling assets. So, you know, Defense would get worried, there would be a standard big just standard on how to do it secure disposal. And it’s like, oh, well no hard drives, no memory. So, you know, that’s what it looked like. And you know, that that’s based off of breaches. I’m sure that incident happened. And so, you know, so now everyone had to check that. But I’d say you, what you used to see is security’s job was to install like antivirus on someone’s laptop. And that was, now you were secured.
– Just a password and an antivirus tool that’s cybersecurity 20 years ago?
– Definitely, definitely. You know, there was identity in concept. I mean, it was just active directory or something like that was your identity. And you know, interestingly enough, I would say that there’s probably still the number one attack back there is compromised credentials and the number one attack, you know, for really significant attacks is compromised credentials now. Like, so I don’t think not much has changed there. Antivirus has just evolved. You’ve got, you know, super powerful agents now. I don’t really get into all the shortenings and acronyms. I don’t keep up with XDR and all, whatever the heck all it means.
– It’s a lot of Drs.
– It’s all the same stuff. Just, you know, really powerful agents that can consume a lot of intel, you know, coming locally from the boxes, you know, it’s going to do a much better job than looking for signs and signatures. So yeah, I think security was probably fundamentally an IT problem. It was just a tech thing, you know, even probably going back maybe 12 years, something like that, just, you know, throughout the early 2000s I think, I mean security was just a tech problem. And then now it’s breaking out a lot and it’s, you know, fundamentally driven by risk, driven by data security, driven by, you know, you’re seeing privacy coming under the banner of security. And I think Australia’s probably a fair bit behind on the privacy stakes compared to some of the, you know, EU, UK, their GDPR, and even the US, you know. So I think that’s where we’ll see big change here.
– So looking across your career, long career and security, when you approach a new company or a new business and you’re looking at their cybersecurity strategy, is that influenced by the type of business? And again, we’re probably harping on about this cause it is crypto and it is, that’s usually what people, when it’s a ransomware, like pay us in Bitcoin or pays in some kind of crypto. So across your career, when you are setting a security strategy, is that influenced? Like how much does the type of industry or the type of business and the kind of inherent risks or security risks affect the way you approach security? Like is it a one size fits all? Or do you know, like this is a heightened… There’s a heightened risk in this industry, so we’ve got to do things a little bit differently? How does that play out?
– I mean in every security program, if you boil it down enough, it comes down to like the really basic elements of just plan, do, check, act. Like if you, that’s sort of at the core of like the ISO 27001 standard. There’s different ways to do it and whatever. But, you know, fundamentally it’s plan for something, you know, come up with a plan. So think ahead how you’re going to… What you need to do. You know, look at your risks, do all that stuff, then actually do something, make them better. Put some things in place, check that they’re actually working, and then if you find any issues out of your checking act, and then the cycle just repeats, like. So you can sort of boil that program down and then, you know, regardless of the size of your business, you could apply that concept. And then–
– But I guess your budget to attack those things is different from a, you know, 50 person business versus a crypto exchange, right?
– Totally. Totally. And the variable on that is the risk, you know, so if you’ve got a risk program that says, you know, the cost of an issue, that’s going to influence how you address those elements, the planning, checking, doing and acting. That’s what’s going to change there. So, you know, and that’s based upon the loss to the business, the loss to the clients. And then you get variables coming in there, which is like the, you know, the government increasing the fines that can be imposed on a business for running, for being negligent in your cybersecurity duties. You know, on the say like that changes the risk equation, right there. It might’ve been, what, a $2 million fine, and now it can be up to just 50 million.
– [Brad] Yep.
– Let alone that’s without even touching the brand damage, which can be company ending, so.
– So when you’re at Swyftx, I imagine you would’ve had a lot of experience with this around building the team, saying, “I need this new hire, I need this new tool,” for example, and probably even prior to that you would’ve had to go to the CFO and say you need these things around cybersecurity. How did you articulate the risk back to the people who have the purse strings to get what you needed to build out the large cybersecurity team?
