Video transcript: Cyber security

Transcript for a video about cyber security

Title: Cyber security, Alan Clifford, Director Information Systems Audit and Assurance, Audit New Zealand

Alan Clifford, Director Information Systems Audit and Assurance, Audit New Zealand

I spent the last three months going through, I had three months, 90 days, to learn some stuff to get formally certified, because you can get all these things now, online; just pay some money and learn some stuff. Ninety days to become a CSX, which sounds like some sort of brand of a Honda car doesn’t it; that’s one of them.

So, Cyber Security X, I don’t know what that was; expert maybe? All the guys in my audit team, they’ve all been through it and it was just a way of upskilling us; because we kept on being asked by clients, “What about cyber, what about cyber,” and I said, “Oh, hi-di-hi-di-hi.”

We take the view – and this is my last slide, I’ll get it out now in case I never get to it – that the cyber security thing, we take them all broadly; so, information technology security. So, it’s broader; it includes a little bit of physical security as well, and the second to last slide, will tell you the things that get covered as part of your audit, and before then, there was a little bit of journey.

Blah di blah, blah di blah, blah. So, lots of words linked, come to mind when you think of cyber security; viruses, malware. All those kinds of stuff, and on the face of it, it could be a very deep and exciting technical topic.

But, I did check in advance who I might be speaking to, and I’m either gonna get this right or I’m going to fail badly, but I don’t want us to go into all the stuff about encryptions and algorithms and the benefits of simple passwords, long passwords, complex passwords and all that kind of stuff, and firewall monitoring. All these techie things, because primarily, I don’t really see the biggest risk to do with the technology.

So, that’s the big thing. You would think it was otherwise, with all the media pressure you see; it’s all sort of tech focus but I want to strip it back. I thought the easiest way of doing this was an analogy, and apart from the fact this is a wonderful picture, very moody and atmospheric, the analogy is quite a simple one.

When I was asked to speak at this session, the original title for the session said something like: “Cyber security in an information age,” and I thought, “what would cyber security have been like if it wasn’t the information age?” Bit of an oxymoron; if it was medieval age, perhaps’. So, we’re going back to a castle; you’ve got this wonderful castle, you’re king of the castle and you’ve got your nice big fortress and the barbarians are at the gate. No, they’re not, they’re touring the country aren’t they, or they’re doing something?

Barbarians at the gate, trying to hammer down the doors and a lot of effort goes into protecting against those hordes, but there’s Bob. Now Bob is one of your resident drunks. So Bob is inside the castle and just before the evading hordes arrived, he came wandering down here past the graveyard, down the hill, and he bumped into one of these potential invaders, who realised he was a bit of a drunk, and they did a deal.

So, for a couple of barrels of mead, said, “Right Bob, on the allotted hour I want to do you a favour, I’m going to give you some beer,” and he goes, “Oh cool.” So, the allotted hour came and he opened up the little sluice – because there’s no matter invaders will not go through, they’ll do anything – and in he goes.

So, they’re then wandering around your village, inside the castle walls for ages, you don’t even know about it. I mean, they’re making good of your woman folks and all the rest of it, and the damage is done. So, the analogy there, is quite a simple one.

We always talk about firewall protections and monitoring and all these perimeter controls, and a hell of lot of investment goes into that. It is money well spent, but the greatest risk really is the people inside the wall. Right, which might come to a bit of shock to you because we think about the hooded hackers and all that sort of thing, and there’s state nations who are doing stuff.

Those things are all true and they do exist and they do represent a high risk, but research after research shows that the greatest threat that you have is the people within your wall. So, who’s responsible anyway, this whole cyber thing, who’s responsible; is it your CIO, your IT manager?

Oh, you’ve read my slides; we all are. We all have a responsibility to play in this topic, and how we play that out is a simple one. It comes down to education, and I’m basically going to be pointing you in a few directions – which is why there’s so many slides – to really good resources that exist in New Zealand for you to go off and read at your leisure; watch webinars, take quizzes. Do all sorts of stuff, and I guarantee if you go and look at any of this stuff, even if you just went to one of them, you would be so much the wiser and so much the safer for yourself and everybody else.

So, I’m going to focus on a few people. We’ll start with the Accountant, and I’ll just say I’ve spent a while clicking on the internet trying to find images that didn’t have "Shutterstock” or something on them, but gender bias. You put “accountant” in and it’s all these blokes sat there with abacuses and stuff like that.

Anyway, so what about the Accountant? We had an Accountant earlier today, didn’t we, Paul; he’s an Accountant, still, technically. What was he? Chief, chief, and I think he shared this with you.  As he was coming up, he got an email sent through with a click-on-link pay some money, which is a good example and it was the one I was going to use for this Accountant.

