Breaking Myths in Cybersecurity with Grant Erickson #inch360'24
[00:00:00] Welcome to the CyberTraps podcast. I am Jethro Jones, your host. You can find me on all the social networks at Jethro Jones. The CyberTraps podcast is a proud member of the Be Podcast Network. You can see all of our shows at two B podcast dot network. And today on the show we have a special interview from the Inch360 conference.
That's the Inland Northwest Cybersecurity Hub. They put on a conference each year and I have the great fortune of being able to go to that conference and interview a bunch of people. So that's what you're going to hear on this episode. I hope you enjoy it. And if you want to learn more about Inch360, go to inch 360 dot O R G.
All Right. Well, Grant, we are here at the Inch360 event here in Spokane on beautiful Gonzaga campus and thankful for your partnership in this event and making it happen. Can you start by telling us why Intellitech thinks this is a [00:01:00] good thing to be involved in and part of?
Yeah. Thanks, Jethro. At Intellitech, we really appreciate what is happening here in the Spokane area and in the Inland Northwest around technology. And we want to be supportive of all of those kinds of things that bring the tech community together. There's a lot of events. I think this is a really great one that happens here in Spokane.
And the reason we're really a part of this is that we think as a software developer that security inside of the software is just a part of it. People say, hey, do you guys do security? Well, you guys don't do security, you do software. I said, well, no, no, you can't do software without doing security. It is all baked together.
And to raise the awareness of folks here in the community that are doing security, we think is a really great thing. Because so often we'll deal with our clients, some of whom are in the area, some of whom are nationwide and globally, that just don't have a lot of information when it comes to what the realities of security are.
And so this really gives us a chance to be part of a community that's talking about these things, hopefully dispelling some myths and hopefully actually bringing some things to the forefront that [00:02:00] actually are real things that people need to be concerned about. And just like we're in a session right now, we're talking about social engineering and phishing and things like that.
Super great discussion around what this actually means. I mean, we're talking numbers between 85 and 92 percent of the attacks are because of people. And I think a lot of folks have been thinking about security. It's like, go buy a thing, or go pay a company to come in and build me a thing that makes it all secure.
But so often it's, did I leave my laptop overnight in my car parked on the street? Right? Or did I respond to that email that I thought I got from my boss that was asking me to go down to the corner store and buy 5,000 worth of gift cards on my own credit card? Right? That kind of stuff. You, you can't buy things that solve those problems.
Yeah.
Well, and that perspective of it is the solution is not a product, it's not a program, it's something that we, it's between our two ears, right? It's, [00:03:00] we have to make those decisions ourselves to be better. So, you mentioned that there are some myths around things, especially as it relates to security.
What are some of those myths that you hear often that are just like, either, you don't need to worry about this, or you really do need to worry about this?
Yeah, great question. Uh, and I think just a couple off the top of my head would be, Hey, you know, I, I bought Google or I bought Office 365 and therefore I'm now secure.
You know, I'm, I'm using MFA, therefore I'm secure. And those are all great things. I mean, I think not having your own servers, there's probably a significant security thing. I mean, trusting that Microsoft and Google and Amazon, they have better security engineers than you will have on your staff is probably true.
However, I think some of the myths around that are that it's possible to create very insecure environments. Now, they're doing a much better job, especially we're part of the Microsoft ecosystem primarily. And we're seeing these things that you now like having MFA is no longer optional, right? You have to be doing some of these things.
And so I think that's helping. It's not all of the things and, and you still have things like, uh, ransomware attacks, that [00:04:00] there's a lot of vectors still, even when you're using a large third party tool, a SaaS solution, where you can still get into trouble. Uh, and we see these in the news on a regular basis, where someone took all of their information, all their files, and they're now encrypted.
Because one person, all the stuff they have access to, they, something got on their computer and now all those files are encrypted. And so there's a lot of different things, even when you're looking at, um, Oh yeah, I've had this application. It's been running for a long time and it's been perfectly safe and all that.
Honestly, that is probably from our perspective as a software developer, one of the single biggest issues that folks are going to have because stuff that was built in the early 2000s, I mean, it was kind of like, Hey, you know, we're just hoping people are good and maybe that'll be enough. And the problem is, is now folks want to take that and they want to put it on the internet or they want to have it exposed in such a way that maybe haven't thought about, Hey, what are the implications when I'm logging in?
I mean, there was just that case, uh, where was it? Uh, somewhere in the Midwest where there was a guy, and he went on to the education, Department [00:05:00] of Education's website, and was looking through the page and just opened up the development tools where you can kind of see the stuff that's being passed back and forth, and lo and behold, as he searched for different teachers, it included their social security numbers, right there on the Department of Education's website.
And it was really interesting, and I'm getting off a little bit, but I think it really kind of brings us back to a point that, what it was interesting is he sent a note, before telling anybody, he didn't publish this, he just sent a note to the Department of Education and said, Hey, you have this vulnerability and you need to go fix it.
And they prosecuted him for hacking their website. I mean, literally he pressed two keys in order to make this thing happen. They were already sending the information to his computer. They didn't end up prosecuting him. They, they realized that they were being idiots and that was, he was actually trying to help them.
And I think trying to develop those kinds of things where you don't maybe know exactly what you're exposing. And so I think any applications, especially web applications like that, written more than like 10 years ago, or even five years ago, are going to need kind of a relook and see what's going on inside, because there's a lot of things, SQL [00:06:00] injection attacks, where you can go in and actually modify the database, those kinds of things can be, can be pretty scary.
And those things are scary, so let's talk about that idea of leaving your laptop in the car overnight, or leaving your laptop somewhere, just out, right? Is that as real of an issue as it seems? Can somebody do something with your laptop or would it be better to just steal it and sell it on to somebody else in the black market or something?
