How COVID-19 is changing phishing, social engineering and security | Cyber Work Podcast
It's, a celebration here, in the studio because the cyber work with InfoSec, podcast, is a winner thanks, to the cybersecurity Excellence, Awards for awarding us a best cybersecurity, podcast, gold medal in our category. We're. Celebrating, but we're giving all of you the gift or once again giving away a free month of our InfoSec, skills platform, which features targeted, learning modules, cloud hosted cyber ranges hands-on projects, certification. Practice exams and skills assessments, to. Take advantage of this special offer for. Cyber work listeners head over to InfoSec, institute comm, slash, skills or click, the link in the description, below sign. Up for an individual, subscription, as you normally would then in, the coupon box type, the word cyber. Work CY BER, wo, RK no spaces no capital letters and just, like magic you can claim your free month thank. You once again for listening to and watching our podcast, we appreciate each and every one of you coming back each week so, enough of that let's, begin the episode. Welcome. To this week's episode of the cyber work with InfoSec, podcast, each week I sit down with a different industry thought leader and we discussed the latest cybersecurity trends, how those trends are affecting the work of InfoSec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry, we. Hear it in, every other TV commercial, email ad Facebook, promo post etc, we're living in unprecedented. Times the. Modern age of sheltering in place has, changed huge, swathes of our societal interactions, or lack thereof and. Has led to new strategies for everything, from work from home methods to live concerts streaming live and. Often built on platforms, not built for the purposes they're currently supporting, with. So much instability in our day to day routine there's plenty of opportunities, for fissures, and other bad actors to target the constantly shifting nature of our online routines. And, that means new and different attack vectors for fishing and other types of social engineering, today's. Guest Aaron Cockrell of lookout is going to tell us about some of these new kovat, 19 and lockout related. Phishing. Attack patterns that are showing up and how to help us continue to stay safe and secure, from, online attacks, Aaron. Cockrell joined lookout with nearly 20 years of software product management periods as the, chief strategy, officer aeryn is responsible, for developing. Validating, and implementing, cross-functional. Strategic, product initiatives, that, align with the lookout vision of a secure connected world, most, recently he served as VP of mobile technologies, at Citrix where, he and his team were responsible, for the development of Citrix is mobile, app and container, technology while. Driving the acquisition of Zen prize prior. To working on mobile technologies, Aron drove the creation of Citrix his desktop virtualization, project. Product. XenDesktop. Which grew, into more than 1 billion yearly. Revenue for Citrix during his five years of leadership before. Joining Citrix, Aaron worked for eka my leading, product, management on their enterprise, content, delivery solution as well as working on the development and deployment, of many of Akamai's. Advanced. Content delivery network technologies, prior. To that Aron led product management for one-stops ecommerce system, and he held multiple positions, at BHP. Billiton in. Australia, he, holds a BA materials, honours from Wollongong. University, in Australia Erin, welcome to cyber work, thanks. Yeah. I like to let people know what we're getting into so so. Yeah, we got a little bit on your work background but tell me about your sort of life. Background, where did you first get interested in computers, and tech and and, when did you get into cyber security as as a job in a calling. Well. From. That. Was pretty. Young I guess I'm. Telling. Everyone my agents, on here my first, computer was a Commodore 64 and. That's. When I first, got. Interested in computers, and then I guess. I didn't take a direct route into computer science but ended up in materials. Engineering as uhm looking for bhp billiton but it's a really interesting learning. Experience I worked a lot with robotics. Systems, and PLC's. And. I'm. Programming, in Fortran, to to operate, giant. Machines, like a coal. Mill that's got a steel, and, working. On in, crazy game items like they, just had Halon gas systems. To make sure that the Cregg computers, that were working on didn't which they're calling fire we didn't lose everything it. Was it was a really interesting time back there but and. Things have changed dramatically, obviously, but. That that, really got me interested in, computers, I think the.