So, this Accountant clicked on the link. So, whether it’s a spoof email, easily done, people do it just for the fun of it, but some people are obviously doing it because it links through to your fraud and their loss.

Back in the day when you got a letter arriving in the post from one of your key suppliers and they said: “We’re changing our bank account details,” you’d go through it and check it, and you’d probably phone them up, and all these other things because it came in the post.

I don’t know what’s happened since, but if that comes through as an email; it gets acted on and it happens quite frequently. You think, “oh, surely that doesn’t happen at my place”, but it does and they’re so easy to spoof up. You know, one-time-hit bank accounts; people act on them or you’re clicking on the link, you’re introducing the malware.

So, you’ve all heard, “WannaCry” and all these other things that happen. One of the great things, from a New Zealand perspective, that happened around WannaCry, was that you didn’t hear much about it, as in, impacting New Zealand businesses or impacting the public sector in New Zealand.

That’s because we’ve been reasonably well placed over the years to actually put things in place, and despite what you might hear to the contrary, a lot of our infrastructure is relatively up to date.  So, we were reasonably well placed to respond and things have been patched, and what have you.

I would say, boldly, that a lot of the recommendations that we’d made for our audits over the years, have been acted on. So, some of the basic things are in place to limit the impact. Well, if you stop it getting through to the point from turning from a threat into an impact.

Who likes freebies? You like your freebies, oh, the rest of you must be paid too much? Freebies, you know when you go to conferences; we haven’t got any here. You know, you see this sort of thing: “Get a free squishy ball thing,” and whatever else do you get; t-shirts? USB sticks, classics, the number of people who take free USB sticks. I mean, how much do these things cost? Bugger all, but you’re still happy to take one, and you go back to your office and you plug it in. You’ve just introduced whatever threat might exist on that USB stick.

We haven’t got sneaky when we’re doing our audits, and leave infected USB things lying around, but our opposite numbers over in Western Australia, they have done this. So, their IT audit team – just for a laugh, or to prove a serious point – they used to leave USB devices in car parks at client sites.

So, some well-meaning person, they pick it up and go into the office and leave it on the desk for a while. Even if they didn’t do it, somebody else will see it, “Do you have the,” “yep,” and they hand it over. One way or another those devices always get plugged in, and once they’re plugged in; they were then using that to create a backdoor and make the hacking thing a lot easier.

You know I was saying about gender roles; here’s one for the cleaner. So, you all have clear desk policies. So, clear desks, I know that’s a physical thing, you think, ‘what’s that got to do with cyber’, but it’s the same kind of stuff. You know, you printed it out, you left it lying around so the cleaner or any other visitor can see some stuff.

Cleaners aren’t vetted, but the cleaner could quite easily just put a small USB device into your machine, to act as a key logger. Logs away; gets your username, passwords during the day, some sensitive information, starts collecting it all.

You know you can get these little things, they’re a terabyte; you can take a hell of lots of stuff on one on those. Just collects it during the day, comes back the next night, take that away. Very easily done.

You leave your device unlocked. Oh, it’s a farce isn’t it, that bloody screen saver’s always coming on and you’re having to go back in and do the password. Oh, sod it, leave it and don’t switch your machine off, or don’t have your screen savers come on. Really basic things, but who are these people wandering around having a look at the stuff? The same goes for other visitors; they might be accompanied but they may be not. They turn up early for a meeting; you’ve got some meeting rooms with ports.

We had a client recently, they engaged some specialists to come and do some work. They were trying one of these penetration tests, and it was disclosed IP addresses but they were attacking it from the outside; they come up with whatever they come up with. One of the other things they did; they came on this side of that wall and they just sat in a meeting room, and just plugged in and used some readily available password-cracking software. This stuff is all free; it’s all freeware.

In fact, you can do password cracking as a service. It’s in a huge boom for enterprises over in Estonia and Russia and other places, you can just do it as a service. If you specify the address that you want somebody to have a go at, off they go and you pay them whatever.

But, for that client, they had complex passwords, eight characters, all the good stuff that you hear recommended. A key password was guessed within five attempts, and it happened to be a domain administrator’s password, and once they got access to that, off they went, they were into the pot of gold.

Less than five attempts; it was complex and eight characters. Right, and you think how the hell could that be? It’s really straightforward, really quite easy.

Those people who like cats, there we go, a cat; it doesn’t get more technical than that. Other than the fact that I mentioned earlier, look, the use of the internet; apparently one of the greatest use of the internet is wasting time, and looking up cute pictures and funny things to do with cats, apparently. I thought the other use of the internet was something different, and those people who remember the 1970s sitcom might get some inference of what I might be talking about there.