– We understood risk pretty well. We spent a lot of time sort of being able to describe what that looks like and there’s different methods. We tried out a few and some things worked better than others. But, you know, fundamentally, if you can show someone that this is a very severe risk, we think that it can lead to this event, we think that this is the likelihood of that event occurring. And then you can go through and talk about do we want to decrease the likelihood, do we want to make that occur less? Do we want to decrease the size of the event? And that helps then inform the, you know, the selection of what you do there. Because, you know, it’s… You can make it as complicated as you want. And if you’re, you know, big really mature businesses, they have immense risk management practices and very complex, I’m not a specialist in that space. I like sort of keep things really simple. You know, that’s all risk as an equation of is, you know, the something bad happening and the likelihood of that bad thing happening. And then out of there you talk it through and you discuss what do we want to get it to, how do we get it down to a level we’re all comfortable with? And then how much does it cost to do that? And then you can sort of represent a return on investment equation. And that’s the general approach. So that’s what we applied.
– That’s really good advice actually focusing on just the likelihood of this happening if we don’t put this tool in place, for example. And what’s the impact that’s mitigated if we do put this tool in place and really just have that conversation. So that’s really good advice. I think you can break it down and if you’re in the IT team and you’re responsible for cyber and you have this really technical conversation with the CFOs and stuff trying to get money out of ’em, they’re going to go, “What are you talking about?” But focusing just on the, what’s the likelihood of this, us getting breached for example. And what’s the impact or what’s this tool going to do to the impact if we put it in place or don’t put it in place. That’s some really good advice.
– People are going to complicate it.
– Keep it simple like, you know, people will, but yeah, different companies works different size. Smaller business, the nice chart, nice quadrants at the very top corner is the really bad stuff. Then the very bottom left corner is the not so bad. And your job is to try and get less things pointed, keep it pointing down. That’s what you want to do.
– So there’ve been a lot of large scale breaches in Australia, you know, Optus, Medibank and those kind of things. It feels like in the media that Australian businesses large and small have been under a consistent attack. In your words, I mean, you’ve been in the industry for 20 years, cyber security, which is a lot longer than everyone else. I feel like a lot of people in that sector now, but definitely 20 years ago we’ve been a small market for cybersecurity experts. What do you think is going on?
– Yeah, I remember, I did some reading on it and I don’t know if there’s more events. What I think’s happening, I think it’s actually a bit of a feedback loop. There is more attacks, because now the media is covering them more and the attackers are using the media’s coverage to monetize. So they’re leveraging the coverage. They’re, you know, they’re leveraging the government’s, you know, increasing fines. They’re leveraging all of these things to then drive more attacks to make more money. And the feedback loop continues. You know, it’s… I’d say there probably is more attacks that are happening. Every week I get, you know, someone messages me about some new attack. I sit in a couple of like security groups and you sort of hear what’s going on. I saw there was one in the news a couple weeks ago about a school in Brisbane, something happened. And I’m like, that would never be in the media if you go back a couple years. Like that stuff, that event, it’s unfortunate, very bad that it’s occurred. And these, you know, the people who’ve experienced these attacks, they are victims of crime. Which, that’s a really important point to focus on. But like that event would never make it to a news headline, to the front of the ABC news, you know. So, and the attackers are definitely leveraging this. So, you know, I think we need to really change the narrative on it and focus on that. You know, if you experience these breaches, like you are a victim of a crime. It’s not, we run to oh, who’s at fault, these guys. You are negligent. I’m like, well, not necessarily.
– I think you’re definitely right that because of so much media, people are probably playing on it. And there has been breaches for years and people in the IT industry know that there has been breaches, right. It’s just that the, I think mainstream now media, they’re sick of talking about Covid, so they’ve got to get something else. But it’s probably a good thing. And I’ve had conversations with heads of IT who are actually trying to capitalize on that. So the fear with the people hold up the economical bio, that kind of person who before wouldn’t have put budget towards cybersecurity. They go, “No, there’s all these breaches. “The awareness is up.” And actually the IT managers are trying to capitalize on that. Which is probably a good thing that people are more aware. But the industry is definitely going out of control. What are some interesting attacks that you’ve seen recently?
– You know, I remember seeing some attacks that, you know, you’d get like recruiters trying to talk to people and they would be, you know, attackers in disguise. I remember hearing about people applying for… This didn’t happen to Swyftx. This is stuff that, this one I’ve heard about, you know, people applying for jobs and being sort of insider agents. And you know, I think there’s a whole world of discussion that you can go into there–
– So trying to breach the human element, like kind of get behind all the controls?