Transition To cybersecurity it. Wasn't I didn't. Actually. Pursue. A career, in cyber, security it's, that. Every, time I, got, involved in, solving customer, problems, in. General. In RIT I, would say everything you know Akamai, onwards one of the primary, issues, that we kept facing, was addressing. Cyber security, so especially. Like for example in Citrix, Citrix, is not specifically. A security. Company but. Their products are frequently used in high security environments. And so I was, always adjacent. To it and customer. Has always seemed, to be frustrated, that they were having, trouble solving, that without I mean scientifically. That was their biggest problem, like it was great to be able to help them with things like we, did at Akamai what we did at Citrix and I think that they're. Great companies, but I wanted. To get closer to solving what, seemed to be the biggest problem which I think still today is Security, unfortunately, right, so, yeah so let's jump into sort of present-day how. If it all has your day-to-day work routine, changed in the last few months I'm assuming it's changed somewhat. Were. You I work from home person before and if not like what changes or concessions, or maybe even improvements, have been implemented, into these emergency measures so. I. Would, say look. At we. Always, had the ability to work from home you know back entirely online and, we're assess, but, both we used, online. Services, for all. About productivity, apps, and so on and past where our. Services, are online so we're very cloud. Oriented. Company. And relatively. Modern. From that perspective. Though. Personally, I wasn't, originally a work-from-home employee, I, would spend a lot of time in all of our offices so I spend. A lot of time on the road to do traditionally. Has spent a lot of time on the road both talking to customers, and. Presenting, and talking to, people. Like yourself so which. I don't know we would have probably still done this virtual, but I do a lot of them in studios, and that sort of thing so that, big change has been staying, at home. The. Couple of challenges in fact we had that discussion right before, we joined I think I need to invest in a better microphone, and. Set up for my way, home offices, you can see it right I, don't know if the audios okay but I hope, everyone can hear me I will, be interesting with it but not too distant future business that's, the biggest change I think. How. That's impacted. Us is, specifically. Look out for me. We, do a lot of what. We've been doing is really pushing the edge, of innovation, in mobile, technologies, mobile security I'm, really proud of that I love, doing what I do it's. It's. More difficult to, do. Cutting-edge. Innovation. Brainstorming. That. Type of interactivity. Virtually. Unfortunately. Like I love all that, we're talking on zoom' right now I've used most of the tools for. Virtualized. Meetings. And. There are whiteboards, that you can share and that sort of thing but it it. Doesn't be actually, being in the same room with a bunch of smart people and coming up with brilliant ideas right, I've, not been able to recreate that environment, yet so yeah for me that's probably the biggest impact, okay. And you think that's that and white dogs keep barking during. Into news. Yeah. We're all seeing a lot of everyone's, life during. This things it's, kind of nice I mean do you think that's something that people will eventually get used to in terms of being able to, interact. Over a computer. Space versus, you know I mean, when we you know we talked about you know II reading 10 years ago like people were saying oh it's never going to replace paper books and things like that but do you think, that. There's just a learning curve here and that people eventually get it or is there just no substitute for in-person, collaboration. I think. That two things will happen. I definitely. Think that there's opportunity, for improvement but and.
I Do think that we will learn, how to do it but I think it will take. Changes. In the tools that we use okay, I mean. When, you look at the tools that we use today they're mostly focused, on this, type of engagement or. More, formal. Meeting. Like, if. You think about what you do in a design. Context. Where you're taking, lots of post-it. Notes and sticking on a wall and try to categorize. A particular, write to hear and that sort of thing and I'm. Sure that we all would solve these problems, virtually, and I look forward to seeing innovative, companies that do that right, just don't think we're quite there yet not, there yet okay so. As. I mentioned at the top of the show we want to talk specifically, about phishing. And how it's sort of you. Know the social engineering and attack vector nature of it has has, changed in this present time and you know we've had a few guests in the past and I'm. Thinking way back I think was episode 13 we, had a guy named Pedram emini from, inquest who talked about the latest phishing trends you know it's back in 2018, at this point so, you. Know based on your own research how. Is the nature of phishing, changed since this first major shelter-in-place, order back. In March has there been an increased decrease, similar. Number. No. Is signifi. Increased so I'm, gonna put, it this way there. Is a significant. Increase in the. Targeted. Phishing. That. Is leveraging. The, whole curve at pandemic, as a, tool, for social engineering. Whether. There's being a. Specifically. An, increase, in, generalized. Phishing, or not as a result of that incremental. Step in covert, I think, that the numbers are a little bit too early to say. That it does look like that from, from where I sit but. You've, got to understand, when I talk, about phishing I actually am talking, about something slightly different I, probably should explain and. What, I'm about to explain is sort of being on a curve like this for. Months and like the best part of 2018. And 2019 and what, I'm referring to is, less, about you know you, get from, some. Long-lost uncle in Nigeria, that left you a million dollars or whatever sure more and actually, not even necessarily. Email, but someone's, sending you a personalized. Message that. Has a link in it that, you click on and yep. In the mobile world what that tends to be is an SMS, or. Picking. On any platforms, of facebook, Messenger, message, or whatsapp. Or you know could be Telegraph or any, type of social, media yep where, they, can send your link and say hey if you keep on this you'll get. Something for free or, you'll be able to see awesome. Pictures, of someone. Or something or or even. More troubling, which is what's happening in the current pandemic we. Found that someone has, a, code of 19 in your office click on this link. For more information. So. That, type of social engineering, attack, where you click on a link now, most. Often then, the link is geared, towards, stealing, information, for. For the recipe knowledge or direct, attacks so anything. Like your credentials. For. Online. Banking, your, credentials, for company, access to productivity tools like officers used to follow Jesus well you know what about which, we see a huge, amount of equally. Things like successful but also your, personal details. And personal, credentials. You, know no one ever uses the same password for both services. Obviously so, that working sorry yeah. Oh yeah, ever. Happened ever. Yeah. I sort. Of getting into that bit let me just sort of. Talk. On a larger, scale here what are the most. Common types at the moment, of phishing. Types you said that there are you know there are links, you. Know within emails, and things like that have. You know, you. Know and. And, that sort of like the sort of text story based things might not be as prevalent. These days so like along with you know click, this link for more information what are some.
