ALA Lunch & Learn - Event Recap
The Cloud & Cyber Threats
iCorps Technologies assembled a panel of cybersecurity, cloud computing, and compliance experts to address your most pressing questions at our live ALA Lunch & Learn. Watch the full event recap below.
[Question #1] Let's say you're on-prem versus in the cloud and someone is working in the office, but then they go to their vacation home. They go on vacation, and they take a laptop to their house, and you're really—those are your weakest points, where you're—you know, they're not patched correctly or is what you're saying, you know they, you know—
[Lauren Looney - Datto] Or secure, just physically even.
[Question #1 Continued] Yeah, because sites can move themselves higher up based on, you know, positioning. So if you typed in "How to login to here," you get a fake site, you follow that, there's your in the cloud version, but ultimately it seems like there's so many more devices that you really need to manage.
[Jeffery Lauria - iCorps Technologies] You do, and you know, and on average, I think I've recently done this, the average person has seven devices. You know, between their phone, their laptop, you know, work computer, a few maybe at home. You do need a managed service, and you need to be aware. It's a very good point about patching. You know, there are really two conversations. You know patching and unpatched machines are about those exploits, are about taking advantages of the flaws in the code, right? And you do need to maintain those, and I would strongly recommend that you use a, you know—it's called a Mobile Device Management System. So if anything is touching your network, it's under some form of management so I can push-patch it there and make sure. I won't let you log onto the network if you're not patched, right? Those things, we can take care of.
So, you know, I think managing devices is very, very important in patching them. But also keeping in mind that if I have 10,000 devices or one device if I still use my username, and password incorrectly, it doesn't matter. So, more devices, sure, risk of—and this actually comes back to where Sophos does very well—is, you know, what happens when you lose that device? I've, you know—I'm guilty of this. I value my car. I left my laptop in the car. I've got my car back, and there's been no laptop. And you know I'm the guy saying lock it up, put it in the trunk, this is what you should do. I tell all the employees to put it in the trunk, lock it up, don't ever do that. Yeah, I don't practice what I preach apparently, but my laptop is encrypted. So great, I'm out $800-900 for the laptop, but my data is encrypted. So I think utilizing solutions from Sophos, utilizing solutions from Microsoft—your iPhone should be encrypted or your Android phone. So you just plan on losing it right? Because you're going to lose it. You're going to lose your iPad you're going to lose your iPhone, you're going to lose your computer. Just make sure they're encrypted. It's very important. So now the number of devices, you know, becomes less important, per se, it's just—plan on losing your device and how you can protect that.
[Justin Walker - Sophos] Yeah, the expensive part of the loss is the data that's on there, more than the laptop itself or the phone. You know, a couple hundred, a couple thousand bucks for a really good laptop is pennies in comparison to a data breach, and the damage to the brand, and the things that go along with that. There's a really staggering number from a mobile-loss perspective. So I don't know, somebody in the room I'm sure has left their phone in a car, or at a restaurant. 200,000 phones are left in London taxis alone every year, just in, you know, in proper London. Forget the rest of the world we're talking almost a quarter-million phones that are lost in taxis. So it's just kind of staggering. If you have sensitive data out there, you've got to put restrictions on where it can be, what devices can people access that data from, because it is all too easy to lose a laptop or phone.
[Jeffery Lauria - iCorps Technologies] Think about this. Most state reporting laws, most, not all, if the data's encrypted, and the keys aren't compromised, then it's not an event. So it is—you know, you using encrypting is very important as well. So make sure your mobile devices, whatever they are, are encrypted.
