Summary
This episode continues the interview with Evgeny Kudrym, discussing cybersecurity and ransomware. They cover various topics, including the importance of education and awareness, the growing threat of ransomware, and the importance of backups to prevent data loss.
Detailed Notes
This episode continues the interview with Evgeny Kudrym, a cybersecurity expert. The topic of discussion is cybersecurity and ransomware, and the guest provides valuable insights and advice on how to prevent ransomware attacks. The importance of education and awareness is stressed, as well as the need to separate personal and business life to prevent unauthorized access. The guest also discusses the growing threat of ransomware and its economic impact. Additionally, the episode covers various tools and techniques for preventing ransomware attacks, including threat intelligence, penetration testing, and bug bounty programs. The guest also recommends using backups to prevent data loss in case of a ransomware attack.
Highlights
- Cybersecurity is crucial for individuals and organizations to prevent ransomware attacks
- Ransomware is a growing threat, and its economic impact is significant
- Education and awareness are key to preventing ransomware attacks
- Separate personal and business life to prevent unauthorized access
- Use backups to prevent data loss in case of a ransomware attack
Practical Lessons
- Implement threat intelligence to stay ahead of ransomware attacks
- Use penetration testing to identify vulnerabilities
- Participate in bug bounty programs to identify and fix vulnerabilities
- Use backups to prevent data loss in case of a ransomware attack
Blog Post Angles
- The importance of cybersecurity for individuals and organizations
- The growing threat of ransomware and its economic impact
- The role of education and awareness in preventing ransomware attacks
- The benefits of using threat intelligence, penetration testing, and bug bounty programs
Keywords
- Cybersecurity
- Ransomware
- Threat Intelligence
- Penetration Testing
- Bug Bounty
Transcript Text
Welcome to Building Better Developers, the Developer podcast where we work on getting better step by step professionally and personally. Let's get started.
Well hello and welcome back. We are continuing a whole bunch of interviews and this episode we're continuing an interview with Evgeny Kudrym. We are, and I totally missed his name again. I apologize all over the place. Not my skill, but his skill is cybersecurity and he really sort of blew us away in the first episode and get ready to have your mind blown because he's going to continue this time. We're going to talk about why cybersecurity matters, what these measures that we can take will do for us and how we do our best to avoid becoming a target. So let's get back with the person that knows the most about this and talk with Evgeny.
Yeah, as you said, like, you know, ChatGPT shows up a couple of months later, people are starting, the bad guys are finding ways to leverage that. So back to that idea earlier where you mentioned about the idea of having an assessment when you, you know, if you don't know where you're at or if you're making a big change, is that maybe a tool that a company or organization should use to do a periodic update to sort of catch up with where the bad guys are or how, if not, what's the, what's are your recommendations? How do you keep up or ideally stay ahead of the bad guys out there to make sure that you're secure and as safe as you can expect?
Yes. So there is a number of tools on the market. The best to help you with this. One of them, the domain called threat intelligence, it's a company's aggregate information about new tools, about new attacks, about bad guys and what they're trying to do or what they're doing and providing this information. This information may go to emails, information may go to your ticketing system or to the systems that basically aggregate all the logs, what we call SIEM, in the companies as well.
So this is one way to understand and keep it consistent and to understand what the bad guys do. There's also exchange of that intelligence between companies and even between countries as well. So there is a lot of companies that basically help each other as they find the problem. There is also new techniques, architectures, new attacks where people write on LinkedIn, Medium and other media to explain.
We also have conferences. The two big ones are probably going to be RSA and Black Hat. Black Hat just happened in August recently. When in Black Hat, the guys that come in and they tell about the new attacks, they tell about the new, not malware, but basically the new ways they were able to hack different systems. If you go to Black Hat, you will see ATMs, you may see a smart car, you may see Tesla. I think this year they were actually showing the ways to how they can hack different flying systems and planes, not in the sky definitely, but it was basically on the ground. There's always a ways to indicate this. There is also something called CTF, capture the flag, is basically almost like games where people play, but the idea is to be able to log in, hack and find a new way to get in the system. And when they learn how the bad guys operate, then they can see how they can protect it. In the correct terms, we call it Red Team and Blue Team. Blue Team is our defenders and the Red Team are attackers. And by simulating this game, you can see up to stay up to date. Sorry, I remember it was not just planes, those were actually satellites. They were trying to hack this August to show vulnerabilities.
Beside this, companies have pen tests. Pen test is a penetration testing where you hire a company where they go and try to simulate attack and understand if you have issues. So this is not staying up to date, it's basically checking your defenses and how you design an architecture and your procedures and your Blue Team working effectively to do this.