Of The primary sort, of like fishing. Types to watch out for I mean are you know at essence URL, big are invoices. You know fake invoices Docs, PDFs, like. What are you seeing. In. The mobile specifically. Lots. Around. Someone. Has over, nineteen in your office definitely. For more information that type of thing and I've put them all in a category, similar, to both, we. See horrible ones that say like your. Daughter, has been injured, at her elementary, school with the play-doh name and the FATA school name right, click on this link for more information or I can click on that so put them all in this sort of health accident. Type scenario. Right, there's a bunch, that we've seen around, this. Is how you get your code, 19. Check. Or you'll be able to get money back I found the government bring, anything, from, into your credit card details here and I'll send you the money. With. That type of thing, and. And, that's directly. Reading that took over but you see for in a financial. Context. You'll see frequently. A. Link, to say this, is, you. Receive. This check. Authorized. The the deposit, here before, there's, the. Untoward. Activity on, your account. And. These are all financial so, there's the untoward activity on your account click, here to change your password, and. Of course then the capture your password. Verify. This. Transfer. Or, you, know someone's. Trying to send you money I click, on this link that they're the types, of financial ones and next they, do a relatively, good job of, putting. It in the correct context, I often know what, you're a bank who your bank is and that type of thing yeah so there's no research involved, yes. And then the. Next category are, along. The lines of getting you to do something. That. You probably shouldn't, do like and. A lot of that is. Involves. Business. Email compromised and an, impersonation. So. Sending. A message to an, executive assistant to save this, in Niall of the company's w2 so need them for. Random reason and, then the, bad, guys file, all the ones that I've got returning and that, type of thing so, or send, me the, HR, database for this reason, or send, me corporate, information of some sort so I. Would. Make a distinction, so they're. The general, categories. That we see okay okay so. Financial, intellectual property or some sort of company, theft. You. Know financial. And then the the ones that are around health care or you. Know personal information, the. Those. Categories. Exist. Actually. In email, and pieces there was there's one that I would talk a little bit more about which is business. Email compromise where, you impersonating. Someone else to get something, but in mobile, that Tim what, model is infected, it equally by email since it on reads their email on their phone but there's. Also impersonation. Of like the SMS, sender, and that sort of thing you have to worry about because. That's relatively, easier, to to. You. Know pretend you're someone else when you're sending an SMS message or.
There's. Another category which is less applicable, on, mobile, it's not completely. You. Know, it. Does exist but it's more frequent, that, the attack on multiple. Devices tends, to be click, on a link and that link. More. Often than not tries, to extract information. Rather. Than on, PCs. Frequently. That link or. More. Appropriately an attachment. In email tries to get you to open, package. Between, stall software. To do something on those lines and. That's. Not where look at that is focus but that's that. With the tools that are existing, email phishing. Tools, today a very good helping. In that sort of area but, because, laptop. I'm sorry mobile. Operating systems are less focused on that processing. Of attachments, and what, the apps running is right right for traffic it, tends to be more focused on click. On this link right. Guidance Tirupur now. You. Know thinking, of phishing, attacks that are happening then specifically, within a work context. You, know last couple months have been a lot of as we said people have been kind of you. Know improvising, their new workspaces or you know clearing space out on the kitchen table, or you, know a card table or whatever so there's a lot of sort of like just. General, instability, especially those first couple weeks now did you find that people, were more likely to, sort, of succumb to phishing attacks during that because everything was so in, freefall, or was it maybe that everything. Was so sort, of uncertain. That everything, that came across your desk looked more suspicious. No. Phishing. Attacks were far. More successful in that period for a couple of reasons, and and I wouldn't say that that period. Has ended it's. Still, figuring this out, so. Two big things that, we noticed the first and sort, of the most obvious is. Everyone's. Working from home so unless. You're. Operating, a hundred percent of the time through, a fat VPN, tunnel back into you're working.