Academia, I’m not quite sure who might be from academia, in the room, and I’m sorry that they’ve got an Aran sweater but that’s what came up. Academics love academic freedom, and it’s often used as an excuse, why they’re not going to be corporatised and locked down.

Actually, I can see one academic chap over there, how’s Adrian? So, they’re a little bit feral; university campuses and technology institutes, and the like. They love the academic freedom, and they stand so proudly, “I will not be told what I can have installed on my advice. I need the freedom to go and install different software.”

That’s why they won’t allow their USB ports to be locked down. Of course, everybody else, you all locked down your USB ports, haven’t you? Who’s this fellow; is it a he, is it a she, is it your teenage son, teenage daughter?

You get a lot of, sort of movie-based stuff around hackers, and they all look like this, don’t they? All cloaked and hooded, and there’s always binary stuff going on. Who knows what they look like? There could be some in the room today.

You know, we’ve got the ethical hackers. The hacktivists; the well-meaning, they’ve got a cause. They’re not out to destroy your business, or your ministry, or your department, or your council, but they’ve got cause; they’re just a well-meaning citizen.

So, who knows who they are? It could well be anybody, but as I said earlier, those people could well be already inside your organisation because who knows what they do outside of work, or when they’re at work. They might be using your resources to do the stuff they want to do outside of work.

We had a shocking example of a council up north, where one of the people in IT – part of me smiles in admiration for the guy being smart, but at the same time, what he did was just unforgivable – he basically was harnessing the power of that council’s computer services; the storage and the speed. Basically, he was running a racket; porn and various stuff.

So, there was some really despicable stuff that he did, but the fact that they had the gumption to take advantage of those privileges, as a trusted employee; a tech person, trusted employee, been there a long time. Didn’t have all those other indicators we heard earlier about the fraud side of things, he just took it upon himself.

What was the guy thinking, what was in the mindset? Did he think he was so smart he would never get caught? These guys are having to spend… the spend on storage and the bandwidth usage was just going up through the roof, and it wasn’t because this council was suddenly doing all this kind of online citizen ratepayer focus activities, it was all this guy but nobody realised.

I think he did it for two and half, three years before something was found, and it was only found because they actually brought some specialists in to run some really low-level sort of security review and they started looking at uses of servers and various things; what’s all this stuff been used for?

But, even once they identified it and then actually dealing to that and tackling it head on; the stories. I mean, it’s alright when you encounter a fraudster; the stories that get told and spun, it’s just phenomenal.

I put this one up because this is my little girl. I’ve always wanted to have a presentation where I could have a reason to weave in my little girl. So, this is little Fabián; she’s not sat there having a cup of tea, that’s Weetbix in a cup. She’s just over two, and she’s reading a book about inventions. Well, she’s not really looking at reading, but you know what I mean.

Relevance of the child. I asked who’s got children; most of you have got children. They’re all classified as digital natives; that term that we’ve heard bandied around, digital natives. They think nothing of giving away their privacy. Obviously not her yet, although she can crack my password in my phone.

So, I’ve got my phone, I’ve got my pin number on there. I have to do the pin number thing rather than the swipey, because everybody knows your swipey numbers, it’s not hard to work that one out.

So, if you do swipe your things, stop, because it’s really easy to guess what you’re doing. But, the pin number, because she’s seen me do it. So, she’s not properly talking, yet she’s worked out how to get into my phone, and the other day she had her mum’s phone; and then she got quite frustrated as only two-year olds would, because she couldn’t get into that because she was using my pin number on that one. I don’t know her mum’s pin number, but I do now because she tried her mum’s pin number on my phone.  

So, and when she gets into the phone – I can’t even remember where I’ve gone and put all those apps – she knows where to go. If she wants to look at some photos, she gets into the right thing, looks at the photos. Wants to run the video, she runs a video. Oh, she wants some entertainment; so, then she goes to the entertainment cluster and she picks Netflix, and she picks her name of the choices that are available, to watch her little cartoons or whatever.

I don’t even have a TV at home, so it’s not like we’re sort of immersing the child in technology. It’s just, picks it up every now and again, 10-15 minutes, doing her own thing. So, that’s a two-year-old, and it just gets worse.

So, those with teenagers and all the rest of it; the school’s expectation that they will go home and get parental guidance about safe use of devices and all the rest of it, and I’m gonna point to some resources in a moment that I’d really encourage you to go to.