[Lauren Looney - Datto] But it's important to think too—what's interesting is there's a story that came out last year about a casino in Vegas. They were actually hacked, it's crazy, but through their fish tank. Yeah, and so it wasn't on the news a lot probably because it was such a big deal, but what the hackers did was their [the casinos] firewall just happened to be on literally the wrong side and they were able to access their firewall through their smart thermometer that was attached to this huge fish tank that they had in their casino. And they were able to then—this is a huge, this isn't like—not that it doesn't matter, this was a big casino—they were able to get every high-rollers information in that casino and take it with them. And you know, it kind of goes back to the question earlier, once they have it do we know? I mean maybe we can find out, but at that point, they got it, you know, took it through the server, up the cloud it went, it's gone. Right? It's in the dark web somewhere, and somebody had a really good day that day.
[Jeffery Lauria - iCorps Technologies] You know, the funny part here is a lot of these breaches you see are just because people didn't use best practices. So the fish cam should have been on an isolated network, it's as easy as that.
[Chris Stephenson - iCorps Technologies] Everyone knows that about fish cams!
[Justin Walker - Sophos] Mine is, it's on a completely separate network!
[Jeffery Lauria - iCorps Technologies] But if you think about this, even at home, these are these IoT devices that we're talking about right? The Internet of Things. So it's my Nest thermometer. It's my security cameras. It's all those things. It's your refrigerator. I can look in and see if I need milk. All of those things, they're all on your network, alright. And they're all very exploitable. As a matter of fact to a point where it's so bad that it's actually an industry issue where they're looking at some regulations about how to solve this. Once you buy that refrigerator that, you know, has a camera in it or you buy the smart tv, no one patches it, it doesn't necessarily ever get updated, and that sits on the network. There are websites dedicated to go in, and "I want to see all of the webcams that are using the following usernames and passwords." Well, there you go. And there's whole websites you can now see and get on the NannyCam, right? We've heard of the NannyCam problems, right? So these—it's a lot of best practices that we just don't do. Separating the IoT devices from production network, alright? But first, change your passwords, no basic passwords is important. So I think leveraging that common sense too, it's difficult, it may take a little work to do, but it pays off.
[Chris Stephenson - iCorps Technologies] So just one more—I don't want to stay on the cloud too long, but how is ransomware, phishing, things like that, handled in the cloud by you the providers or, you know, by analyst technologies? Is it handled differently, or are these things that are impacted differently than on-site? How do we begin to think about that?
[Justin Walker - Sophos] Yeah, sure. I don't think it's any different really. So we treat it exactly the same. It's exactly the same risks. You know, ransomware actually makes up a really small percentage of actual infections. It's less than 2% globally. All the malware out there is actual ransomware infections, but they are so disruptive and damaging that it's all you think about.
[Chris Stephenson - iCorps Technologies] Right, they make the news.
[Justin Walker - Sophos] Yeah, they also make a ton of money. I mean, in 2016, a single family of ransomware made over a billion dollars. Just one variant of ransomware. I always laugh when people say it's the A/V companies that are writing the ransomware. If we write a ransomware, we'd be making a lot more money. So you know, it is where the money is, and that's why there are such incentives to have technical support behind it. They have their own cloud management dashboards for managing these malware campaigns or selling things off. We see advanced threats nowadays like Emotet, which itself is a file-infector that then has started to auction off infected machines. So the machine gets infected with Emotet, you know, it might sell it off to a ransomware writer, the next day it might be a SPAM botnet, it might be a banking trojan.
So it really has developed into more of a business, and I don't think, you know, whether we're talking laptop/desktop, physical/virtual, on-premise or in the cloud is really any different because if it's in a system that is all exposed and has potentially sensitive data, it's just as much of a target. And that's why—it's ultimately why we put the same protections in place regardless of, you know, what operating system, where it is, physical/virtual, here or in the cloud.
[Jeffery Lauria - iCorps Technologies] I agree, and the other part to that is, thankfully, these platforms - SharePoint, OneDrive, Google Docs - they have rollback features. Mechanically, the way OneDrive works is if you get ransomware, it's not going to affect you, just because of the way it works. That said, that doesn't necessarily mean that it doesn't affect your machine or you don't get locked out. So if you have cloud data, fair enough, but you have to treat it the same way.