For Structure you're, an outside, which. By the way has its own issues because, then all of a sudden your, home network and everything, on it becomes part of the corporate network which, is IT. Security nightmare. You, know so, yeah if you if you're not using an exact VPN, pipe like that then, you're outside, the corporate perimeter, and the, corporate perimeter, has, traditionally. Had things like secure, web gateways, and you, know advanced firewalls, and so on that are able to protect you from these sorts of phishing links and. These types of content. In general so, right. Now, people. Are working from home and their, access. To the Internet is completely, unfiltered they, don't have the. Advanced, security, infrastructure. That's, available when. They're on premise, using, the, you know the corporate network so, that applies to as I mentioned the secure web gateways and advanced, firewalls, and that but even things like data. Loss protection and. Ueda. And all those types of tools that we used for monitoring for things like insider. Threats, or inadvertent. Duyvil arsenal they're all so, about a window, so that, I would put all of them in the same pocket as this, fishing. Link so that that's the, first problem. The. Second problem is, when. You're at home and, you, have a 8. Year old that you've got to teach how to use zoom because they're you know told them to teach on a 13 year old that has a algebra. Problem, and you've got work trying to go on and your wife's got work as well and, you've, got one office maybe in, your house right, you. Start working in not. Normal working environments. And to, be honest, and, I actually sort of want this you that your, your your, tablet your iPad, I've, found, becomes, a much more convenient looking to all then, sitting. In an office lot to, a desktop because your your. And, I think it was Madeline, at Citrix uses this, term time slicing, here like, I've got any sort of an hour focused, on you right now but as soon as I get done with this if, I'm not on a dedicated call, with the customer, probably replying. To email, and then doing it algebraic, question for you and 13 of math men, trying, to solve of all, your problem on the zoom or like something you become it's just right, crazy. Like that they're not feeling tablets. Are, far more convenient, them. Seeing. Down glued to a growing, work environment, so you're, going to hire leads to please and they. Are not. In. Most cases they're not company. Supplied, it typically, BYO, typically. Are managed, so, yep any. Sort of new, yeah. New many tips for, sort of securing these, sort of rogue devices like that um. I. Mean because, of the company I work for and because, of my beliefs I think the most important thing is to have mobile security on the plate so an iPad, is no different, to a phone for us the tablet. You. Know Android, tablet is no different to a pixel they process. All the same things so I would and, you can install look. Out other, security. Software for, mobile, operating, systems, from, the App Store's of course I would recommend, ours but but, it's. A good start too have that on your device if, your company doesn't provide it many. Of our customers though, quickly, rolling, out, protection. For more devices, as a result of this, so we expand to give an uptick, in that, sort of deployment, recently, so, if your company provides it's fine put, that protection. On is on your the, devices you use it for work is something that I'd recommend if, your company doesn't go, get. Something. From the act. Yeah. So, let's sort of break down into I mean we talked about some of the the main sort, of. Appeals. Especially, things like you know your your coworker asked Ovid click here to find out more or whatever but can. We sort of go. Sort of syntactically, and talk about like some of the language that's getting. People to click in these types of emails like what is what are some of the emergency, you. Know search term or you know the emergency sort of like hot-button terms that making people sort of you know cuz it's social engineering is all about you know getting you to act before you think you know so what are what, are you seeing that are some of the sort of like successful. Sort. Of writing stratum and you can you can tell you know a bad fish. When you see it if if the, language is garbled or you know or just a weird formatting, or whatever but like what are some of the things that they're doing effectively. That we should be watching out for so. I think, you. Said there which is you. Know. To, protect yourself you, should not click, on links. Or you, know take, seriously, emails, we don't.
They. Just throw those away yeah, that's. A really good start because, they. Are frequently originating. From non-english. Speaking countries, and so the English tends to be limited. In many, cases so that's a really good tell that most people should take a close. Well but every the, ones that are most. Effective. Tend. To fall into two. Categories. The, first one is initiating. That I guess you could almost call it final, flights you know my my daughter's been injured like we've talked about or you, know someone's gotten sick in the office like we talked about before anything, that can, um your, financial. Your bank. Account is under attack for fraud your, password, has been stolen, yep, any of those things that that, would be a shock and password. Stolen. Even. Your. Order, has been rejected. Credit. Card was rejected. Your. There. Was a an issue, with your delivery which is a big thing right now everyone's, getting so many deliveries right now yeah the issue with your degree or or you. Know your order is on its way and it's something really expensive that, you didn't order or something like that yes yeah, that's a good one. Yeah, and like I said you know, something really expected, me and, your credit card was declined, so. Those, types of would. Make you typically. Uncomfortable. Well, that's, the, the one category yeah. One I laugh, it's. A little funny and it probably affects males. More. Than females, because. We're very visual, but. We're. All stuck at home and, especially people that are dating online or something, there's. One of these tricks to say click. On this link or install this app to have. A more intimate interaction, with me. Yeah. That's. A common one as well okay. So. You. Know we, mentioned it with the the tablet and stuff but could you give me some sort. Of overall, sort. Of requirements. Or guidelines that employees or IT departments, or companies could. Do to make these altered altered working environments, more safe against phishing and other social engineering attacks like obviously we want to put. The right you, know defense and you know the BYOD devices and, stuff but like what what, in your mind is sort of like, like. A really good kind of plan of attack that, that IT departments. Should be doing you, know to sort of keep you know the endpoints safe and so forth um. That's. A tough one to be honest because yeah the, D. And. I don't want to seem so soon because you know we, were one of the unique companies that solves this problem but, the. Challenge, that point e departments, have is, that the. Devices. That they're, to connect sorry, protect right now are, outside, their network so, there, are tools that allow you to extend the corporate network into the home like VPNs, and if, you're, being, attacked. Consistently. Through, these, types of phishing attacks it may be worthwhile, extending. Your VPN into. Into. Your employees homes that may be the right approach. Really. The only that's. Really, the only alternative, other than having. Effectively. The secure. Web gateway type technology, which, is what our phishing, protection does, which, is blocking links, walking URLs, that are appropriate, on the, endpoint, and. Unfortunately. Right now there's only those two solutions, available. Of. Course we recommend the one being deployed on the endpoint because it means that the devices safe. No matter what network it's connected, to but. Extending, your view. Network protections, out to your, users if, you don't have something available like, Lookout might, be the right way to go in.
