Cyber security is relevant for everyone. Not everyone realizes it, however, and not everyone understands what those in the infosec industry take for granted. So how should security-minded individuals communicate with friends, relatives, colleagues and the general public about this important topic? What are the misconceptions regular folks often have about infosec, and what could we in the industry be doing better? Security consultant Laura Kankaala joins Janne for Episode 30 of Cyber Security Sauna for a discussion that touches on perceptions about hackers, FUD, data breach communications, and more.
Janne: Laura, you host a kickass podcast called “We Need to Talk About Infosec,” so you talk about infosec quite a lot. In your experience, what does infosec mean for Joe Average?
Laura: Well, I think it means multiple things. But first of all, I think if we take a person who does not work with computers, or they have a day job doing something separate from computers, they may use a computer as a part of their job, but it’s not their job to investigate the computer, like how to do things wrong, or they are not coders or stuff like that. So for them, I feel that infosec is how to keep my accounts secure, and how to keep hackers from hacking into my accounts and stuff like that. And then maybe if they have IoT devices they are concerned about those, like what if someone is looking at me through my surveillance camera? So I think it’s kind of an abstract thing –
A little bit vague, like I don’t even know how hackers operate, but I’m worried about them.
Yeah, kind of like – you have these things that you use on a daily basis, but you’re not actually sure how they operate. Like you use social media services, so you log into Facebook and you see that it works, you see that your friends are online. But what happens beyond that? It’s kind of like a black box, or something going on behind the curtain. So I think that also brings into the picture the kind of vision of a hacker who can do basically anything, so they can hack into your accounts just by looking at your phone –
But it seems to me the average person doesn’t really care that much about what happens in that black box. So is part of the mystique of a hacker the fact that they understand something that I’m not even remotely interested in?
Well, when it comes to someone who uses these kinds of services, but doesn’t work as a coder or a hacker, I think for them, they are interested in how their data is being handled, for example, or how you’re using your phone and how the phone is obviously communicating somewhere else, like how do these communications work? But I also think maybe people start to care about their privacy and about the status of their own security when they get hacked. So for example I get a lot of questions like can I hack into a hacked Instagram account, and these sort of things. I hate to be the person who goes and says “You should have used multi-factor authentication,”
Like after the fact.
Yes, because that’s not really helpful. But in a case of let’s say your Instagram or your Facebook or any of these services has been hacked, as a hacker, the easiest way for me to hack a person would be that I send them a phishing email trying to get their credentials by forcing them into a login page that is actually controlled by me. But if the user doesn’t know their password, then it’s hard to do it that way. And then I’ve gotten a lot of questions like “Why can’t you just hack Instagram? Why can’t you just hack Facebook?” And that’s not really something that I want to do or that I can do legally, and on the other hand, if it was so easy to hack into Instagram and Facebook and services like this, then I think we would really live in a very terrifying world, if someone would contact me and then that instant I could just basically hack into Instagram.
That’s more polite than just saying “Because hacking doesn’t mean what you think it means.”
Yeah, I think a lot of people have maybe a bit of a misconception, especially if you have a case of hacked accounts, or a case of lost credentials. Basically what you could do is brute force the login page, or try to see if the user has been part of another breach where their password has been leaked, and see if that works. But these things are – it’s not really doable. So what I typically just tell the people that come to me and ask these things is that basically, you just need to contact Instagram or Facebook and try to recover your account.
Yeah. But it would be ideal if people didn’t have to get hacked before they get interested in information security, so what do you feel when you hear a person say that they don’t care about infosec?
I hear that a lot less nowadays than I used to. I think the public mentality of infosec and accounts being taken over, it has shifted somewhat. That’s my perception of it, I don’t have any statistics on this –
Or at least people have stopped saying that.
Yeah. Or at least they don’t ask me, like, “Why should I care?” Because it’s also on the news all the time, that this breach happened and this data was found to be sold on the internet. And I also think that identity thefts for example, when it comes to these Instagram accounts being hacked, or these kind of things happening, and they are happening quite often, so the overall notion of security, it has changed. Like, “Yeah, I really need to focus on this and I really need to see that my accounts are secure before something happens.”