We have a new trend as well called Bug Bounty. It's basically you say, hey guys, I am this company and this is my application and you're free Bug Bounty, come and try to find a problem in my company. And if you find a problem in my company, I'll pay you money. So a lot of freelancers, this is how they make the money as well right now. So there's a lot of ways to stay up to date. You can also have VARs, value-added reseller, is the company I used to work for 15 years, where we will work with the enterprises and will come periodically once a quarter, once a month, tell them what's new, new companies, new architectures, new design, new trends. We also have companies that basically doing like analytics. There is Gartner, there is Forrester and they're constantly reviewing and providing information about the new state. And they also come up with new acronyms, unfortunately, unfortunately enough to confuse everyone or even more. So there's multiple ways to get information. And one of them is podcasting, like you're doing right now and I'm doing as well. You can, I should subscribe to podcasts that you like or industry podcasts where you can see. There's actually one podcast that has been running for I think eight years and it's released every day for two or three minutes. And the only thing they're saying is like what's new today in the world, what's happening for literally two, three minutes.
That's a nice quick way to keep up. And I did want to swing back also about, you mentioned ransomware and that's one that I think it's been a, I would say it's sort of been a hot topic in the news. It seems like that shows up pretty regularly that there's a ransomware attack. Is that something that is because people are more open to talking about it or is that something that has become a more common approach to hacking and attack, sort of a way to attack a company or an individual?
So it is new.
And I just remember that I can add to your answer to your question about what was in the past. In the past, 15, 20 years ago, the bad guys will come and break your system. They're going to format you this because they're going to make your system unavailable. So it basically was kind of vandalism majority of the time, but vandalism doesn't give them anything because okay, I need to go pay money and buy a new device and I lost my information. So ransomware now is a way for them to make money because even if I am going to provide another example, DDoS, distributed denial of service, is a way when you push a lot of packets to different companies from different companies and you basically make one company or one server unavailable. Again, I'm preventing someone to do work, but I'm not making money with ransomware. I'm taking ransomware, not in this case, you know, in movies, usually see hostages and people, but here we take your data and if your data is important to you, you're going to pay money to give the data back.
Now we also need to think about how important it is. If somebody was able to take over my accounting person or your accounting person and they have all our information, would they pay $1,000 to get it back? Probably yes. Would they pay $15,000 or $20,000? Maybe not. Maybe they're going to ask it again. That has to be reasonable. But if you take your ransomware or big company, that's a multimillion dollar company, then the sums become bigger. There was a point in the industry where the bad guys will go and hack individuals, but mainly they're going to focus on gamers. So gamers will spend a lot of time and money in World of Warcraft, for example, and they're going to basically go find the save file and put it in ransomware. Now your kid, 15, 20 years old, or an adult, that maybe put thousands of dollars in your gaming and now it's lost to you. Would you pay $500 to get it back? Probably you do.
So the bad guys, multiplying this economic scale, can make a lot of money. So ransomware is definitely growing and we definitely see it. And majority of the attacks are ransomware. And it can go bidirectional. Not just give me money, I'm going to give you back the data, but give me money. And because I encrypted and took your data as well, I was able to access the data. I'm not going to release the data to the public. Probably around seven years ago, remember when Sony got hacked and they kind of released how much Tom Cruise made and other people made and Mission Impossible. There's a lot of story about this because they basically released all the salaries of all the people that are in the movies. So back to reputation, back to financial information, company who pay money for it not to be released.
That makes sense. I mean, if you're going to put that kind of work into to hack a system, then you're going to, if you have a way to make money off of it, then obviously you're going to want to be paid for your work.
There was a couple of interesting stories about wrong people being hacked. So basically, if you get ransomware, you can communicate back to the bad guys. And there were stories about people like, hey, I don't have money. I'm just a simple person. I'm a student. Okay, sorry, it was a mistake. And basically give you the data back. And there was a couple of interesting talks in the industry when they did the research on these companies. Europe, doesn't matter where they are, China. It's a company. Think about this. It's a company with HR, with benefits, with days off, people coming in, they have offices. It's not just people that sitting at home with the hoodie and coffee, cigarettes. It's a company. So they have a way to do it. They have their targets for the year, for the month with benefits. So it's almost funny, but not funny that it's become so commercialized. And there was an interesting story in Canada. I'm in Toronto, Canada.
We have a hospital called SickKids. I don't remember exactly the entire story, so I don't want to quote exactly, but basically the SickKids got malware and ransomware. So it got ransomware. And they told the guys like, we are a hospital for kids. And the guys gave them the data back. But I don't know all the details. I need to actually go research to make sure I have all the parts. So don't quote me on this exactly on the details.