That Scenario. Where. You're extending your you. Know VPN out to the home. Network. The. What. Actually there is one other solution which I'll come back to but if you're extending your corporate, network up to, you. Know home computers, or whatever I would try, and encourage your employees to have it on a singular device, that's. Dedicated, for, a work and make sure that you know obviously that the operating systems up-to-date and all the applications are up to date and that they have some form security. On the device and so on in fact most. Companies. These days have some sort of Mac set, up so that if the VPN, is going to be running on that device it does some, rudimentary checks as to whether the device is safe before that connections made if, you don't have that I would encourage to set to, set that up so. So. That's one solution okay, obviously deploying, something, like lookouts. Phishing. And contact protection. Recommend. That as well the. Last scenario having. Come from Citrix. Solutions. Like VDI are amazingly. Effective. This type of environment. I've gotten, off the phone recently, with a number of customers that. Reminded. Me that you, know I met you back when you're working, for Citrix and XenDesktop. Saying to us in this scenario because we were able to remote. Everyone's, desktop, to, them so that's a great solution if you have it in place it's, pretty. Difficult to spin it up quickly although. There are service providers that provide no, type of capability, but what that allows you to do is. Have a before work desktop, running on a device that you, don't really have to worry too much about when, it comes to the underlying, operating. System, and so on because it's completely virtualized. So, then I guess the three scenarios. The. Video. I want and I tends to come with, a fair, bit of cost and implementation, setup if you haven't got it already, operating, so the VPN. One and and and, mobile, threat protection on your endpoints. Is probably, a faster. And more. Productive, solution. For most companies okay. So I want to sort of move you. Talking about time slicing, and, sort of the way that people are working now you, know especially for people who are working at home it seems like you. Know work time and leisure type time, for a lot people might be increasingly. Blending, together so you have any advice people who find themselves who. Are sort of always sort of at work you know you might be watching, TV with your family but you're checking email or slack well you know on a tablet, or going over report tell everyone's hanging out in the living room for family time and I, feel like that not only you.
Know Is a technical. And mechanical. Risk. Waiting to happen but also the fact that you're sort of your, mind is everywhere you're less likely to you know to check in on these things and a friend of mine just said that he got hit with ransomware because. He was checking his working about 12:30, at night so yeah, you know with some of us having a more porous barrier between personal, time and work time you, know what what what, can we do to sort of be. Less susceptible, these kind of attacks than. You know if we would be during work hours so. I think, I should stop by saying that, if my wife were listening in on this call she. Would say that I'm not the right person are you giving that a thing. Okay I'm, almost losing you have a hypothetical person oh yeah. It's. Really good advice to. Try. And see. If it's even, vaguely important. Try and keep, it to, work. Hours, but when, you have the opportunity, to think deeply about that, you know what you're doing again focus time anyway yeah. And it's so. I try. Not. That I'm very successful at this but I try and deal. With the. More. Focused work stuff, earlier. In the morning and then, I tend, to Tommy and have a lot more social. Engagements. Like things over zoomed in. The afternoon, did you still work, related, for me and Lee they might go until, later at night and then. Wine. And, security. Don't mix very well either I don't know Hecky, and Lee know we've all tried yeah. Okay. So um. Well. That sort of brings me nicely in my next question, you know with so many work in social events currently, being hosted by platforms. That weren't meant, to support them whether it's you, know before mentioned company-wide happy, hour is on zoom' or streaming. From home concerts, on Twitch or telegram or takeout food or grocery delivery you, know which is often being executed by sort of new secure, payment options or restaurants that didn't have you, know takeout options before sort, of throwing them together at the last moment what are some security. Issues or red flags that we should be watching out for not just on our work account but in our newly, shifted leisure time um. So. Again. I don't like to pick on any particular company so I think we all know that resume, has got dinged for a bunch of things in this area in, general, and. We. Use them like, I'm talking to you on it now so a. Lot. Of these problems such. As inappropriate. People joining parties, and, being able to then subsequently, joining work meetings, and so, on that's.