Do you think the general public understands what hacking and hackers are?
Yes and no. I still think that, you know the stock photo of a hacker, sitting in a basement?
With a hoodie on.
Yeah. I still think that stereotype is very much alive, and I’m not saying it’s a bad thing, but I also –
I’m not saying it’s untrue –
(Laughing) I’m not saying it’s untrue, yes – but hacking is a profession, so no one wants to spend all of their days in a basement, in a dark damp place, hacking away, when they could be sitting in an office space with brightly lit rooms and with people around you. And I think these kind of mental images, while they’re not bad in that sense, they also give out this very mysterious feel to the hacker. So the hackers are basically magicians who can get into any kind of system, or like it would be super easy to always hack stuff. Sometimes it is true that something can be hacked easily, but that is not always the case. Like for example, with the accounts.
Right. Yeah, it’s almost like a video game, like ‘press X to hack.’ And then people are like, “Why can’t you just press your X here and hack this?”
Yeah. And I think in popular media, if you think about it, there’s a lot of these kind of depictions of – what’s the game, have you played Watch Dogs, for example?
Yeah, it’s like very – you know, you just press a button and hack stuff. Or any kind of video game, it depicts hacking as more like a simple puzzle solving kind of thing.
What’s your favorite way of explaining what hacking is to someone who doesn’t know?
My favorite way of explaining it would be that what you require to be a good hacker is that you need to have good sitting muscles so that you can sit for extended periods of time. So that whenever you look at something and it cannot be hacked overnight, you just need to have patience, because maybe you are the person who just put enough effort into hacking something so it can be hacked.
I’ve tried various similes, like the TV chef, like “Here’s one I prepared earlier.” It’s all about what you prepared earlier, and not so much about what you can do in the moment, and I think to my more nerdy friends I talked about how in Dungeons and Dragons, the magician has to memorize spells before he can cast them, stuff like that. Something that emphasizes that you have to do your preparations before you’re at the point where you can just hack something at the snap of your fingers, sort of building the tools and that. Do you have similes that you use?
I think the sitting muscles is the one that I use, because I feel that when I do hacking as a part of my job, it just requires a lot of patience. Not only while doing the job, but before you can do the job, you need to have some basic skill level. So I think it helps if you have patience or if you have just overall interest in computers, in coding, in building infrastructure, so that you get familiar with these things. But it takes time, naturally, as with any trade. You don’t get good at it overnight.
Yeah. I think I once said that hacking is about research. You do the research and then when you’ve done it, you know something, and then you can deliver your knowledge whenever you want.
Yeah. And it also helps if you know what kind of research other people are doing. So if you follow blogs and Twitter and see what kind of things people are hacking, because naturally you cannot be the one to hack everything, because the world of the internet and the world of systems, it’s so vast, that you simply cannot be everywhere.
We in infosec like to talk about different hat colors, but do you think white hat or black hat has any significance for the man on the street?
I think it does. Well, if it doesn’t, I think it should, because there is a clear distinction between those. A black hat would be someone who hacks something with criminal intentions in mind, so they want to profit out of hacking something or selling something, like selling exploits or selling people’s data. But for white hat hackers, the incentives are not the same. So they want to break something out of curiosity, or break something out of making things better in the future.
But also disclosing the vulnerabilities responsibly and helping the manufacturers fix things.
Yeah, absolutely. So they don’t, for example, try to sell the vulnerabilities they find.
Drop zero day on Twitter.
How could we in the infosec community do a better job in communicating what information security and the work that goes into it actually is to avoid these misconceptions, you know, when there’s a vulnerability or a malware outbreak? Are we doing a good enough job in explaining what this means and what you should do?
I think that sometimes yes, we are communicating these things really clearly and well, but sometimes – let’s say that a breach happens. And then probably you can read about it on the news, and then you may get an email notifying you that your data was breached from the company that was breached. But unless this has a direct impact on you, it can be hard to understand what’s the actual thing that I should be scared of. So let’s say that a governmental database gets leaked online, it’s not protected enough, and all of the citizens’ information ends up being accessible to anyone online. Then even though your social security number, your home address and everything gets leaked, it may not necessarily result in anything bad happening to you directly, even if your data is being sold on the internet. So I think we should make people understand that once this is out there, it will be out there forever. We cannot scoop back the things that were breached. We can, for example, if it was an account that was breached and your password was breached as well, it’s easy to change the password. But if your social security number was breached, it’s harder to take that back, unless you want to change your gender or something like that.