– Yeah, yeah. Like I think the remote work has opened this up in to where… And this is this… There’s documented evidence of this happening, like these sort of very prolific attacker groups applying for jobs in tech firms to get insider agents in there, purely remote workers. And they pass the technical interviews through, you know, they just get skilled up at it and they’re experts at passing these interviews cause it’s… And then you’ve got, even now, like some of these sort of AI systems, it’s going to be very interesting how they start to change their, you know, the remote tech interviews thing. You might end up hiring someone who never actually existed and might be a robot. An awesome world that’s a whole tangent to go down. I think we’re seeing some attacks that are really starting to change their barriers of entry. Like yeah, there’s, you know, attacks on cars like, you know, like attacks on satellite systems. It could be anything, so.
– I mean, on the flip side, do you think, again, being in the industry for so long, do you think as a business culture if you like, has been a bit lackluster around security? And maybe not taking it as serious as they should have up until it’s got kind of exposure in the media?
– Yeah, I definitely think so. And, I think it relates back to security was born out of IT. And everyone’s just happy that it’s, you know, it’s happy there, it’s doing its job till it isn’t. And then, you know, it becomes the number one thing that everyone wants to talk about and you know, the CEO wants a daily update and all these things. But you know, before that you couldn’t get the time of them to do their job. And yeah, that probably resonates with quite a few groups. So yeah, I think a security moves into, you know, the task is to make a resilient business that’s resilient against attacks and bad things happening.
– [Brad] Yep.
– You can start to show a lot more value to the business. I think everyone can probably thank the poor brothers and sisters at Optus and Medibank for unlocking that budget and probably unlocking access to the board.
– Yeah, it’s been going.
– Boards and CFOs are the two big changes. They’re getting really cyber conscious and asking internally a lot of questions. There’s a lot of frameworks out there, you know, 27001 like you mentioned earlier. There’s the ASD Essential 8, there’s NIST and all these frameworks. What’s your advice to businesses about what framework should I pick to align to? ‘Cause it’s hard to do all of them, they take a long time, right? What process would you go through to pick the right framework to align to?
– The stuff like the ASD Essential 8, that’ll make you pretty resilient against the most number of attacks that they see in Australia, are quite like that. I think anything which is making you resilient against phishing and makes you protect your identity and your endpoints. You’ve probably covered a lot of the most common attacks right there for most businesses. Doesn’t mean you’re impervious, but you’re probably a lot better than, you know, your neighbor who hasn’t applied those things. I like ISO 27001, cause it’s a more holistic one. It doesn’t get down to the specifics, the too detailed of how to implement everything. It’s more just describes at a high level, it’s that plan, do, check, act cycle, right? It describes how to do that and the things that should be in place to sort of show that you’ve got a program that has management support and it has longevity. That’s what it’s trying to establish, is this isn’t just a single photograph of your security program. This is a, you know, a series of, you know, sorry, this is going to lead to a long lasting program that’s going to protect your customers and your business. I’ve used the sort of NIST CSF a lot, the cybersecurity framework. It’s really good, I’m a big fan of it. It’s pretty broad, it’s detailed enough, covers a lot of domains. And I feel as though if you can respond to a lot of them, even at the most basic level, you’ve probably got the foundations of a pretty good business right there.
– So if you were internal in a business right now, and I know you do some consulting work as well, what criteria would you go through to select what frameworks? ‘Cause if you’ve had that big one, right, and yeah, being at Swyftx, 27001 makes perfect sense, right? But say you’re a smaller business, you might more align to, not just on the time to go through the process, right, something else. What criteria would you go through to advise a business on what framework?
– It would depend upon the, like, the risks. That’s where you start, is like understanding the risks in which you operate and, you know, what’s the sort of regulatory landscape in which, you know, you work. You know, are you providing critical infrastructure? Well there’s, you know, there’s guidance and standards. Are you financial services? Well, you know, there’s some APRA stuff that you can use there.
– So if the risk is larger, you would go more towards NIST or more towards 27001, how does that work?
– I would… If you were getting things going, I would grab NIST CSF. Anyone can get that public document and just start, just have a read, it’s not that big. It’s, you know, it’s got a reasonable amount and if you can, you know, some areas you can just completely remove. I think if you picked that, you’re going to be, you know, you’re coming from a pretty good base.
– So you talked earlier when you were going through some of the stuff you did at Swyftx around creating an offensive programs, not just looking at the internal, protecting our data and how people get in, but also building an offensive program. Can you explain a bit more about that and how would businesses start in an offensive program?