Just Simply. Configuration. Of the tools yes. This is you, know I already, am, a. Little, bit frustrated, by the term new normal, you know if this is gonna be on new, normal then become, familiar with these tools this is something, you're gonna be using on a regular basis, set up a password for, like, I actually recommend, that you set up a regular, personal, meeting so that it's you can switch one on whenever, you want instead, of having to set. Up a schedule and a different number and all that sort of thing but put a password on it and don't let people. That are unauthorized. Join it you, can set up things like waiting, rooms and so on that. That's probably the most important. Thing button. Making. Sure that you control who's, able to join those yep. The, the next thing and this is it's, not as much social. As, well, it's actually just general good, hygiene, these. Applications. Gain. Access to your microphone and your camera, and so on so. When. Be. Careful, when. You're having. Social. Interactions. That. You. Use, tools, that you're actually that. You know of like if you get a, meeting. Request whether, you can you. Know have a happy hour with some, obscure. Conferencing. Tool that you've never heard or before that's awesome for your access. To your microphone, and your camera and so on in, a question, bat. Trying. To stick to at. Least the tools that you know and that can be very regional and. You know you might come across once again seen because it's a regional party or whatever it is but, bear in mind that, one, of the attack vectors, is to, gain access to your your, microphone, on you your. Camera and so on by installing. Software, specifically. Sorta. Surveillance, and. Pretending. To be a social, interaction where you're going to get sent years, or whatever it is is, an, attack vector with a live scene and it's something that's. Something. That is pretty, open, to bad. Actors, given, that we're all trying to do, interesting. New social engagements, so yeah are, there any, particularly. Unusual phishing. Attacks you've heard of that actually that, seemed insane but actually worked like either before the pandemic especially, now.
Just, Trying to think. Of any of those I know. I'm. Always surprised. At, how, simple. They. Can be to be effective. Probably. The most telling one I think. Was sort of funny. You. Can actually refer to it on the lookout website it was, called Viper answer, it's dated now, but, it. Was targeted, at a particular, forces. Group which let's face it back talking female and that was that was one of the first ones worse or you know. Hypothetic. Made, pretend. Ladies. Sending, pictures to men, and saying, hey, if you want to have, a more intimate interaction. Install this software and it's. Amazing, to me that we watched the people that got hit by that literally. On one, of the important, borders of the world where all of the armed forces were deployed. Very. Very successful and very rudimentary, um, from. Obscure. Perspective. Most. Of the obscure, ones tend to come through email, with a convoluted, story and. That you get you get tied up in the story I guess. The, program. Listening there's one other one that I forgot to mention which. Is um, and. And it's particularly. Bad for. People. That are not as experienced, with IT and I'm often the elder community which, is let, me help you you've got a problem with your computer or your, firing. And always amazes, me how effective. Those ones are as well yeah, so. Expanding. Out from your company to companies, that you might work with are there any best practices, for ensuring, that any you, know third-party, vendors that you work with who. Might need access to secure information are, less likely to accidentally or intentionally compromised. Your network and your information. That's. That. Hasn't really changed in the covert. Scenario. That's. Where, you're sort of using digital rights management and, control of intellectual, property those, those tools wait for, us that, hasn't changed. Because. Everyone's. Accessing, things the same way so this, is about. Implementing, the right deal be. The. Right potential. Digital. Rights management on, content. Not. Only on sharing, outside of mobile containers, that sort of thing so for. Us that hasn't, changed a great deal, maybe. With the exception of the fact that well, it's not for us the companies that are using. Comprehensive. Use of VPNs it, tends to make that a little bit more difficult, especially if. They're parameter based tools so.