So, the use of social media; the stuff that you are posting, as grownups, on social media, the stuff you put on social media it just beggars belief.  I don’t have a Facebook account, because I’ve seen the kind of rubbish that people put up there, but it’s also enough to help me get into your systems.

So, you put your date of birth, you put your dog’s name and where you went to school and all those other things. They’re all those frequently asked questions for your banking security, aren’t they, and you post them on your Facebook; and if they’re not there, they’ll be on your LinkedIn or be on some other social media thing.

It’s phenomenal what people disclose quite readily, and I’ve done it myself. I gave up my privacy to get a free coffee. I went to a conference recently, and there wasn’t coffee out there; they had a coffee cup, Mojo, making some nice coffee. The only way to get that coffee was to use your Mojo app. In order to do the Mojo app, you had to download it while you were queuing and give away some of your information, but I was prepared to do that and once I did it and I got the coffee, I thought I would understand that, but everybody else in the queue after me and before me, we’d all done the same. So, now those bloody Mojo app won, and they’re got my details including my credit card details; all for a coffee.

So, I’m no better than anyone else, other than I don’t have Facebook.

Alright, they’re all happy, aren’t they? Smiley, they’re not Audit New Zealand auditors, because they’re all busy. Well, they are like smiley like that. You know when they come to see you, they’re all like that, aren’t they? Yep. In fact, that’s a typical arrangement when they do come to see you because you squeeze them all into that one little room around one table there, “Go on.” It’s not Audit New Zealand because there’s an iPad and we don’t have those, because that’s not a good, well, Steven might have one.

They’re not really happy, are they? Who knows what’s going on in their life. They could be unhappy, the disgruntled employee; they’ve just missed out on that promotion. They might be experiencing workplace harassment, bullying or they’re gonna get that manager back. They may have a bit of a gambling issue; they might have a bit of drugs problem, they might have some money issues. You know, they’ve been trying to save for that deposit for the house. It’s just eking away, 24% increase in Auckland, they can’t get there, and something flicks in their brain. So, it ties back to some of those fraud things.

What’s a background motivator? The money thing again, and for money, people start doing stupid stuff. So, you’ve got these information assets; you’ve got this data which, trust me, it is incredibly valuable and you need to think about why it’s valuable. You might not think that it can be monetised, but there’s a hell of lot of stuff that can monetised and people do it for quite small sums of money.

There was a figure quoted that people will giveaway access to systems for $20,000. I thought that’s an incredible large amount of money, because I’ve seen examples where it’s $500. Even if it’s just the, “Oh, I’m going to give you some information, not directly, but I’ll just look up that patient record,” and we know there’s strong controls and things like that get put in place.

Well, that’s because people do it; they can be incentivised to provide that information, or looking at Police records and that sort of thing. So, the 20,000 figure I thought was a bit high, I think people do worse things for less. So, if you just think about that, and it’s all been lower level people.

What about the more grownups – those charged with governance? Phew, where do we start with this lot? They may be on various boards; directors for different boards what have you, different councils, and it’s being a little bit ageist, but it tends to be a bit of a correlation between seniority in those ranks and age; simple passwords, writing things down, having senior moments, sharing passwords.

Go and have some conversations with audit risk committees; and I went to one recently. The client has multi-million dollars’ worth of expenditure, quite complex technical environment. I did my background research, and thought, ‘oh, don’t know what I’m going to be asked, it might be quite challenging’.

I didn’t need to worry, because one question was, “Alan, tell me,” and it was a wee while ago this, “why is it that my son was able to go down to Dick Smiths,” just putting a timeframe on there, “buy some anti-virus software; come home, install it all, all done and dusted in half an hour or so, but IT here, they’ve been trying to sort this stuff out for months and months?”

Because they don’t get it, there’s just this home versus corporate thing. Not quite translating the fact that, it’s a little bit different and it’s more to do with updating servers, environments, and some of the aging systems, and the fact that some of the software won’t run on those newer platforms, and all that sort of stuff, but that was an audit risk committee. You know, and these are smart people. I don’t want to denigrate them by any chance, but it was a bit of a dumb arse question. The other thing was this obsession we’re seeing as a tech issue, and particularly at that level; it’s all tech, not them because it’s going outside a comfort zone.

They’re not wanting to embrace the whole thing fully, it’s not their place. It is their place, it really is so important and if nothing else, particularly at this level, really to get their heads around; their risks around cyber, and seeing that those organisations are doing something about it.

Oh, I think the other thing that was really, came out of the audit risk committee was, “Why can’t we have iPads?” So, there we go; multi-million-dollar expenditure, complex technical environment and the most pressing thing on their mind was why they can’t have iPads.