– I’ll tell you what an offensive program is. Talk about, you know, when you might need it and how you might use it. So an offensive program, like people would’ve heard of it, like in penetration testing. And the concept would be how you take that and then build it into your more, you know, daily, weekly, monthly routines. And its purpose is to give just continuous assurance that you are primed and ready for when the bad guys come knocking. So one of the things you do in that program is you think about, well, what are our threats? What tactics do they use? What tooling, you know, how do they operate, these bad actor groups? And then you go and model that and you say, well, this group, just pick an easy one like phishing. These are the techniques they use and they use this sort of phishing mechanism. And then you go and test your organization against it. So you actually do the attack in a nice way. Not in a naughty way. Say you do the attack and then out of that, you know that out of our hundred people in the company, we are able to get 10% credentials or, you know, whatever your figure may be. Or you target your admins. Or we’re able to get one admin’s creds from a, you know, your moderate level of complexity phishing attack. And then you can use that to build that through, you know, okay, we are at the very front door from phishing, we’re at this level. And then you might keep pushing that program through. You might then say, “Okay, well let’s say we’ve, you know, we’ve proved, we’ve tested the hypothesis that you can phish one of our admins.” And then you go onto their desktop or, you know, you spin up a corporate device, which anyone would get. And then you go on and say, “Well, what can we do from here?” You test and say, “Well, we’ll run, you know, whatever vendor, XDR, EDR, whatever.” And you test that it’s actually going to do its job.
– And so you could get your sort of good guy attacker to write some code which, once again, mirrors what those attacker groups do, their techniques and tooling, and test, well, how resilient are we against that sort of attack? And it’s actually like, you can do this stuff. It sounds really complex, and like a lot of big companies would do this, but I don’t think it’s that unreachable for a lot of companies. If you’ve got really keen techies, like, you could do sort of like hackathons around this, like a fun sort of engagement. Give people 48 hours and say, “Let’s hack the business, let’s see what we can do. Here’s a bunch of pizzas, here’s some cans of beer. Go at it.” And like, it’d be a really great engagement. And like, if you’ve got really keen techies, like, they’ve all got that inner security person in them, like that hat is, they definitely wear it all the time. And they’ll come up with like phishing attacks and they’ll come up with like, you know, these things called, like, we call ’em LOLBins or something, you know, living off the land, like it’s malware, but it, you know, runs and uses the, you know, the capabilities locally on the machine to perform its jobs, you know? And so, you know, they could write that. And next thing you know, you’ve now got the beginnings of a, you know, a fledgling offensive program and you’re away.
– It’s kind of interesting, we talked about this last week, how you were mentioning, you know, kind of on the flip side to that, or part of that offensive program then is… Or maybe it’s the defensive program, is how would you respond to an event? So just sit there and go, this has happened in our business, go, what would you do once you’ve identified, once the offenders are in and they’re doing something? So the nice offenders, okay, now the other team defends, what would you do?
– Absolutely. And that’s the crucial bit. That’s how you really link it to the return on investment there; its job is to make the business more resilient. So you know, you’ve tested yourself against this attack, but throughout the whole thing, you’ve got an internal security program. It doesn’t matter if there’s not like some, you know, 24/7 SOC or anything like that, you know. Any business has some level of a security program. You then take, you know, the elements, the artifacts that are generated by the offensive tests and you say, “Well, what did we see? What did we see from the phishing? Did our email system, did it pick anything up? You know, how could we make it better to detect the, you know, these sorts of phishing attacks?” And then, you know, underlying that’s the human element as well. How do we make our staff more resilient? How do we, you know, we give ’em a bit of training, that’s pretty good. You know, give it more testing, you know.
– That’s interesting. When you said offense, I thought you were meaning attacking back at hackers, is what I thought you were going for, not attacking internally as a–
– Hack the hackers.
– Yes, that’s what I thought you were doing. But interesting–
– You want to be careful with that, that’s–
– It’s a bit illegal.
– Yeah, yeah.
– But one key takeaway from that, from what you just said, is it’s… You’re probably right, people think it’s really complicated, “I’ve got an offensive cyber program.” But what you’re saying is you can do some pretty simple things to get some pretty high value results.
– Yeah, you can go and get, like, people publish their playbooks for this sort of thing on how to do it. You can go on GitHub right now and download someone’s quite well-built-out red teaming program and run it. You know, it’s not like it’s actual code, it’s instructions. You know, how to execute this sort of attack against your own business; it costs you $0, you know, it costs you time and a six pack, like.
– How many businesses are actually doing that? Must be quite low?
