May 30, 2016
On April 21, Michael Calce (a.k.a. Mafiaboy), a convicted hacker turned cybersecurity consultant, spoke at the ISA Automation Expo & Conference (AEC) to a sold-out crowd of nearly 200. The most impressive thing about Calce – despite his very approachable disposition and ultra-stylish three-piece suit – was his smarts.
Calce’s talk got attendees thinking about their approach to cybersecurity on both a professional and a personal level, and it spawned many more questions after the presentation. We gave our AEC 2016 Mafiaboy Lunch sponsor, Check Point, and the 2016 ISA Edmonton Section sponsors the opportunity to question Michael further!
Here’s what they asked and how he answered…
Check Point: What do you predict the next big cybersecurity threat will be? For consumers? For business and critical infrastructure?
Calce: The biggest security issue right now which will prove to be very catastrophic is the cloud. The way individuals and businesses are storing information on a cloud will prove to be fatal. They are essentially putting all their eggs in one basket simply because the cost of using a cloud is more efficient. Mark my words, there will be some major cloud breaches in the future and it will be like plundering gold from a city for hackers.
Enbridge: Where would you recommend that companies focus investment to protect against Cybersecurity vulnerabilities, people, process or technology? And why?
Calce: This is a tough question because security is a conglomeration of all of the above. I would probably invest the most on third-party pen testing because all of the above would most likely be tested. If I had to pick one though, people are proving to be the weakest link in the security chain at the moment. Social engineering has proved time and time again that people will always be the weakest link. Why not circumvent all your security measures by taking advantage of an unsuspecting victim?
Tundra Process Solutions: Many companies feel immune to a potential hack – the thought process is often, “it won’t happen to us”. I.T. security is left in the hands of the I.T. department or third party contractors. With this in mind, what do you feel is the most commonly overlooked security component for a company, or where do you feel most companies can improve with regards to cybersecurity?
Calce: This could not be truer. When speaking with businesses and CIOs I get the impression they think they are untouchable because they have an IT department (let’s not even talk about the fact that a lot of hacking is done internally by the very IT department that is supposed to be protecting them). All I would need is 1 hour, with these companies’ consent, to show them they are not as secure as they think.
There are two underlying issues with IT departments today. The first would be the amount of education they received: they might have a CISSP or CEH certification, but the reality is hackers know of these certs and what techniques the individual was taught. Hackers do not follow protocol and tend to use out-of-the-box techniques; essentially, the best person to protect against such attacks is a hacker or ex-hacker. The second problem is rhythm: eventually your work becomes a routine and you’re not being as vigilant as you can be. A lot of IT departments become sloppy and stop patching applications that have known vulnerabilities. The biggest glaring issue is not being part of a community that discusses 0day exploits, meaning there are vulnerabilities that have not been made public yet. An example of this would be the Heartbleed exploit: whilst many hackers knew of and used this exploit, most IT departments remained in the dark because they are simply not privy to such information.
CB Engineering: What is your top cybersecurity recommendation for parents of teenagers with regards to their use of social media? Any apps or social media you would keep your kids away from?
Calce: All of it is quite hazardous due to the amount of information teens are putting online via social. The reality is it’s very hard to monitor and control because their peers are also using the same platforms to post pictures/information/videos. Adults are not exempt from this either; a lot of business individuals put too much information on their LinkedIn, making them more susceptible to social engineering hacks. Sarah Palin’s email account being hacked is a prime example of this. I would tell parents to be wary of apps like WhatsApp and Kik, simply because of the way they connect individuals. Kik has been linked to the death of a 13-year-old girl and various child pornography rings. Instagram may pose a serious threat to the well-being of an individual’s mental health; the hunger for “likes” and validation is being linked to various mental health issues.
Samson Controls: As many SMB’s (small to medium-sized businesses) have limited resources and as such are not likely to hire a security expert, what are the top three things they can do to protect their networks?
Calce: The best way for a business to protect its network is to make use of a good firewall and VPN. Make sure the VPN you’re using is not the built-in Windows one (PPTP) because of the issues with the authentication process, MSCHAP. I would use L2TP/IPsec, SSTP or IKEv2 depending on the platform your business is using. My third recommendation, which is completely free, would be to develop a system for when attachments are sent between employees. Since there is such a high use of phishing email attempts, it would be wise to develop a system to determine if the email is legitimate. I can’t stress enough how many times I’ve infiltrated a company due to its lack of policy regarding emails.
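The third recommendation above (a policy for deciding whether a mail carrying an attachment is legitimate before anyone opens it) can be made mechanical. The following is an added illustration, not code from the interview or from any of the companies named on this page. It assumes the company’s own domain is example.com, that the mail gateway stamps an Authentication-Results header with the SPF/DKIM verdicts, and that the allowed attachment types are the ones in SAFE_EXTENSIONS; all three are assumptions for the example, and the sample messages are constructed inline.

```python
"""Attachment-policy triage for inbound mail (added example; assumptions noted inline)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}  # assumed company domain for this example
SAFE_EXTENSIONS = {".pdf", ".txt", ".csv", ".png", ".jpg", ".docx", ".xlsx"}
# Executable, script and macro-enabled types commonly delivered by phishing mail
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1",
                    ".hta", ".docm", ".xlsm", ".iso", ".lnk"}


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address, lower-cased ('' if none found)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", "") or "")
    return m.group(1).lower() if m else ""


def auth_results(msg: EmailMessage) -> dict[str, str]:
    """spf=/dkim=/dmarc= verdicts from the gateway's Authentication-Results header."""
    header = msg.get("Authentication-Results", "") or ""
    return {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, flags=re.I)}


def evaluate_message(raw: bytes) -> dict:
    """Return {'verdict': 'deliver' | 'hold-for-review', 'reasons': [...]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    domain = sender_domain(msg)
    auth = auth_results(msg)
    attachments = list(msg.iter_attachments())

    # 1. A mail claiming to come from a colleague must pass SPF and DKIM;
    #    an internal From: address that fails is the classic spoof.
    if domain in INTERNAL_DOMAINS:
        for check in ("spf", "dkim"):
            if auth.get(check) != "pass":
                reasons.append(f"internal sender but {check}={auth.get(check, 'missing')}")
    elif attachments:
        reasons.append(f"external sender {domain or '<none>'} sent attachment(s)")

    # 2. Display name mentions the company but the address is outside it.
    display = (msg.get("From", "") or "").split("<")[0].lower()
    if domain not in INTERNAL_DOMAINS and any(d in display for d in INTERNAL_DOMAINS):
        reasons.append("display name mentions internal domain but address is external")

    # 3. Attachment types: block risky extensions and double extensions, and
    #    hold anything not on the allow-list for a human to look at.
    for part in attachments:
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if name.count(".") > 1 and ext in RISKY_EXTENSIONS:
            reasons.append(f"double extension on {name}")
        elif ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {name}")
        elif ext not in SAFE_EXTENSIONS:
            reasons.append(f"unlisted attachment type {name}")

    return {"verdict": "deliver" if not reasons else "hold-for-review", "reasons": reasons}


def build_sample(from_addr: str, auth_header: str | None, attachment_name: str) -> bytes:
    """Construct a small test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "bob@example.com"
    m["Subject"] = "Q2 figures"
    if auth_header:
        m["Authentication-Results"] = auth_header
    m.set_content("Please see attached.")
    m.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    good = build_sample("alice@example.com",
                        "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
                        "figures.xlsx")
    spoof = build_sample("alice@example.com",
                         "mx.example.com; spf=fail smtp.mailfrom=other.invalid; dkim=none",
                         "figures.xlsx.exe")
    for raw in (good, spoof):
        print(evaluate_message(raw))
```

The two constructed messages show the policy in action: the first is a colleague’s spreadsheet that authenticates and is delivered, the second uses the same colleague’s address but fails SPF and DKIM and carries a double-extension executable, so it is held. Running the same checks at the gateway rather than asking each employee to eyeball headers is the point of having a written policy.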
Spartan Controls: Given a limited budget, what is the one thing you’d recommend a company do immediately to stop a hack(s) from occurring?
Calce: Assuming the company has a decent firewall/VPN in place, I would spend the remaining security budget on employee training. The fact remains social engineering is still one of the most prominent types of successful attacks because people are uneducated on safe security measures. A third-party security pen test would be the next best option.
DK-LOK: What are the top 3 things that you recommend doing - on a daily basis - to best prevent hacking/enhance cybersecurity?
Calce: My top 3 recommendations all fall under the same category: be conscientious of what you’re doing on a computer. If it means changing your password on a regular basis and using more complex passwords, then that is something you should be doing. Be wary of clicking links and email attachments, even if it’s coming from someone you know. Be careful of the sites you might visit or the applications you might be downloading. I know it might seem simple, but the fact remains people are under the assumption they are not a target, making them careless.
Edmonton Valve & Fitting: Are anti-virus software like Norton and McAfee any better than the services that come packaged in current Windows?
Calce: Yes and no; the truth is there are much better third-party options. I must admit Windows has made a lot of progress with its Windows Defender, but there are still better options out there. I personally don’t like Norton or McAfee; the better options would be Avast Pro or Trend Micro Antivirus.
VEGA: What can companies do to ensure security as they adopt communication technologies like Bluetooth?
Calce: It’s very hard for companies to incorporate wireless tech into their infrastructure, simply because of the inherent flaws that come along with it. My best suggestion would be to avoid using any form of wireless tech if possible. If you must use wireless technology, it would be wise to incorporate the highest levels of encryption possible.
AUMA/Troy-Ontor: Presuming a small/medium business had:
1) marketplace anti-virus and firewall on every workstation, where the AV signature files are updated at least daily,
2) created system image backups of each workstation against any need to effect a complete workstation restore,
3) (most) client variable data stored directly on a file server as opposed to user workstations,
4) no Internet-accessing applications and very strict firewall settings on the file server,
5) extensive depth and breadth of backup of all client variable data stored on the file server (last 7 days and 4 Saturdays), where the rotational backup file system is completely isolated from any workstation access,
6) reasonably strong passwords, and
7) made an effort to educate users about accessing unknown URLs or processing any manner of attachment to e-mails from an unknown source, or where the ‘character’ of a message or attachment seemed ‘off’ from a known source…
what would the next most important steps be in establishing a business system security regimen?
Calce: The next logical step would be to hire a third-party security firm to validate all of the above. It would be vital to make sure the VPN they’re using is very tightly knit with encryption and authentication. Make sure that all open ports are constantly monitored, even if you think you have a very strict firewall setup. It really depends on the setup you have, but if a hacker cannot directly hack you he might check out your subnets and see if there is a crack leading to your main network. Due to the nature of how protocols are written, the best we can do is mitigate the risks; however, following the 7 security steps listed above would be an ideal setup and a great prevention against most hacks. I would have to take a closer look at the setup to elaborate more on what can be done.
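“Make sure that all open ports are constantly monitored” is easiest to do as a baseline comparison: record which sockets each server is expected to listen on, re-enumerate regularly, and alert on anything new, missing or served by a different process. The script below is an added example to illustrate that idea; it is not from the interview or from any company named here. It assumes the listener list comes from the Linux ss -tlnp command (the sample output is constructed, not captured) and that the baseline is kept as a list of address/port/process triples in the same script; on another platform the parser is the only part that changes.

```python
"""Open-port baseline monitor (added example; assumed ss -tlnp input, constructed sample)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; addresses, ports and PIDs are made up.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1021,fd=6))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=900,fd=5))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("python3",pid=2231,fd=4))
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}  # bound on every interface, so reachable from outside


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str


# Assumed baseline for this host: what is *supposed* to be listening.
BASELINE = [
    Listener("0.0.0.0", 22, "sshd"),
    Listener("[::]", 22, "sshd"),
    Listener("0.0.0.0", 443, "nginx"),
    Listener("127.0.0.1", 5432, "postgres"),
    Listener("0.0.0.0", 25, "postfix"),
]


def parse_ss_listen(text: str) -> list[Listener]:
    """Turn `ss -tlnp` output into Listener records (LISTEN rows only)."""
    out: list[Listener] = []
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        fields = line.split()
        addr, port = fields[3].rsplit(":", 1)  # works for "[::]:22" as well as "0.0.0.0:22"
        m = re.search(r'users:\(\("([^"]+)"', line)
        out.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return out


def audit(current: list[Listener], baseline: list[Listener]) -> list[str]:
    """Compare live listeners against the baseline and describe every deviation."""
    findings: list[str] = []
    expected = {(l.addr, l.port): l.proc for l in baseline}
    seen = {(l.addr, l.port) for l in current}

    for l in current:
        key = (l.addr, l.port)
        if key not in expected:
            scope = "externally reachable" if l.addr in WILDCARD_ADDRS else "local-only"
            findings.append(f"NEW {scope} listener {l.addr}:{l.port} ({l.proc})")
        elif expected[key] != l.proc:
            findings.append(f"CHANGED process on {l.addr}:{l.port}: "
                            f"expected {expected[key]}, found {l.proc}")

    # A baseline service that stopped listening is also worth a ticket
    # (crashed daemon, or someone replaced it).
    for (addr, port), proc in expected.items():
        if (addr, port) not in seen:
            findings.append(f"MISSING baseline listener {addr}:{port} ({proc})")
    return findings


def run_sample() -> list[str]:
    """Audit the constructed sample against the assumed baseline."""
    return audit(parse_ss_listen(SS_SAMPLE), BASELINE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample the audit reports one new externally reachable listener (8080, a python3 process nobody put in the baseline) and one missing baseline service (25/postfix). Scheduling this as a cron job that mails or logs a non-empty findings list gives a small business the “constant monitoring” from the answer above without a dedicated security hire; the firewall still decides what gets through, but the baseline tells you when the host itself has changed.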
...
To learn more about Michael Calce, click here.