[Chris Stephenson - iCorps Technologies] So, then here's the fun part. As we've been moving more and more to the cloud, to save money, efficiencies, and so on, and also just engage with our companies over cloud, where does security play in the cloud space versus on-prem, behind my firewall? So I might have a Fort Knox that Justin's built for me behind the firewall, but most of the world we're now engaging
is in the cloud. And even some of our pieces of our networks, so to speak, are in the cloud. Where does that put us on track as far as security? Are we less secure? Are we more secure? I've heard people actually argue it both directions. So Justin, do you want to start us off?
[Justin Walker - Sophos] So the interesting thing about kind of moving things up to the cloud is, the cloud itself is very secure. But the problem is, you know when we're talking about Microsoft or Amazon, or whatever cloud provider it might be, their responsibility is the security of the cloud itself. For the things that you're putting into the cloud, that is your responsibility and our responsibility.
Alright so, the infrastructure, the back end of what builds, you know, Azure and AWS is really strong and built on a really successful architecture, but when you start to put assets up there, it's only as well guarded as you choose to guard it. You know, if you have weak passwords, poorly patched systems, or poorly implement third party applications, there's a lot of vulnerabilities that can still be inherent in what the end-users and companies are putting up there in the cloud. And so that's where we all come into play. You know, on the Sophos side, we have—we treat the cloud just like any other endpoint. So you can spin up our firewalls up there, we can spin up our endpoints if you're doing PDI, our server protection or server infrastructure, and it's just an extension of the network at that point. It shouldn't really be treated any different from the assets you have on-site. You know the uptime will be very good because of the high availability of, you know, names like Microsoft and Amazon. The big thing is, you know, it's the stuff that you're putting up there ultimately being treated just like any asset that you have I think internally.
[Jeffery Lauria - iCorps Technologies] Actually, one of the things too—I met with someone yesterday, at a very large company to talk about their email in the cloud, and I asked them "How do you back it up?" And they go "What do you mean back it up? It's in the cloud I don't need to back it up. Microsoft has my back." Microsoft doesn't have your back. At the end of the day, that data that sits in the cloud. Office 365, Google Apps, SalesForce, it doesn't matter, those companies back up their stuff, not your stuff. So we have a partner here with Datto that has solutions to back up your data in the cloud. So, you know, to your point, if you back it up on-prem, you should back it up in the cloud as well. But I do agree the cloud is probably the most secure platform. It is—when you see, you know, some data was lost from Amazon, it's because the user that was configuring it misconfigured it. It wasn't anything to do with Amazon, nothing to do with them, nothing to do with Microsoft, it is the people configuring it, you know, pressing the buttons. Those are the ones that are making it less secure.
[Lauren Looney - Datto] And I'll add on too. It's interesting, so both Google and Office 365, in their SLAs, have language in there that specifically recommends having a third party back-up of their information. And I think, maybe 30-60 days they might be able to have recovered, but you know, even on their end, they're saying you should back up these things. They're like look, we're not going to have your information stored here, but that's kind of in the fine print. So, you know, it doesn't all go back to them.
[Lauren Looney - Datto] You know, no matter what industry you're in, no matter, you know, how smart your folks are, no matter how up-to-date you think you are, they've got these companies out there, they're actual companies now. They have 24/7 hotlines that you can call. And we're talking about bad guys, not the good guys. You know this is for support on their end, and there's a lot of really smart people that are crossing over—
[Chris Stephenson - iCorps Technologies] Are you saying fake call centers?
[Lauren Looney - Datto] No, real call centers. Yeah, yeah so ransomware's a business now. They have actual brick-and-mortar stores. Yeah, they have actual brick-and-mortar stores, and they have actual folks that are, you know, coming over from the good side. To them, sometimes they don't know it—they're being employed to do some of the dark work, and they're just not aware. So people really are the biggest thing, and unfortunately, we're all susceptible no matter, you know, what industry and how much we really do know or don't know.