– Like, I guess in your opinion?
– I think pretty low.
– Like the big end of town, you definitely see it. There’s a really awesome, like, Google series on it where they talk about how they do it internally. It’s really, really fascinating. If–
– When you say a Google series?
– It’s on YouTube, they made like a… This is how sort of the Google security program works. It’s really right, I watched it with my wife to sort of show this is what I do for a job.
– And she was awake? Did she make it through it?
– She was into it for a bit. But yeah, it’s a really great way, like, to watch that, you know, like people should send that around to their, like, you know, their board of directors and say, you know, their C-levels, and say, this is, you know, you’re right, Google’s worth a lot of money, you can take it in concept. Like you don’t have to do the specifics. They, you know, they talk about an attack. They did their… I really wanted to do this at Swyftx. We were starting to think about how we were going to do it. Like, Google did this attack where they got a USB-powered spark globe. You know, you touch ’em and the little lightning bolt.
– Oh. I’ve always wanted one of those.
– Yeah. Yeah.
– I remember when I was a kid.
– So their red team got one of these and then they got, it’s called like a rubber ducky, right? Like it’s a little, you can go online, this website Hak5, you can download all these hacker products. Oh, sorry, you can buy all these hacker products. And it’s a remotely, it’s a programmable keyboard. And so they got the electric USB globe, they built in this keyboard and they had it… So as soon as you plug it in–
– [Brad] Your virtual keyboard?
– No, no, so it’s a physical keyboard in concept. Like the computer, you plug it into your device and your computer goes, “Oh, that’s just a keyboard.”
– Oh, okay.
– Oh I see.
– And then it just starts typing at 10,000 characters a second. And all you see is a screen pop up and disappear. And now, from plugging in that device, that little funny little globe, it’s now completely taken over your system. So it’s gone online, it’s downloaded its binaries, it’s pulled in, it’s executing on your local host, or it’s pulled out, you know, it’s pulled every ounce of data out of it. So Google talks about how they did that attack. I was so keen to execute those people around at a time.
– That’s really cool. I’ve heard of people dropping off USBs at reception desks and seeing how they get plugged in, which happens all the time. I’ve never heard of one of those zappy light bulbs being dropped off somewhere.
– It’s the exact same concept. You know, all they’re trying to do is give people a reason to plug it in.
– [Jackson] Something into their computer, yep.
– Everyone’s probably across the, “Oh yeah, don’t plug the USB drives in.” But I don’t think people would realize, like, that, you know, you can do anything with a USB. You go on the Hak5 website now, you can get an iPhone charging cable that you plug it in, plug it into your iPhone. It’s actually got built into it, like, a wifi connection and a remote keyboard. And then I could sit in the car park and send remote commands. I’d have a remote keyboard onto your system.
– Through the cable?
– Yeah. Costs 90 bucks, right?
– Like, don’t get any ideas Barnsie.
– Oh Jesus.
– You know, like that sort of stuff’s fun to do. You do it as part of your hackathon. You go spend a couple hundred bucks on these cool things and, you know, you start to teach people about what’s possible. Like, if people know what’s possible, they can defend against it.
– I think those things make it tangible, right? Like you said, like, I think people think when they spend tons of money on programs and, you know, you spend some money, but yeah, if you just kind of be a bit creative with it, you get a few little cheap tools. Instead of buying some beer, buy pizza, whatever. A bit of time invested and off you go. And that makes it real, like, it’s tangible, people have actually experienced that. So they’ll remember. Yeah, okay, I plugged that thing in and things got a bit crazy, so.
– If you could provide some security tips for personal people, some interesting tips throughout all your years of experience and all the crazy stuff you’ve seen. What are the top kind of three or four things you’d recommend?
– Look, I always try and imagine how I protect my elderly parents from getting hacked. They’re my benchmark.
– [Jackson] Your litmus test.
– Yeah. So, you know, like, it’s probably a bit controversial that I would absolutely support writing down your passwords in a little book if you are my 60-something-year-old parents. ’Cause it’s probably going to be more secure than however they, you know, whatever they’re doing on their systems.
– Yeah, a spreadsheet or a Word document or something on the desktop.
– Absolutely. Like it’s, yeah, it’s not great practice. You won’t win any awards for that. But you know, it’s about protecting them. Look, a big one is to use, I recommend this to anyone, like, use a Chromebook, they are so resilient to attack. Most people, if you look at what they’re actually using their system for, they log in, they open a web browser. That’s the only thing their system ever does. So that device is basically, its whole purpose, and it just runs web browsers in secure sandboxes. And so it is very difficult for an attacker to take over the system. It isn’t perfect. It’s very good.
