I’m Jim Love, CIO of IT World Canada, sitting in today for Howard Solomon. With me to discuss some of the news is Dinah Davis, Kitchener, Ont.-based vice-president of research and development at Arctic Wolf.
But first, before we get to that, a quick look at some of the headlines and the stories Howard has been covering for the past seven days:
Many employees working from home see cybersecurity as a hindrance, according to a survey. And they admit that they’re trying to bypass security controls. That’s one of the topics Dinah and I will discuss. Another is a report showing that password brute force and vulnerability exploitation are still the leading ways organizations’ environments are being compromised.
Apple users should update their devices as soon as possible because the company has issued security patches for two serious vulnerabilities. One of them was discovered by the University of Toronto’s Citizen Lab, and was allegedly used to compromise the devices of activist reporters. Threat actors are also using a Linux version of the Cobalt Strike hacking tool. This means IT teams with Linux infrastructure have to worry about detecting the signs of this tool before the malware gets installed. And lastly, researchers discovered an unsecured database open to the internet with 61 million records from wearable fitness devices that apparently belong to an American application developer. That company’s website has been offline since the news broke.
(The following is an edited version of my talk with Dinah Davis. To hear the full conversation play the podcast.)
Jim: I’ve been dying to ask you one question since I’ve met you: Where did the name Arctic Wolf come from?
Dinah: We have two founders at Arctic Wolf, one based in Canada – Kim Trombley – and one based in the U.S. – Brian Naismith. At the time most of the employees were going to be in Canada. They had a few criteria for figuring out what the name could be. One was that they wanted it to start with an “A” so that anytime things were listed alphabetically we would be at the top. They floated a few different animal names – I don’t know why, I guess they liked animals – and Arctic Wolf stuck. We’ve really leveraged it inside the company: We’re all wolves and we’re part of the pack and the pack is stronger together and all of that. And we do literally howl at meetings when amazing things happen. It’s a lot of fun.
Jim: Where I want to start is this article that says employees see cybersecurity as a hindrance. Almost half – 48 per cent – of younger office workers who responded to an online survey view security tools as a hindrance. Are you seeing that?
Dinah: I have been seeing that in my world since the early 2000s. I was a security software developer at BlackBerry, and we were very concerned right out of the gate about mobile security. There’s always this dichotomy between usability and security. How usable do we make it? What risks are we willing to take to make it usable enough that people will use it versus what is the bottom line on the security value? So it is this trade-off. The other thing that I always said, especially when at BlackBerry, is that users don’t even know about security until they don’t have it. And so the minute they don’t have it, or the minute it’s broken, then it’s a big problem. But before that, they don’t really care about it.
Jim: And 31 per cent said they try to bypass the corporate security. I get interviewed on a similar topic and here’s my call: Get over it.
Dinah: But to another degree, there are things companies can do to make [security] usable: Going to a one-password-only system. That’s what we have today. We literally have one password. It logs us into everything. Everything uses SSO [single sign-on]. So I have to do my big password and multifactor [authentication, MFA] at least once a day, and then I’m into everything. That is really very helpful. Other things can be encrypting the computers. It really doesn’t impact the users very much. So what are the things you can do in your organization that add security but don’t have a high impact on the users? If you lock down computers too much and don’t let them put their own apps there, and you don’t have a fast process for approving new apps, that can be a pain because that’s when you get shadow IT. When somebody really wants something then they’re going to get it.
And the other thing is education: teaching people why it [cybersecurity] is important. And I’m going to plug our stuff just for one minute. We acquired a company a year ago that builds online training. We get a little two-minute video every two weeks and everybody actually looks forward to it … And because it only takes two minutes, it’s quick, it’s easy, it’s fast. Whatever [education] product you get, you don’t want half-hour videos that are really dry and boring. Nobody watches them. So whatever you’re doing, you want training in bite-sized chunks.
Jim: There’s a couple of free videos on our sites which we made with great humour. But the point I think is you have to have a conversation about it [with staff]. It doesn’t have to be one of those ‘point-your-finger-and-be-grouchy-about-security.’
I want to go into another story. [Ransomware group] REvil’s back.
Dinah: They shut down on July 13th after their massive attack on Kaseya. And a lot of people thought, oh yeah, they’re done. They’re not coming back. They’re way too scared. Maybe they just wanted a summer vacation.
… [But] ransomware is not going to go away. And when they did go down, they left a lot of people in a bad state. People couldn’t go and get their decryptors for the files. [Editor’s note: Bitdefender just released a free decryptor for REvil victims.] I mean, realistically we expected REvil to come back, but we thought maybe they would come back under a new name, a different organization. So it was really surprising when all of a sudden on September 7th their Tor payment negotiations site and their Happy Blog data leak site came back online. It proved to us that they were back when, on September 9th, someone uploaded a new REvil ransomware sample to VirusTotal.
Jim: This goes back to our password discussion. I was amazed that brute force attacks are still so prominent because Kaspersky is sharing new insights in their incident response analytics report. In 63 per cent of cyber attacks investigated adversaries used password brute force or they exploited software vulnerabilities. That means we still have the world’s most awful passwords.
Dinah: We totally do. Account takeover is one of the most effective ways to get into a system, where you log in as somebody else. You get all their credentials and all their power and everything. And the easiest way to do that is with brute force attacks. Now, unfortunately, no one has learned that they need to have a different password for every single thing they use. Every single thing you use needs a different password, unless you’re using a single sign-on application. So the key there is password manager, password manager, password manager.
Jim: And they’re not expensive. I don’t care which one you use. There are three or four out there that are just perfect. And you’ve got to have them. The other thing that I found out from my own research is length matters more on a password than [using] these crazy [special] characters, and especially putting four numbers at the end of your password. Forget it, it’s stupid, easy to brute force. And that crazy one, when you think you’re so good where you put the ‘@’ symbol instead of the letter ‘a’. Hackers got that one too. There are dictionaries for this stuff, folks. But the longer the password the better it is. And you can put password phrases together. They don’t have to be hard to remember, but length matters. Is that what you’re hearing too?
Dinah: Absolutely. Even an eight-letter password isn’t really enough anymore. Anything, anything I do is 12 plus. I use a password manager, so it just generates them.
Jim: Which is the best thing to do. But you need a password for your password manager, and it doesn’t have to be hard to remember as long as it’s long, but never use anything you’ve ever used before.
Dinah: And when you’re doing a new password do not increment the old one, because as soon as attackers get one password in their dictionaries, they’re going to add that password plus 100. So that ‘password one,’ ‘password two,’ ‘password three’ – they know we do that.
Jim: That’s our talk for today. Thank you so much, Dinah.
I’ll be appearing on Thursday, the 23rd of September at our newest event, Analytics Unleashed. And if you’re interested in security, data’s a big topic. We have a great headline speaker, Douglas Hubbard. You might know him as the author of How To Measure Anything, but he’s also the author of How To Measure Anything In Security. Doug’s not only headlining, he’s around for a live workshop. There’s a link to the event agenda and registration here.