But then again, what do you do in a situation like that? Like you said, you can’t change these things, so the information that this leak happened, what is there to do?
If there was a password, or your credentials, or let’s say credit card, then you can naturally take action and change your password, you can change your credit card, but, you know, that’s the thing. When data that should not be available to the public eye, let’s say, social security number, gets leaked, what can you do? The best thing you can do at that point is to know that it was leaked somewhere.
So can you think of any examples that you’ve seen of really poor infosec communication to regular users?
Well I think really poor communication is, for one, no communication at all. Because the sad fact is that these breaches, they do happen, and you cannot always protect from this. But if you are a mature enough company, you should be able to communicate this to your users, just so they know that this and this data is now basically compromised. But was it last year or the year before that the Equifax hack happened?
So they got basically hacked and all of their user data was leaked, or most of it at least. And they agreed to settle some money for the users whose data was lost in that. And basically they then promised to pay 100 or 100-something dollars to the users. And not only that, they required the users to have some form of credit card monitoring or protection in place. So there were these conditions, like, okay, we kind of lost your data, but now we won’t pay you even 100 dollars to compensate for that unless you have this and this in place. So I feel that, you know, you’re playing around your responsibility and not following through. It’s not setting a good example.
Can you think of examples of good things that have been helpful communication in case of a breach?
Yeah, I think most of the notifications that I’ve gotten, they have had exact steps that you can take, or action points, like go change your password, or go invalidate any sessions if you have any extra sessions in your account, or stuff like that. So they typically do have something of the sort, if I recall correctly. So I think a good communication would be that you do it as fast as possible, and to the people who actually have been breached, and then tell them that “Okay, we suspect that your account may be breached, and go change your password, and enable multi-factor authentication,” and that you give these concrete action points for your users what they can do next.
That’s good advice. I would add, be honest. You just got caught with your pants down, don’t make it any worse. The best thing you can do in this situation is be honest about what happened.
When it comes to sales, do you have these kind of – like I know that you go to customers, and you sell our services. So do you use these things as an example? Like let’s say that, “You don’t want these things happening to you.”
That depends. Some of my contact people, the people I meet, are very aware, they understand the risk. Sometimes the case is that they know what the situation is, but they have to convince other people in the organization, and then it becomes political and they can’t get things to move ahead. So I don’t have to – like, I don’t like to scare people, without providing examples of how to do better, so it’s not so much that I have to convince the guy I’m sitting across the table from. It’s more that we, working together with him, we have to come up with a way to convince everybody else in the organization, or the people holding the purse strings. So in those cases I try to come up with an example from their industry, something that my contact person could use to highlight the issues and make his work easier. I think that’s my job, making my contact person’s work easier.
Yeah, so not to scare them to death.
No. The industry gets criticized for promoting FUD, fear, uncertainty and doubt, but where do you draw the line between FUD and informing people of the dangers of poor security?
Well, first of all, I think the things that we are dealing with, they are very severe in nature. So let’s say a company or a person gets hacked, the implications could be really severe, but when we bring this FUD into the picture, that doesn’t serve necessarily anyone’s purpose. It only serves the purpose of maybe selling more stuff. But let’s say if you are advertising hackers as these all-powerful people who can sit outside your home and with a Wi-Fi Pineapple they can just look at all your web traffic and see everything you’re doing there, without any extra effort, I don’t think it serves anyone’s purpose that we are not being realistic. I understand that people who don’t work with computers, they don’t have to understand technicalities of how these things work, but we shouldn’t tell them lies, either. We shouldn’t tell them something that is not actually doable. I think that’s happening less these days, but I still see it happening.
Yeah, but it’s sometimes hard to draw the line. I got called a fear monger once by a customer, when I was stating something like “Unless you improve the security of this and that system, you will get hacked.” And they were like, “Oh, you’re fear mongering.” And I’m like, “No sir, I’m not fear mongering. I’m stating a fact. This will happen.”