Keep That in mind if you're if, your application. Is all revolved. Around your, perimeter and. You're. Having people connecting, from VPNs, that. That's kind of make your life more problematic, from a management intellectual, property perspective, um there's a related thing that I wanted to raise, though and this is especially. In, the healthcare. Is. There's. The. Health care everyone. In the healthcare, industry at the moment on you, know we're all indebted, to the doing an amazing job, absolutely. It's it's it's. But. With, the. Added, pressure and, I've actually a lot of a few friends of working this face they're. Having. To come up with new and unique ways to solve problems like we've heard of people, building, ventilators. And all that sort of stuff, there. There's, it's. It's troublesome. How. Do I put this, the. Health care regulations. Does it relate to things. Like digital protection of people's information keep. Up, that. Doesn't go away because of the pandemic so, try. And make, sure that people. In the healthcare industry, are using, tools, that, do. Encryption, of data or na transmitting, data and that sort of thing and and, that's a big challenge right now so. Educating. Doctors. And, that sort of thing on how to use, tools. That, make not. Compromising. Individuals. Pristine, and their private health information is, sort, of important as well but, making that easy for them is all I would focus on from an IT perspective right, now, we. Want, to be possible, for them to work as fast as they, can and focus on the patient, and what's happening, rather than I - so. I'm forcing them to do unnatural. Things is not the right. Approach right, now I'm making it easy as possible it's the way you wake up okay so. Where. Do you see fishing, going, and five to ten years from now is this just gonna be a constant arms race where it's you know fishing counter fishing fishing County fishing or you. Know is there a way you know is there a way to make it keep it from getting worse is this something that you know we, think of like spam like we still get spam but spam filters have effectively. Sort of like removed spam as a thing that you experience. More or less on a day to day basis, is there any similar. Track for fishing or is it just gonna be part of our life for from now until forever I. Don't. Have, good, news here yeah. He's. Gonna be a constant arms, race. Let. Me give an example I. Think. That it's gonna be a wonderful revolution. When we're able to get rid of passwords, yeah. And we can do let's, say for example not. Picking on any particular company or standard. Or anything but the final alliance with Fido. UAF. To the product. To universal. Indication, is a great, step, in eliminating. The. Type of fishing that I talked about before which, is where you steal a password, and then steal, data from person, yep, that's great but, you, can guarantee that. The bad guys are going to once, that problem, is solve then they just attack, a different vector, so. I don't think that that's going to go away and, I really, like that movie catch, me if you can and let them and I've actually been lucky. Enough to meet the original, frame. Care end and he, talked, to our company, about, the future of cybersecurity and what what, what. He sees and, it's. Not a rosy, picture laying, the the the way that he described it is if. You. Looked. At trying to do today. What. He did back, then to. Create, a look you know he. Purchased. An entire printing, press to pre, checks, of a significant. Quality. Signal. Even enough for high enough quality that, they could be passed off as real checks he. Literally. Took, over an entire printing, thing in Europe you. Can go down to Office, Depot and buy everything you need to set, up shoppers Frank today right, right on so it's actually easier today, in many respects to, socially.
Engineer, And the, tech people so. Kind. Of hacking as a service things out there where you can just pay, someone a fee and then they do you. Know either the hacking thing for you or they give you the whole fishing template, and and set you up everything, yeah oh. You. Can buy for 30 bucks a fishing. Kit that will give you the ability to. Perfectly. Represent. A website. Like it's a financial institution for, that restaurant, with. All goes everything you, know it looks perfect, you. Give in buy the domain that, will look just like the right, domain you, can get a certificate for, it so it can be SSL, and the kits include. Things like one-time, links so I send, you the link you. Click on that and you're you're fished, but the, the. Secured, gateway there's doing analysis on that same link sees, a regular, website, mmm so the there. The. Techniques are very advanced, and the cost of entry is very low so, we. See you, know thousands. Of new kids a week. I'm. Sorry not good news yeah, but I think, that and. We always talk about this is as, part, of what should be good digital. Hygiene, people. Need to be made more aware of it the whole education. Like there is not going to be a technology, panacea. That solves, this problem, it's. Going to be a dual. Arms, race and. We're, going to have to increasingly. Teach people about it so no. That's. A shame but it's just going to be part of their lives okay, so let's let's sort of wrap up on that any final tips or tricks to keep yourself from these next wave of phishing, deceptions. Always. Like. The first thing that we, mentioned the, grammar, and that sort of thing that's an obvious tell, you um think, twice about whenever, you're, sharing. Personal. Information that. As. Recently as yesterday my, wife, we changed health. Care provider, not to go into my personal I think detail but the, company, called us and said and. Started asking questions for, personal information and and, well it, was great my wife said it's you, you called me I'm not going to start giving up because of personal information unless I call you so think, of that equally, in a SMS. Email. Type, world you're, on if you're getting inbound. Questions. For. Personal. Information or. All. Corporate information or anything like that be very wary and that's part of the problem on the v-mail because you send people questions in email so unless, you know that this is a verified, interaction. And you have pretty cool you're pretty confident that who's. On the other end if.
