SECURING YOUR DIGITAL ASSETS AND IT SECURITY (Part II)

A discussion with Craig Smith

Since 1993 Craig has been instrumental in leading encryption and backup services, internet filtering offerings and compliance. Craig has been published in dozens of magazines for his innovative channel programs, network security involvement, and has chaired the board of Resellers for Faronics Inc. Craig holds an MBA and has served in VP and director positions for 8e6 Technologies, St. Bernard Software, TriGeo Network Security, and others.

Craig Smith came to BorderLAN Inc. after more than 15 years of leadership and vision in the IT security industry. Craig joined BorderLAN to help continue the success of the company in driving new innovative product offerings and open new vertical markets. Since joining BorderLAN Craig has hired key staff that have earned partner of the year with each of our key vendors. His passion is to provide the best level of service and represent the best products on the market.

 

Talking Points

  • How to protect yourself and your business from hackers.
  • Why it’s important to create “Islands of Security” in your business.
  • The three things every business must have in place to do business with other companies.

Connect with Craig Smith 

Website
https://www.borderlan.com/


John DeBevoise: Greetings everyone and welcome to another serving of Bizness Soup Talk Radio. If it’s in business, it’s Bizness Soup. I’m your host, John DeBevoise. Joining us again from BorderLAN’s cybersecurity is its President, Craig Smith. Craig, welcome back to the program.

Craig Smith: It’s good to be here. Thank you for having me.

John DeBevoise: Earlier in our other serving of Bizness Soup, we talked about the threats and where some of them are, in a generalized situation. I want to get into some specifics on all of these conveniences that we have for us now, from monitors that we can tell our house what to do and ways that look like for the business and for the family that there can be intrusions from less obvious sources. What are some of those sources? Can somebody infect me from the doorbell?

Craig Smith: Actually, they can. That’s a really interesting point. The doorbell is connected to the wifi.

John DeBevoise: And the wifi is obviously part of the router.

Craig Smith: Right. What’s happened is we think, general population thinks, we are going to get a wifi connection or a router from AT&T, or Cox, or one of these providers and that they’re going to do the security, that they’re going to take care of us because we must have a connection, and that there must be a man behind the curtain protecting us from these bad, bad people. When in fact, that’s not at all true. You brought up convenience, the Ring Doorbell, and the other, Nest and some of the other doorbells, these are devices that are connected to the wifi and for convenience you can see them on your phone. But it is a path, a backdoor in, that is connected to the internet. Yeah, it’s a very, very big threat and a very big risk.

John DeBevoise: These devices, which could be my toaster, it could be my refrigerator, it could be any device that is connected to my wifi, which is, as we mentioned, the router. Any device that is communicating through the electronic system isn’t necessarily going to be the direct attack, but it can put an infection or a virus on my computer, on my network that will be sitting there for days, weeks, months, waiting for the prime opportunity to capture a password and then they have the golden key to everything that I have.

Craig Smith: Yeah, that’s exactly right. The vast majority of malware, these are bits of code, are designed to find the path of least resistance. They will find the way in through some sort of an update. Because all these doorbells, and the refrigerators, and TVs, they’re all connected to the internet, and maybe they were purchased a few years ago, what happens is, because they’re connected to the internet, they are always open to receive updates. We’ve always seen, “This product is updating, that product is updated.” What’s happening is a hacker can look at that and say, “I’m just going to pretend like I’m an update,” and the system will update. They can load a password watcher, a sniffer if you will, and watch for that password. Yeah, you could have an enemy in your gates that is just watching for a password.

John DeBevoise: It can come from any source. My thermostat could be telling me, “Oh, it’s an update.” It is so common for us to go, “Oh yeah, all right. Update it” because it will just keep popping up, that update warnings, “Update, update, update.” So I’ll update the thermostat or any other device that is connected through the house. It could be a child’s toy or even the television, the smart televisions and such, can be looking at you, as I’ve learned that they are, and they can be tracking not only you and your personal interactions, but also having access through your wireless devices.

Craig Smith: They’re not just tracking, there’s two ways that tracking is happening. Number one is the big data, and this is the television that you mentioned, this is the ability for them to look at where you’re going and what you’re doing for the purposes of advertising to you. The other person that uses those update vulnerabilities are the hackers. In one of two ways, somebody is watching you. It’s funny, people have the Alexa and you can say, “Hey Alexa, can you turn off and not listen to me?” And she will say, “I’m sorry, I can’t do that.”

John DeBevoise: Wow. Well, no one’s ever going to be able to get me to do that either.

Craig Smith: We have to be careful of the devices that we have. The fact is that we are much less secure now than we were before.

John DeBevoise: I’ve noticed on my phone and through convenience that I can just say, “Hey Siri,” and it pops right up. I didn’t know that, I thought I had to turn the phone on at first, but it will come up. If you ever want to be misinterpreted, just ask your phone to call somebody and it will come up with the wrong name. I’ve never had such misinformation or made a connection with people I didn’t realize I was calling than to tell Siri, “Hey, call somebody,” and they call the wrong person.