Like what, what really should we be concerned about there?
Yeah, right. I guess the fundamental question there is, is this the laptop worth more as a piece of equipment or is, is the data on it worth something? And so I guess at a certain level, if you have a really nice laptop, they might just grab it and be able to swap out the hard drive and, and you may be okay if you don't have some kind of tracking.
Most laptops now, at least a lot of the business style ones, have some tracking stuff in them. So they know that, Hey, you can report this as lost. If you install Windows, it will somehow phone home and you can detect that this laptop has come on somewhere else. Now let's talk about the stuff that's on it.
Fortunately, most of the laptops that at least we're getting recently have [00:07:00] BitLocker on the hard drive, which means that the hard drives are encrypted. Now, if you have laptops that are not more than a few years old, BitLocker wasn't turned on, which meant that everything on your hard drive, which you can literally just take the hard drive out of the computer, remove a couple screws, take the hard drive out and put it in another computer, and you're going to be able to read all the data on the hard drive.
So that's a significant risk when it comes to losing your hard drive. So make sure that using BitLocker, I think it's a great first step. And then there's just some physical security things, like making sure that you have, just, your, your passwords are set strongly, that you're, you have, uh, enough that your PINs are set if you're going to use a PIN, that kind of thing. So if you fail a number of times, and these are just kind of the standard things. We're really finding that at least on the Microsoft side and a little bit on the Apple, I'm not as familiar with that, I use Macs from time to time, but Microsoft's really building in a lot of those things, baking it into the OS, which is, so it's actually now a little bit of a hassle to try to get around.
You have to set up some extra things to not do it, which I think is good. It's encouraging people, just good, in general, security hygiene. So, yeah, I think that's a, that's a tricky [00:08:00] thing. And then when you have to, like, let's say you're somewhere and you end up, you have to go somewhere, you have your laptop in your car, what are you going to do?
You're going to put that thing in your trunk so you can't see it. And if you don't have a trunk, you're going to put it in a place where you can't get to it, and I was even thinking about even having, because a lot of these things are just crimes of opportunity, most of the time. Break a window. My wife had her laptop, it was sitting on the front seat of her car, in a bag.
But somebody just came by, broke the window, and grabbed the laptop, because it was easy. Right, and I've been thinking about, hey, when that happens, do I want to just put a lanyard on my bag? So that, because that's going to, most of the time, it's going to stop that, the opportunity thing. Now, if somebody's targeting for you, like, let's say you're an executive or something like that, or have information, I mean, that's a whole different deal, and like, that laptop probably should never be used out of your position.
Well, and that, that brings up a good point that sometimes, uh, the, depending on your role and your position, you, you need to have a higher level of, uh, security awareness. So I was a school principal for a long time and my, my laptop stayed, excuse me, my laptop stayed in my [00:09:00] office. I didn't take it home ever.
I always left it there because I just didn't want to risk leaving in my car having something happen. I got student information on there, their identifiable information, and I don't want to get that lost. So I would just leave it there. Now in the beginning of my career, I didn't do that. And I took it with me everywhere.
And eventually I was like, what's the point? You know, I don't, I don't need to do work at home and I don't need access to this at home. Anything I do need access to, I can access from my home computer, getting on a VPN through the school network. So, and that's just being a principal, right?
That's not like the executive of a healthcare company or, or a, or, or a doctor or anything like that, that has more identifiable information. So those are, some good things to be thinking about. Um, so in closing, uh, how can people find Intellitech and learn more from you and get in touch with you?
Yeah, fantastic.
Yeah. One of the things that we try to do is just be a presence kind of in the community, and so we're going to be involved in, uh, actually a symphony [00:10:00] event coming up. Uh, there's, uh, Beethoven's 10th symphony was not completed, and so he didn't have time before he died to complete it, but there's just some pieces of it.
And so we're partnering with James at the symphony, uh, who's the conductor, to go ahead and, and have some extra AI things around that. So what they did is they had an AI create a version of the Beethoven's Tenth. And then they had a composer, a human composer, create it. And they're going to play both, or at least a portion, of both pieces.
And so we've made some software that is going to make that more of an interactive experience. Uh, so folks are going to be able to kind of respond as a group. And the idea of, hey, we, we're, we have a couple thousand people together in the Fox Theater that are going to be not only experiencing this thing, but also being able to see what other people are experiencing around them.
So, pretty excited about that. Uh, if you want to check that out, um, you can go see the symphony or come to our site. We're at intellitech.com. Uh, you can search for us. We should be pretty easy to find, but we do all kinds of software, uh, from, uh, small things to very large things. We work with Fortune 500, Fortune 50 companies as well [00:11:00] as a lot of companies here in the Inland Northwest that have little software needs. And like when you talk about security and things like that, one of the pieces is just being able to have a specific application that fits your needs when you don't find something that you can just use out of the box. Hey, Salesforce just isn't working for us, or this other ERP or whatever it is just isn't a good fit for how we want to do business.
We believe this is kind of our secret sauce. Like, we're the folks to call, uh, when you want to come and say, Hey, I want something that is going to optimize my business. We've reached a point where we can't use Excel anymore. We've scaled past Excel. That's, we're there to help, to advise. And sometimes that means customer software.
And sometimes it means, Hey, we're going to point you toward an off the shelf solution. Uh, this is going to work for you. So we just try to make sure that we're doing the right thing, for all the folks here, because we're in a small community and what it's really about is being able to develop the trust of all the folks here, because that's where our work really comes from is from folks that recommend us.
Cool.
Okay, well thank you for being part of Inch360 and thank you for being part of the CyberTraps podcast today, Grant. Thank you. [00:12:00]