– Are you saying business use, or like students or elderly, or?
– You could apply it to anything. Like if you had a customer service operation, that would be a really easy way to, you know, protect a lot of that space. And you know, the Google, it goes for you there. They’re getting better at the sort of enterprise space. There’s some good stuff there. You know, like they have, like, managed Chrome browsers, stuff like that. The Office 365 space has the same going now, like the sort of Defender products, they’re really good. That’s like really high level. And use an iPhone as well. Apple protects their ecosystem way better than an Android. But I use–
– And they’re enhancing that now. And they’re enhancing that again, I believe. I think Apple just released, they’re putting some next-level encryption in place, surely.
– They’re really good on privacy. They’re really good on security. They fundamentally, they protect their ecosystem. They don’t let in as much rubbish as Android lets in. Like, it doesn’t make it perfect, but they’re pretty good. They do a bit more scrutiny on what comes into the App Store.
– Yeah, I’ve definitely heard that from businesses that we work with that try and get apps on the App Store, and it’s a big process, which is a good thing. You want that to be a big process.
– The last thing is the religion that everyone needs to get on board with is just put MFA, multi-factor, two-factor, whatever, put it on just everything. Like it should be coded.
– Just accept it’s a way of life. Don’t complain, you’re going to spend an extra 10 seconds to log into something. I feel that that tide is changing. I know a year ago, yeah, probably a year ago in my role with our clients, it was always the more senior people, which are the ones who are actually probably the more risky people to not have it, ’cause they’ve got the keys to all the different systems. You know, there was a lot, yeah, there was a lot of resistance, if I’m honest: “I don’t want that on my machine.” But now everyone’s kind of, it’s changing, it’s being accepted.
– You can tie it back like that. The question only about some of the attacks, like if you look at that, the Uber breach, that was one of the things they executed there was basically like an MFA flood attack. They just spammed some poor person and called ’em up in the middle of the night and said, “Hey, I’m from IT, if you just hit accept, that stuff will, that MFA prompt will go away.” And someone’s going, “Oh, okay.” Now they’ve just logged into their VPN, you know, the attacker. So definitely try and move, like let’s say for your home, you’re unlikely to be targeted with that at home. But for a business, like, to move away from just the prompt ones, the, “Yes, that is me.” It takes you about, you know, if you use like the Office 365 file, this is your–
– So don’t use the Authenticator app?
– No, the numbers are really good. Because what you’re doing is you’re adding deliberate friction to the MFA process. Where people ran too quickly to, “We need to make it so seamless that our 62-year-old CEO can use it.”
– Yep. Hence the hidden Yes. And goes in, right?
– Exactly. And so now we need to add in a tiny bit of friction to make it a bit more resilient and say, like, the ones where you type in the code, awesome. The ones where you’ve got to match a code up with what’s on the screen, very, very good. Those are great things.
– Do you have an opinion on the authentication cadence? If you like, you know how you can set it to 14 days or 30 days or whatever?
– Is that for how long it keeps you logged in?
– [Brad] Yeah, yeah, that one. Sorry. Yep.
– It all comes down to like what the system is. Like if it’s, you know, your–
– Like Office 365 is the classic one, right? So everyone’s got that.
– Yeah, people’s emails are, like, just the center of your life now. I think like we probably let that, you know, so much of your identity is tied back to, if someone can get in your emails, that’s probably compromised your entire life. Like, some of those systems you probably need to be a little bit more strict on and say, you know, you should have to log into this a little bit more frequently. That’s probably something. I’m probably not so great at that at home. I’m definitely not, but you know.
– [Jackson] Yeah, that makes sense.
– I’m not sure.
– Hey, thanks Chris for coming in. Really appreciate the insights you’ve given for personal users and some interesting ones like Google Chromebooks. And also your experience and what frameworks to align to, mate. So I really appreciate it. Anything else you want to add before we close out?
– No, that’s about it. I mean, it’s been great in here chatting with you. I dunno what I’m going to do now?
– You have to make your accounts, don’t you?
– Yeah, I do.
– You got your personal passwords.
– I have to do that.
– No, it’s great. No, thanks for having me. It was really, really good fun. Awesome.
– Thanks Chris, thanks for coming in.