John DeBevoise: We’re talking with Craig Smith, the President of BorderLAN’s cybersecurity. Turning this around to the different ways in which to infect my business. Let’s say I’m in a restaurant, I have a point of sale machine. Can I get an infection through the point of sale machine even though when somebody runs a credit card, the processor and such, there is that security between the card and the processor. Are there ways in which I can get an infection into my system that doesn’t necessarily include that point of sale transaction?

Craig Smith: You’re right on the money. It’s common for businesses to feel that they are adequately protected by using Square or some other processing. When in fact, that’s not really the case in some situations. Let me tell you the situation that we see most often in small businesses. That is where you have an internet connection, and you have a wifi connection, and you have a point of sale machine, and everything’s on the same network. That’s dangerous because the hacker doesn’t have to infect the point of sale machine if it can infect some employee’s computer in the back by having them click on something that looks real. Once they’re in that way, then they can watch traffic that goes by or attempt to update that point of sale machine, eventually hacking it. They don’t generally look for each and every transaction, they’re not looking for that. They’re looking to break in.

John DeBevoise: So as giving them some kind of access. May not be the direct access where they’ve got everything that they need on that one transaction, it’s just a little virus that sneaks in there that is constantly searching for other information.

Craig Smith: Yeah. Thereafter, a typical credit card number or a transaction can probably get anywhere between 10 cents and 50 cents on the open market. When you multiply that, again, these are not attacking this small business, they’re attacking everybody equally, they don’t discriminate. When they get this information, then they can sell it.

Craig Smith: Back to the question that you had asked, one of the best practices that we see is that your point of sale machines should not be on the same network as the other machines. If you’re going to offer wifi to your customers or your employees, that better be on its own network. If we put these things on their own islands, if you will, then we can create security policies around that that further prevent those hackers from getting into each island.

John DeBevoise: Is it better for your system, say within a restaurant or a business, to have everything hardwired into the modem?

Craig Smith: 100 percent, yes.

John DeBevoise: Because it’s really the wireless, the wifi, where most infections in a business can occur.

Craig Smith: Right. Not only can it occur, but we are seeing everybody tripping over themselves as a small business to differentiate by offering wifi when somebody walks in the door, not realizing that what’s happening is you’re bringing in infected computers, customers, and other would-be bad guys that could do all sorts of bad things. What’s funny is often customers that may have an infection, and don’t even know they do, but when they’re connecting to your wifi, that little malware program that’s on their phone or laptop will spend its time in the background trying to spider through your network, looking for a problem, or a hole, or an update that it can take advantage of.

John DeBevoise: When I go into a coffee shop of no particular name, but there’s free wifi like you just mentioned. That is a great hook to get people to come into your business, is you offer wifi services. First of all, you can have that wifi service, but it’s not connected at all to your business. Everything within the internal aspect of your business should be hardwired, which is a real pain in the neck to do, but I can see that it is a necessity to protect your data from outside intrusion. You bring these people in, they get to use the wifi, is it just open season on the wifi for people to steal my customer’s identity right there in my store?

Craig Smith: Wifi is the dirtiest, especially the free wifi, is the dirtiest of all things. It should be avoided at all costs if you can help it. It’s better to use your cell phone plan for security. Hackers are known, it’s very common to take a laptop into a crowded Starbucks, and they will share their wifi connection and call it Starbucks. So people will connect to their computer with their credentials and now you see their email passwords coming through and you see everything you need to know. They’re doing business thinking that they’re really connecting to Starbucks, and they’re not. It’s that problem plus everything else.

John DeBevoise: I could be paying my car payment or I’m going to sit down at the local coffee shop, without using names, and pay my bills and now I’ve just given everybody access, in particular the hacker, access to my bank account. Right there on the spot while I’m paying my bills.

Craig Smith: Right. In the traditional way of having somebody sitting somewhere hacking, it’s still common. But what is even more common is that the malicious malware that is already on one of these systems, once connected will use that connection to see who else is on and look for vulnerabilities, and thereby spreading. One very common problem that we’re seeing, and I went to an actual, it’s an unnamed water district somewhere around here, I’ll just say that. What was happening is the employees are using their own personal devices to disconnect from their secure, hardened system in order to connect to the public wifi so that they can get to the Netflix, and they can stream movies, and they can get games, and the things they want. But what that just did is that introduced their secure corporate system into the dirty web, which is then shared by everybody and all the malicious people. One employee doing that act alone could cause the entire place to be breached.

John DeBevoise: Now with that in mind, “We don’t need that security.” I’m going to quote you, “We don’t need cyber security, we sell hammers.” Who said that?