Yeah, and then I think in that case maybe it’s just that their reality is quite scary sometimes. And then you just need to be real with yourself and admit the risk you’re taking as a company if you’re exposing too much.
How do you handle a situation if you see somebody do something that’s risky security-wise like leaving their laptop open and unattended?
I travel quite a bit, so I constantly see people in cafes, in the train, in the plane, they leave their laptops open, or they leave basically all of their belongings there, they leave their phone there, so let’s say that if I was with bad intentions, I could just take their phone, and if they haven’t changed their PIN code from one of the default ones, 0000 or 1234, or one of these, I could just basically potentially access their social media accounts, reset their passwords, because we use our phones to log in to Twitter and to Instagram and to these services. So it gives me a tiny bit of the creeps whenever people do this, and once I’ve told a person who left their computer open in a train that, yeah, maybe you shouldn’t do that. But typically I just look at them very…very long…(laughing)
In that typical Finnish passive aggressive way.
Without saying anything, but they get the message.
They get the message, I hope. (Laughing)
One of my pet peeves when traveling is when people want to charge their devices, and they’re just looking for a USB port anywhere. And wherever they can find a USB port, they just stick their device in. And I’m like, “Don’t do that. You don’t know where it’s been…what’s coming from that port.”
So talking about building awareness in the workplace, are there any techniques you think are particularly good for educating employees about security?
I think that if you can do some kind of hands-on training, that’s the best. Because to be honest, with all the love and care in the world, I know these people who make these trainings, the slides, and there’s multiple options and you need to pick one, and then after you’ve done one hour of that you have no idea what you actually did. So I think those have their time and place naturally, and you shouldn’t disregard those. But for me personally, I feel that if you can do something more concrete, more hands on, it’s better. Like the service where they send the phishing emails periodically to your employees…it’s gamifying the phishing. But I think those kind of things, if you can somehow make it more concrete.
No, I agree. Phishing simulation is a great way to build employee awareness, because you get the training. It’s a mini training, it takes a minute, and you get it when you need it, like when you’re facing that situation. I think that’s wonderful.
Yeah, and then another thing is that if you can somehow raise awareness by having kind of like a red team exercise, but have people just come to your office, and then see when your employees spot them out, and whenever they spot them, you can hand out rewards to your employees who spotted them.
Yeah, like where you get a reward for challenging the guy, like “Where’s your ID badge?” “I don’t know, but here’s movie tickets for you.”
Yeah. I mean, you don’t have to tackle them to the ground, you can just ask who are you, why are you here, why don’t you have a badge with you.
Yeah. We also did an exercise where we were tailgating people, having somebody open a door for us and walking in after them, and when somebody did that and didn’t challenge us, we’d give them a flier, like “Here’s a flier, check it out when you have time,” and the flier was like “You just got tailgated, and this is how that happens, and don’t let it happen again.”
Yeah, and I think those things, they are so concrete and you are participating in it, so these things are really good. I think in some cases these things go a longer way than just having a PowerPoint presentation about information security.
You mentioned inviting everyone to the auditorium for a two hour session, an infosec infodump. Are there any other bad examples of “This is not how you build security culture”?
I think if your employees are scared of admitting that they made a mistake, like let’s say they clicked on a link they shouldn’t have clicked, then you’re already breeding bad culture into the workplace. So you should have open culture, like open for mistakes. Because any one of us can make a mistake. Like I once lost my company phone and I was terrified, like what kind of a whipping am I going to get? But then I just instantly called our CISO, and it was fine, it turned out to be fine. Nothing happened, and the phone was wiped remotely and everything. So typically these things are not as bad as we imagine them to be at first when they happen. So it’s actually better if you actually do click on a link and if you actually do give your credentials to a shady website, that you actually do contact someone, or anyone responsible for security at your office. So I think just having an open mind and reminding your employees that we all make mistakes and it’s okay, and you can just tell us whenever these things happen, I think that goes a long way.
Should those kind of stories be communicated within companies, like “Yes, Lisa here clicked on a link she shouldn’t have but that will happen to people, but then what stopped a really bad thing from happening was that she reported it super fast, and we got in front of it, and we were able to prevent anything bad from happening, so this is what you should do.”