Wow, that's interesting. And yeah, we've talked about that before. I think that's something that very few people, particularly outside of the security realm, realize that, or the cybersecurity sort of world of business, that there are organizations that literally like your James Bond, Specters and stuff like that, but they're hacking organizations. They punch a clock and they go in and they go hack whatever their targets are. And so knowing that there are people out there that that's what they do, what are some ways for the average Jane or Joe to be able to protect themselves better so that they don't have to basically plead poverty or something like that and say, please don't charge me because I don't have enough money to pay for it.
Before I answer this, I'm going to actually raise the bar even higher. We also know there's government institutions, this is what they do. There was examples in Ukraine, there was examples in other countries where there basically was a level state attack to bring something down and show how it's working because everything is connected. Let's go back to individuals. I think individuals are used to what they're used to. So if we used to close our houses and our windows and check our water before we leave to vacation, we used to this. If we used to go to a park and tell our kids, if I got separated with you, this is where we're going to meet. Here's my phone number in case you get lost. Dog tank, don't take candies from strangers. This is what they used to.
We need to bring the education and awareness of cyber and Internet more to the place where people get used to this. If you are online and somebody trying to talk to you, why is it trying to talk to you? Is this business related? Is this something else? Maybe you're on a dating sites, maybe you're on Facebook, maybe you're in a messenger. Doesn't matter where you are, maybe you're in a business site. Understand what's the intention of people talking to you. Teenagers, kids, games, every game right now that you will play has some kind of a chat version. So it means they can chat in the game, Discord servers, Signal servers. There are so many different options for people to communicate. We need to explain and educate everyone to understand what's the intent.
If you get an email that says, oh, your password in Apple got reset, you just get a new email transfer. Please click here to receive the money. You need to put your hat on. Stop. Think about it. Like, hey, do I need to do this? Do I really need to get money from someone? Who is this person? Why is my password need to be reset on Apple or Netflix? And don't ever click on these buttons. Go to Apple, go to Netflix. Do it from there. So instead of clicking quickly, think about this. The main part is education. Taking it a bit slowly. Don't panic. And I think one important part is have someone in your family, friends that you can call and ask. And even if you're not sure, then pay somebody money. You know, have someone you can call them, you know, you're going to be paid service, but you can talk to them. Certain countries even have a government service where you can call them and say, I'm not sure what's happening with my laptop. I need help.
Beside this, there are certain things you can do. Have a password on your laptop. Have a password on your mobile device. Not just leave it open. Let it lock after a certain time when you're not using it.
Don't pick up USB keys, less popular, but used to be popular and put them in your laptop because they're pink, red, whatever it is. And you know, you want to know what's there. Don't click on messages you don't know. Don't download files you don't understand. There's a lot of small things that you can do that doesn't really take a lot of time. It can make you a bit more cautious. There's other ways like, oh, I need to open a file. I need to open this link and I don't know what it is. There's more advanced way to create virtual machines and isolated environments where you can do this, but you're not going to go there. So there's multiple ways, but you know, the 80-20 rule, you can still do this. There is a lot of stuff you can do with a small amount of effort, simple amount of effort. We're going to keep you protected. I don't even know how many friends I have that still not locking their phones. I'm like, why? It doesn't take long time. We all have fingerprints. Do this.
So you mentioned in the beginning, oh, what if I have MFA? Why do I need a complex password? So if you have an MFA, but you don't lock your phone and I just stole your phone while you're walking and I know who you are, guess what? Your MFA going to be on my phone. So it doesn't have a password and I have access to everything. And because I stole your phone, it has access to your email. So even the MFA comes to your email, I have your email. So this is simple. Is it very hard to lock your phone? Probably not. Put a password, let it lock everything. Same as the laptops. We still hear people going to airports, leaving the laptops open and going to the washroom and not locking them.
I can probably talk for a long time about small tips and tricks, but they are, I think one part I want to add is: separate your business life and your personal life. We always talk about work-life balance. Have a work-life balance between your company passwords and user names and your personal one.
Don't use the same passwords there. Don't use the same passwords in bank and Facebook or some kind of site that you log in from time to time. But it's all for self-cost. You have password management, you don't have this problem. But there is some separation of duties you want to do. Don't maybe do your home stuff on your work laptop, not to get in trouble from work as well. There are stories of people getting hacked from the personal emails at their work laptops.
Yeah, that's, I think that was early on. That was one of the biggest things that was, you know, this goes way, way back is that I remember a lot of organizations. That's what they did is they would just block people on because they go in and they go to work and they go download something. They'd see something on an email and be like, oh, I want to put this on my machine. And then the next thing you know, they were hacked and you know, you had the whole network come down or whatever would happen to it. And so it very much is that, you know, if you, if you at least do that, then there's a difference. I think, I think most people like that. It's a difference between if I get hacked personally and I have something go on that's different from my company gets hacked. And it's a different target. It's very different if you're just a, you know, an average person versus if you work at some, you know, Fortune 100 company and they get hacked, that's a whole different game that they're.
