Kevin Beaver, author of Hacking for Dummies, has been working in internet security since the advent of the "world wide web". Now he's a security consultant who trains employers to fraud-proof their businesses. In this episode, Kevin shares how businesses can patch up their weakest link in the fight against data breaches: their employees.
Evan: Welcome to “Trust & Safety in Numbers” presented by Sift Science. I’m your host, Evan Ramzipoor. When Kevin Beaver was younger, his mother suggested he go to college and study these things called computers.
Kevin: She thought they were gonna be really big someday and, man, did she hit that nail on the head.
Evan: He took her advice and when he was still in school, something called the World Wide Web came into existence.
Kevin: As you can imagine, it was sort of the Wild West back in those days and it was a real challenge.
Evan: But Kevin survived the rattlesnakes and gunfights of the Old West and he came to write a book you might have heard of. It’s called “Hacking For Dummies.” The sixth edition was released recently and you should definitely check it out.
Kevin: Since 2001, I have worked for myself. So, I’m an independent information security consultant based in Atlanta, Georgia, and my company’s called Principle Logic.
Evan: Today, Kevin and I are chatting about whether tried and true methods like phishing are still a threat at an age when you can buy stolen Social Security numbers on the dark web for just a few bucks. Kevin also has some great insights into how businesses can train employees to avoid pitfalls that leave the company vulnerable to attack. But first, let’s warm up with a quick fraud fact.
Did you know that fraudsters have started preying on unsuspecting victims by creating fake free gift card sites? To learn more, check out “Digital Gift Cards: Fast Gift Giving, Even Faster Fraud” on the Sift Science blog. Now, onto the interview.
So Kevin, some of our listeners will already know your name from the book, “Hacking For Dummies.” How did you come to write it?
Kevin: I started out writing articles and I still do. I just wrote my 1,000th article earlier this year. But I also branched out into writing books early on and that really helped. And my most popular book is “Hacking For Dummies.” I wrote the first edition of that book back in 2003 and fast forward to today it’s now in its sixth edition. Back in the day, this was sort of after the dot-com bust. And I saw a need. This whole concept of vulnerability and penetration testing and hacking and internet security, as it was called at the time, was just becoming more and more popular. And I proposed it to Wiley and we went back and forth for a few weeks and they liked the idea and boom.
Evan: One thing we’ve learned from recent high profile data breaches is that businesses can do everything right to protect customer data. They can choose a robust fraud prevention solution and implement it quickly. But if their employees aren’t trained to avoid certain pitfalls, businesses can still fall victim to scams. What are some mistakes employees make that leave businesses vulnerable to attack?
Kevin: I will say that the most common issues are people using weak passwords, using shared passwords across various business and personal systems. Of course, clicking on malicious links, opening up malware infected attachments, and just generally being careless with their mobile devices, their laptops and so on. So, you know, looking at the bigger picture, it’s overall gullibility when it comes to using a computer system.
And it’s interesting. There are two sides to this coin. You know, it’s users making bad decisions and dumb mistakes. What I often witness is business leaders and mid-level managers and even IT and security staff not setting their users up for success. You know, they often have written policies but no one knows about them or even cares about them. If they do, or if people are aware of what’s expected, then the policies are not enforced. I would venture a guess that 80% to 90% of the documented security policies I’ve seen, you know, a lot of businesses go through the motions, checking the boxes and making it look like things are getting done with security when in fact it’s this facade that’s covering up a lot of the underlying problems that will surface eventually. If you want to minimize your security risks, then, you need to not let users make security decisions wherever possible. It’s really that simple.
Evan: In the wake of last year’s major data breaches, a lot of user information is available to buy on the dark web. It’s shockingly cheap too. Passwords, email addresses and Social Security numbers available for just a few bucks apiece. With such a buffet of information available to fraudsters, has that led to a decline in methods like phishing attacks which target employees or are fraudsters continuing to rely on tried and true methods like phishing?
Kevin: I do a lot of email phishing in my security assessment work and it’s crazy how many people are not only willing to click on unsolicited links and open random email attachments, but also to provide their network usernames and passwords when prompted. So, you know, the problem starts as soon as that link is clicked or as soon as that attachment is opened and that in and of itself can constitute a malware infection or a subsequent data breach, whatever.
But when people are willing to provide their usernames and passwords, then all bets are off. Yet I see it all the time. And you know, it’s one poor decision after another that leads to an incident or a confirmed breach. And those, in turn, lead to fraud, identity theft and, you know, all the scary things that we’re hearing about in the news.
So I would say no because it’s still an easy method of attack. You know, there’s very little resistance that’s put forth. In many cases, these emails can go undetected and the users may not even want to report what they did to IT or security staff or management. I think the fraudsters are going to continue seeking out these paths of least resistance. You know, going after that low-hanging fruit, like phishing, is gonna provide the highest payoff.
Evan: When it comes to phishing and similar attacks, are there certain industries and verticals that are more vulnerable than others?
Kevin: If I had to pick one, I would probably look at healthcare. You know, I’ve seen some studies that show that they are targeted the most and consequently have the most breaches. And there’s truth to that. In many situations, regardless of any HIPAA compliance mandates, a lot of organizations operating in healthcare simply don’t have control over security. You know, they’re not nearly as resilient as their contracts or their business associate agreements or even their notices of privacy practices would lead you to believe. And I think that’s a problem. I don’t want to pick on healthcare too much, I do a lot of work in that space, but it’s certainly a challenge. But looking at all industries, you know, everyone is fair game for attack. There are certainly some motivators for attacking the financial services industry, you know, with the money that’s involved and the same goes for pharmaceuticals and manufacturing, with all their intellectual property, but still, everyone is at risk.
Evan: So I’m sure everyone who’s listening is now wondering what they can do to avoid falling prey to attack. So what are some actionable steps businesses can take to help employees avoid pitfalls that can lead to security vulnerabilities?
Kevin: I do think a lot of executives and managers just assume that things will work themselves out because IT and security are spending time and money addressing whatever. They’re staying busy therefore things must be happening, but that’s not the case. You can’t secure the things that you don’t acknowledge and there are untold IT-related risks in any given network environment at any given time. This very moment, regardless of how sophisticated the security program is, regardless of how big or small and simple the business is, this is going on, you know, just around the world. And I think that’s the big challenge that we have and it’s really just a matter of time before all the stars align and something is exploited and you end up with an incident or breach. Again, all it takes is one bad decision on the part of a user. Businesses have to do what it takes to set their employees up for success. And you do that by properly setting expectations through policies and ongoing training and then you follow up.
You know, in many ways I think we expect too much of our users. At the end of the day, they are not computer or security experts and you have to minimize their decision making power and replace it with business workflows and systems and technologies that keep them from harming themselves and the business. It’s okay to have documented policies. I don’t want you to think that you shouldn’t document and set people’s expectations and whatnot. The thing is, you just can’t rely on them. It’s a great idea to train your employees. You just can’t expect that users are always gonna make the right decisions. And you know, it’s essential to test your users via phishing and things like that. You just have to know that they are going to make mistakes. You sort of have to expect the milk to spill.
I give a lot of presentations and I have the slide of a glass of milk that’s falling and it’s splashing onto the ground. And it’s a great visual because it totally ties into what we’re talking about here. You have to expect bad things to happen. Expect that the worst is gonna happen, but then have systems and plans in place to minimize the impact on your business. It’s a lot of small pieces and moving parts that you have to pull together over time that will help contribute to a functional and effective security program.
Evan: Thanks for joining us on “Trust & Safety in Numbers.” Until next time, stay vigilant fraud fighters.