You Get unsolicited, questions. In an email in. SMS. Over. The phone anything, that's unsolicited, asking, for your personal information be. Wary, that's the think of what, you're giving up and to me, yeah. Okay. So you know just like to wrap up today tell, us about some of the work you do look, at what are some projects, you're doing right now that you're especially excited about. Think. Probably, the. Thing. I'm most excited. About is actually the the fishing petition because it's quite unique, we. We, recognized, some. Time ago that as people start to work outside the perimeter and this was before over, it's, increasingly. Common, that people work from home or work. On the road and and we're, more, and more mobile and things like 5g. And and, so on and more advanced tablets and, things are just going to make that increase, as. People. Start moving out onto these devices, and so we're working out from outside of the corporate environment. That. Protection, of, what. That I can click on and not link to malicious sites or official, sites is going to be critical, and I think that. It's really exciting to me because we're, we're. Taking a different approach even, what, we're taking a different approach in that we block on the endpoint which, is unique. The. Other thing that we're, taking a different approach on is how we catch. The bad guys so, I'm not going to divulge. Exactly. How we catch them because they. Tell. Us you. Can. Tell me, tell. Me what do you do right we don't analyze links. We hunt for new. New. Kits new, science, new so, we'll, block, frequently. There's a on, our website there's actually interesting, articles have be dated now but how we're protected, against. A hacker to, the DNC, but. And, we. Were able to take that phishing site down before, eating it up live but, I forgot. I have, to be able to steal, data so. We're. Very, focused, on how to catch. These. Bad. Actors before they. Do, any real damage and, I think that that's quite unique. And. So I'm excited, by that, I'd. Say that other thing that I am. Excited about what we're, doing at Lookout is, we're. Increasingly. Providing. Solutions, for companies, to, protect. Data on these devices, and. That's an area of research for, us at the moment and. That's. Interesting. To me because a. Couple of reasons firstly. People, are increasingly, working on those, tablets and, that type of thing so tablets, is a big focus for us right now because there. Is such a common tool for working. Intellectual. Property and so on and, the. Way that you do security. On these types of devices whether it's a phone or a tablet or any modern, operating, system needs to change, as. In on. Your, work, PC, these. Security, tools can, be very invasive and, and, monitor, everything did get sent over the wire and look at what processes are running all that sort of stuff when, it's an iPad. Or Android. Tablet or whatever, firstly. The operating system doesn't let you do that and, secondly you're. Getting texts, from your wife and all sorts of things on that so, there. Will be an invasion of privacy so. I'm. Very focused from, a research perspective on, how, to do. Protection. Of data in, the context, of this. Being a personal, device because, we see almost, all companies, having. A proportion, of BYO, devices. And the proportion, of manage devices and, it the wire proportion. Because, of just, wait oh, yeah, yeah. Yeah yeah for sure okay. So one last question mr. Lamar bells if our listeners wanna know more about Aaron Carroll or look at where can they go online, so. This. Device is Lookout calm okay, with, this really, awesome blog there that we have all, about you, know security in the mobile space that, one. Amerimike. Just your. Bio is more comprehensive I think that one, a little. Back in the beginning of the video again yeah I mean. One of the place that I would encourage, listeners. Especially that will focus on mobile phishing is to. Subscribe to the trophy fish. A.i. Which. Is could you say that again you you sort of sort of squelched for a second there digitally so what, was it again, fishing. Okay. That's. A pho. 15, um, that's. A. Twitter. Feed of. All of the latest things that we find on, at all that, many of the latest interesting, findings, that we find. Specifically, targeting, or fishing for example, and and unique novel kits, and mobile threats and so on so sort. Of providing, that as a services, like, we we, don't we. Provide a lot more down obviously to customers and so on but that's a really, interesting feed, if you want to get up to date on the most recent.
Phishing. Attacks that live on you very, cool Aaron, thank you so much for joining us today this was a really, really informative talking appreciate it thank. You and. Thank. You all as usual for watching and listening if you enjoyed today's video you can find many more on our youtube page just go to youtube.com and, type in cyber work with InfoSec, to check out our collection of tutorials interviews and past webinars, if, you'd rather have us in your ears during your work day all of our videos are also available, as audio podcasts, just search cyber work with info second your podcast capture of choice and if you wouldn't mind please give, us a five star rating and review, and you're in whatever you wherever you listen to us for. A free month of the InfoSec skills platform, that, you heard it to being the intro today's show, go to InfoSec institute comm slash, skills, and sign, up for an account and in the coupon line type, cyber, work a one word all small letters no spaces, and you'll, get one free month you. Can also use our free election security training resources, to educate poll workers and volunteers on, the cybersecurity threats, they might face during this election season for, information on how to download your training packet visit InfoSec, institute comm slash, IQ, slash, election, - security, - training or click, the link in the description, thank, you once again - aaron Cockrell and thank you all for watching and listening and we will speak to you next, week.
2020-06-18 18:24