Yeah. You don't want to say in the next interview, why no longer with the company or the company got hacked because of people in the link. So it's going to be a bad story. One part of the inventions that it's fundamentally important is use backups. So backup the information and not just online backup. You can potentially, this I'll recommend to take a hard drive and from time to time, a couple of months, copy documents on the hard drive and put it somewhere else.
Yeah, that's, that's amazing how, because that, that pretty much right there can block, depending on how you do it, could almost block the value of a ransomware attack. If you've got that stuff out there, it's like, okay, I've got access to it. I don't need to, I don't need to worry about it. I'm, you know, I'm good. You guys can ransom all you want. I'm just going to go, you know, change some passwords, change some user IDs, and then just start back where I was, wherever I did my last, uh, or I did my last backup. Now I want to be, um, I do want to, wow, there's two things. I guess I do want to be respective of your time, but one thing I did want to talk about before we wrap this one up is that 80 20 rule is I have heard it describe that, Hey, like simple things like a password on a lock on your iPhone is going to mean that people are less likely to steal it because then they've got to go figure out how to get through it. And so it is sort of that 80 20 to the, on the flip side to the black hat, do the hacker types feel that too, or it's like, Hey, if there's certain levels of security, there's like that's too much work versus, Oh, Hey, this is going to be easy, you know, the easy picking type of, of a hacking attacks.
I think majority informed, I see as well. There is not a lot of targeted attacks. The target attack is going to be in probably in the five to 1%. Majority of them is going to be like a spray and pray cause the hacker can just distribute it because they, for example, got a list of emails from a website is a good hack and they're going to email all this list of people that the password got reset on the net or something like this. You're not going to target somebody. I'm not saying there is no targeted attacks. There they are. But majority, especially the end user us, I don't think they're going to be targeted only if somebody really don't like you because of something that I hope not for myself as well.
So they are not going to know, but the bad guys that I mean on the street, they're going to steal your phone. They're going to be a bit different. They maybe just want your phone or they maybe have some other ideas in mind. But now when they have your phone, there is no password. Like, Ooh, I could steal your phone and I can do factory reset. And I have a phone. I can steal your phone, but it's not locked. So now I can do even more. Maybe you get something else.
Yeah. So don't give them more than they, you know, more, more than you have to in that kind of situation.
Yes.
So after this, after spending this time, I'm sure a lot of people are like, wow, I really, this guy knows his stuff. Got a great company. My company needs to talk to him and get together and get more serious about security. So what are the best ways for them, people out there to get ahold of you?
There's two podcasts, one actually under another. So the main one is Security Architecture and Cyber Inspiration is under Security Architecture. Each of them is a bit different. Cyber Inspiration is more about founder story and Security Architecture is more about technological and design. So you can find me there, but the best way it's probably going to be LinkedIn. So if you go with Genicram at LinkedIn, not too many, you've getting easier. So you were able to find me and connect with me and I'll be happy to chat with you.
Excellent. So I want to thank you so much for your time. This has been great. This is like you said, you could talk all day, but boy, you piled a lot into a very, you know, to a short period there, walking through a lot of, a lot of very actual things that we can take to, you know, to make ourselves a little bit secure and to do our best that even if we're not targeted to make it so that, Hey, people don't get that much out of us. If we do handle end up falling in the line of fire.
Thank you very much. It was a lot of pleasure. You're a great host and you're asking very good questions.
Well, thank you. You have a great day.
And that obviously wraps it up. I want to thank him for his time. It was a great conversation. There was a lot packed into just this, these two parts, sort of one discussion that we had, and I think as you probably picked up, there's a lot more that he could bring to the table. There's a lot more that he can offer to somebody to help yourself be secure, help yourself avoid being the next target or worse yet being on the next front page because you got hacked in some way, form or fashion. That being said, we are not done. We've got a couple more interviews to go. And if you enjoy this, if you've got some more information that you would like to get from, we'd like to have a conversation yourself about cybersecurity. There will be links in the show notes, check them out, tell them we said hi. And hopefully that'll just, it's one of those that just, hopefully we all will be a little bit smarter, a little bit safer out there. So the bad guys have a few less wins to brag about. Go out there and have yourself a great day, a great week, and we will talk to you. Next time.
Thank you for listening to Building Better Developers, the Developer podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts, we are there. And remember just a little bit of effort every day ends up adding into great momentum and great success.