For those people who like dogs, there’s a dog picture. I've got nothing to say about that other than the fact that I used to have a newfie. I promised you that I would point you at some resources. You’re going to have to write really, really quickly or wait until these slides become available on our website because this is where I’m going to start rattling through.

We are blessed in New Zealand, we have got huge amounts of resources. Loads of agencies that are all touching on the topic of cyber, and for those that didn’t know, New Zealand is one of the members of the digital five; global nations digital five.

So, there’s the UK, New Zealand, Singapore, Estonia, and Israel. Strange bunch, but we’re up there and leading the charge in a whole bunch of topics. I think the guys from the GCIO have been out leading a few channels for discussion around, you know up in the world and they’re always getting requests from other countries to come to New Zealand.  Well, of course they want to come to New Zealand, don’t they, “Where can I go that’s further away, let’s go to New Zealand.”

No, they come to New Zealand in the summer time for an extended holiday, but while they’re here, they come just to find out how the hell we’re managing to do it. So, we heard before, the transparency international number one around corruption, non-corrupt; D5 for the tech thing.

Now, you might be thinking, “Well, I don’t think we’re that good about tech”, but in context and in comparison, we’re actually doing really well as a country. So, that’s something to be proud about, and these resources are something else to be proud about.

So, I’m gonna whiz through. Take those photographs off the screen, so we go. So, New Zealand recently established a cert, I think the 20-odd million have been put into that, over the next few years.

This is my first go-to place now. Connect Smart; if nothing else you do, tonight when you go home please go to connectsmart.govt.nz, and start doing the quiz and start trawling around that site. You will find it invaluable, and I can’t say more than that.

For those institute of director members, there’s governance resources in there; there’s a cyber-risk practice guide. It gets more technical, there’s the national cyber security centre. These guys, it’s all part of the GCSB; they’ve been set up to protect the country, as a whole. They’re critical infrastructure, that type of thing; the key banks and the like. They’re out there giving help and guidance to those larger players, because they need help as well.

So, it’s not a thing to do with ignorance, this is a whole scalable topic. ICT.gov; this is part of the DIA, the government chief information office. Huge amounts of resources. If you didn’t go to Connect Smart, go to Netsafe. So, I’m doing that for you, as individuals, and for your family, as well for your organisations; definitely go there.

Department of Prime Minister of Cabinet. There’s a national policy around all this; they’ve got a strategy around cyber security. Worth a read because that’s where we’re going as a country, and your organisations all have a role to play in the country achieving its objectives, because it just takes one weak link, amongst the whole, to let the side down.

And I keep going; there’s the Police side of things linked back to SFO, but Police have some responsibilities there.

There’s protective security requirements; this is more for the geeky side. I mentioned the GCSB’s security manual; that’s the shoulds and musts. It’s hundreds and hundreds of pages; really leave it for your IT guys but it’s worth reading the summary, just to understand the responsibilities that are made.

You might not have to follow because you might fall outside the agency remit, but even if you do it’s still worth considering. There’s stuff that specific to sectors such as the IT board. I think they’ve changed their name to be a digital advisory board now.

There’s professional bodies, so ISACA.org. That’s one of the bodies I’m a member of that’s basically membership for IT auditors around the world, and that drills down into the Cybersecurity Nexus; the CSX thing which is what I’ve been covering recently. You’ll have this on the website.

It’s just about risk management, the same as you cover any other topic. Understand your risks and you could put in this column of stuff against a whole bunch of other considerations, not just for cyber. Manage them, treat them, minimise them, transfer them.

Lots of insurance policies coming in now, be sceptical because you’ve kind of got to have controls to a certain level before you can be accepted as an insuree. You might have got to the point where you might not need the insurance, you might have already got your systems up to a point and then you accept the residual risk.

The basics really do make a difference. When you go to all those resources, and I really encourage you to do so, you’ll find so much more and it gives you hints and tips, and if you want your…what five things can I do, what nine things can I do. It’s got all that kind of thing; quizzes to test your knowledge and the like.

Just keep on improving, just learn more and more about this topic, and I’m going to stop. The next slides are basically, just going to focus on the future. It’s only going to get harder, so you really need to, if you feel a little bit behind on the topic, upskill yourself because it’s gonna get harder because we’re entering into huge investment.

There’s an arms race going on around artificial intelligence and machine learning, and those things can be harnessed back on us, but when you embrace them as an organisation which you will do over the next five to ten years, you’re gonna introduce a whole plethora of new risk into your business.

Title: For more information and to download presentations, visit www.auditnz.govt.nz

Watch the original video.