Don’t mention any names, because then it goes to public shaming, like “Oh no Lisa, why did you do that?” It’s more like, “Yeah, we had this case of someone clicking on a link, and then we were able to react to it quickly, because we had the information.” So I think you should always try to protect individual people from getting ashamed, because these things, they do bring a lot of shame to us.
I’m noticing, even with all the positive things I was saying about Lisa, the thing you remember is that she clicked on that link in the first place.
Yeah, absolutely. And then you’re like, No, I don’t want to be like her. But that’s not the lesson you want to teach. The lesson you want to teach is react quickly, and tell someone. Because these things, even if it was a mistake, or if you did something by accident, it’s still, there’s a lot of stigma around this, you don’t want to be the person who is on the news and everywhere, like yeah, this person f****d up.
Yeah, and like combined with the fact that a lot of people don’t know what they should be doing. You’re put in a situation where you’re not sure what you should be doing, like what would be the correct course of action, but then you’re afraid of being shamed if you don’t do the correct thing, which you don’t know.
Yeah. I don’t know if we can ever get rid of the shame we feel, because it’s part of human nature to be ashamed of a mistake happening, but that’s why I think it’s important to protect the individual from being shamed publicly.
Yeah, right. So what’s the best advice you can give, what’s the advice you find yourself giving most to your friends and family and whoever?
If something is too good to be true, don’t trust it. Nowadays the issue is not so much with email because email filters are getting quite good, but even still, we do get some spam email that somehow ends up coming through –
Well, it also tends to be better than it used to be because it’s been through all those filters, and now by the time it gets to me, it’s like super good.
Yeah. But always what I tell my friends and my family is that if someone is asking you to log in, and they are providing you the link to log in, then always think twice before clicking the link and logging in, and also –
But some legitimate companies do that as well.
Yeah, they do, but then if your bank is asking you to go log in quickly, like go as fast as possible – then you can just type out the URL for the bank yourself, you don’t have to click on the email link. And then also, I think recently there’s been a lot of cases of those text messages, where for example someone pretending to be the postal service is sending a text message asking you to pay X amount of money in taxes, or something like that. You can fake the sender phone number easily, so always take them with a grain of salt if it seems to be coming from Posti, or the postal service, you can always take a second and think before committing your credentials anywhere or paying anything.
Actually one of the things I like to do for my friends and family is about credentials, specifically. I talk about password managers. I even did this little event where I invited my friends over and gave them a little talk about “This is how passwords get cracked and leaked, and this is why you should have a good password, and this is what makes a good password, and let’s all think of a good passphrase right now and register a password manager.” And I made everybody in the room get a password manager and I had my TV screen display my phone screen and I was showing them “This is how you use the password manager,” and I called them a week later and made sure that everybody started using the password manager.
(Laughing) It’s kind of like, you know, those Tupperware parties.
Absolutely. Yeah, yeah.
Only regarding infosec.
No, this was more like cult recruitment. But I was like, “But I’m a force for good.”
So we were talking about fooling people and sending them fake SMSs and fake emails. Do you think a part of the reason people fall for those is that it’s hard for a regular person to know what is possible to fake and what isn’t? So do people know that it’s trivial to fake the sender of an SMS?
Yeah, I think when you get a text message, you don’t think twice. Because if you have previous messages, legit messages from the postal service, it will come under those, because it’s coming from that same phone number. I just always think that what you should keep in mind, no matter what kind of medium you’re using, if you’re using text message or email, or if someone is contacting you on Facebook, you should always ask why. Why am I getting this? Did I really order something? Do I really have to pay something extra for this? Or am I really that good looking that this handsome guy is now sending messages to me? Just you know, there are so many scammers out there, and it’s so easy to hide behind a fake profile. Or it’s so easy to fake the text message, or it’s so easy – well, easy if you can get it to go through the email filters – but it’s easy to make a phishing site where you can just harvest credentials. So all of these are trivial to do.
Yeah, absolutely. Hey, I want to thank you for taking the time to be here with us to talk about infosec. This was an awesome conversation.
Thank you so much Janne, for having me.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.