Craig Smith: That’s actually a statement from Home Depot before they had their breach of, they don’t even know how much honestly. It’s hundreds of billions of dollars they’ve spent so far.

John DeBevoise: They sell hammers, what do they need cybersecurity for?

Craig Smith: That’s what they say. Everybody says that, “We’re not under attack. I’m just an accountant, why would they want me?” Home Depot has a massive amount of credit card data, loan data, employee data, health data, you name it, they have it. It’s a gold mine, as is any business who processes anything. Even a small business who does business with Home Depot, or let’s say a tax service who does business with someone, that tax service and that employee of the tax service might be the way in to the larger firm because they have a connection, they’re doing some connection with them. More and more, the Home Depots of the world are going to start to say to us small businesses, “You guys have to be secure in order to do business with me.”

John DeBevoise: So if I am a small business owner and I’m doing business with Home Depot, like they do business with, and it could be Costco, it could be any business. A bigger business is always doing business with the small business owners, my audience. I come through the door with my product, it’s likely that if the big box doesn’t already require it, they’re going to say, “In order to do business with us, you need to have this type of security protocol before we will take your inventory and put it on our shelves.”

Craig Smith: Yeah. We’ve seen it now starting, it’s starting in the counties and the cities and the municipalities, they are beginning to require certain security protocol checklist prior to doing business with a small business firm. Further, we’re also seeing a movement with banks and people that do loans. In order to get a loan, or secure a loan or a line of credit, now they want to know for small businesses, “What is your security posture? What are you doing to defend yourself? Can you fill out this information?” We are not in the point where as a small business we can say, “Well, Cox set up our internet, I don’t know.” That’s not something they’re going to be okay with.

John DeBevoise: That’s not acceptable. What would be, say the top three things that would be on that list that I would be asked to provide if I came in and said, “I’m going to be doing business with you.” What top three questions would you be asking me about my security?

Craig Smith: They asked, “What are you using for your antivirus? Are you monitoring this antivirus? Who is watching the antivirus and how do you know?” That’s the first thing they’re going to want to know on this form. The second is, “What is your firewall? Who watches it? Who monitors it?” This is not set and forget stuff, it’s the active defense. Then the third is, “Where is your data? How are you protecting it or encrypting it and ensuring that it is protected?” Those are the three things they look for.

John DeBevoise: If I don’t have all three of those, they may say, “Come back when you have them.” Where would I find that type of service?

Craig Smith: Obviously, we provide it. BorderLAN provides the service to small businesses to ensure that they are properly protected. Even if it’s two users, even if it’s three users, we go in and we can land, we can border you, to ensure that you’re properly protected and that you are able to answer those things. Also, what’s an interesting point is that not only can we protect that, but we can help you with those types of surveys so that in the event that you have a moment of a policy, let’s say you’re applying for a general liability policy, which is something they’re requiring now, we can help them fill that out if we’re providing a service to our customers.

John DeBevoise: In other forms of invasion to my business here, and of course my focus is always around the small business owner, we’ve talked about how it can be from secondary devices, those convenient items, as well as most of the dirty work comes from the wifi. What about these devices that I have seen that goes between the wifi and my computer? Is there any way to protect myself with a physical device that creates, is it a local area network? Encrypts the signal from the wifi.

Craig Smith: Yeah. Most wifi connections need to have proper security, most devices need to support proper security, and most importantly these devices need to be on a network where it has been structured properly to use the island scenario. That each device has its own role and that role is specific for what it does, a thermostat does what a thermostat does. What we do it as a company, we see with small businesses, we can program all the little convenience things that you want, but we keep them in their own island and we make a policy saying, “You can do that and only that.” By doing that, we can help protect people. That’s really what small businesses will need to do. Unfortunately, it’s a little beyond the scope of what most business owners can do because it’s very, very technical.

John DeBevoise: As far as the software that is available, that comes either with the computer or as a subscription that protects your personal computers as I know I have, are they a cure all? Do they fix it? Can things get past them?

Craig Smith: I only have one word that comes to mind and that is garbage. What’s happening with these freebies that come with the computers, that they are freebies, they’re bloatware, they’re very, very heavy and they’re often either infected themselves already or they are coming with an enormously heavy subscription that you’re going to have to, as a small business owner, pay for. It’s not going to do you any favors. The stuff that we see that we provide, and by the way, our company provides something north of 3 million computers for protection. We handle about 3 million computers, 2,200 companies. Some of our customers are very large and so we know the ones that work and don’t. The stuff that comes for free is for free, it’s no good.

John DeBevoise: You get what you pay for.

Craig Smith: You get what you pay for every time.

John DeBevoise: We’ve been talking with Craig Smith of BorderLAN’s cybersecurity. For more information, visit us at bizsoup, that’s B-I-Z-S-O-U-P, .com, for more information on covering your assets. Craig, thanks for joining us again on Bizness Soup.

Craig Smith: Thank you for having me.
