Catch Denim Group at RSA – Booth 3440

John Dickson TEDx Vail

The Resilient User – The First Line of Defense Against Sophisticated Attackers

Presented by Denim Group Principal John Dickson

TEDx Vail 2018

If we can become more resilient users, we just might change that equilibrium, and just might make it harder for hackers to steal our money and information.

Watch my presentation from TEDxVail or read my prepared remarks below.

Following a long day work, you get home, fire up your computer, and look forward to an evening of well-earned Internet surfing and gaming when you see a message stating: “Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible.” Your heart starts to beat like a rabbit, you have a sinking feeling that something is very, very wrong… You start to process information, and realize you have to pay the unknown hacker in something called Bitcoin to unencrypt your hard drive. All the photos of your children for the past five years? Gone. All your financial records? Wiped out. The first chapter of the novel you’ve been working on for a year? Deleted. You tell yourself this type of stuff does not happen to me! Sadly, when it comes to being hit by ransomware or malware, for most it’s no longer a matter of “if” but “when.”

I’m John Dickson and I’ve been a cyber security guy for over twenty years. I’ve spent the better part of my career protecting large companies and other organizations from attack by a rogue’s gallery of bad guys and hackers. I’ve always been troubled by the fact that individual users like you and I continue to struggle to protect ourselves. I can’t help but feel from time to time that the odds are increasingly stacked against us.

Such is the case in May 2017 when the now infamous Wannacry ransomware first debuted on the world stage, locking up an estimated 230,000 computers in over 150 countries, humbling large organizations such as FedEx. After several days we realized most of our clients had dodged a bullet with Wannacry … until I got a phone call from my parents. They couldn’t access the files on their computer. I whispered to myself, “Oh no…”

They had been hit, but luckily had recently backed up their PC and were able to restore their pictures, family tree research, financial data, and the rest of their sensitive documents. As the triage session with my parents wound up, my mom asked me “what could we have really done to prevent this?” I answered by providing a standard laundry list of computer security basics – don’t click on unknown links, keep your computers up to date, etc., etc.   Unlike me, they are what I call “civilians” – “lay people” they are regular users not involved in the titanic behind-the-scenes struggle between black hat hackers and white hat defenders. They are users with enough computer skills to navigate Word and Outlook and the browser of their choice. They are not IT professionals, or “elite” security experts, nor do they understand operating systems, and they sure as heck have never looked at source code. I kept thinking, and I arrived at a harder question. How can “normal users really protected themselves from increasingly sophisticated cyber security threats?”

We need to start with ourselves. Hackers know that if they cannot break into your systems via technical means, they will attack the weakest link – the human being – us. So, before we fix the Internet, we need to look inward to ourselves to fix the weakest link. To that end, I would like to introduce the concept of a resilient user. The concept is exceedingly simple. The resilient user is someone who changes the equilibrium by adopting online habits that make them less susceptible to hacking. In my worldview of security, this boils down to three habits that will change what experts call our “attack surface” – our online exposure to hacking.

The first concept involves technical protections – we have to be more “Rigorous” to make sure our systems are up-to-date and prepared for the onslaught of attacks once connected to the Internet. The second concept around resilience involves being more “Mindful” – being far more aware of our online behaviors because they have such a direct bearing on our personal security. Finally, my last thought around resilience involves being far more “Private” online. What I mean be this protecting our personal private information better. It’s not only because that’s the right thing to do, but increasingly important because hackers many times use your own information against you to craft their attacks.

Let me make a point here. Despite the warnings, we still download apps that we know little about…. We click on link sent to us by friends, and we don’t update our computing devices as quickly as we should. In case you thought it was only other people who do this stuff, let me introduce you to my little friend, the Pineapple. The wifi Pineapple is a wireless auditing device with a cool Yagi antenna that does some particularly interesting things. First, you can set up a fake wireless access point. Take a look at your wifi settings on your phone for a second – Do you see “Free_TedX_Wireless?” that was me, or should I say this guy! Unsuspecting users looking for wireless access find this available public wifi and log on, giving me all kinds of juicy password credentials. It can also download the saved internet profiles you have stored on your device, including work and home access.

So let’s have a mind shift in the way we conduct ourselves on line. Let’s adapt a concept from the physical world, defensive driving. Most of us understand concepts like the “two second” rule that provides drivers a safe distance between themselves and another car or the idea to not put yourself in a risky situation so I can’t think of a more fitting metaphor. So many of the problems we have with internet security involve users putting themselves in dangerous positions, then doing something seemingly innocuous that creates catastrophic results. The key is to not put ourselves in dangerous situations.

Let me address the more “tactical” approaches to becoming more resilient. First, we need to be more rigorous in our technical defenses. You wouldn’t jump in a car a head somewhere knowing you brakes are about to fail or you drive at night if you knew your tail lights were out. Yet, we often times hop on the internet with computers that haven’t been updated in months, or who don’t have the latest anti-virus updates installed putting us into a dangerous position and exposing us the latest sophisticated malware that’s just one click away. Part of increasing our defensive rigor is to keep pace with the fast-changing updates – most of which are security-related these days. These updates – “patches” as they are called fix vulnerabilities that hackers use gain access to your systems.   That also might mean having a backup process that you are confident contains your most critical information – those family photos and your first novel – so that when you do get hit with ransomware the results are not catastrophic.

The second thing we can do is be mindful of our online actions. That can include being more suspicious of wireless access points we try to connect such as “Free_TedX_Wireless.” We’ve been also trained not to click on links or open files, but too many times we still do so. These actions allow hackers to gain entry to your systems. Trust your intuition. What seems fishy probably is. Following internet security good hygiene rules that have parallels to the physical world of defensive driving are a positive start. If we accomplish this, we ultimately will make hackers jobs harder, which is a good thing. No longer be the weak link that hackers think you are.

Another thing we can do to make hackers jobs’ harder is to do a better job protecting our most private data. That includes no longer giving up our most private data in exchange for “free” in many instances.   Why is this important? Our private data can provide attackers important clues – or pretext – that they can use against if they target us. A Denim Group client used his “favorite vacation spot” as his shared secret for his domain registration and got completely hacked. The hackers just looked it up on Facebook. Oh, by the way, my first girlfriend was Marilyn Monroe and my first car was a Lamborghini, so you don’t actually have to put down the true answer to easily researched shared secrets!

In the behind-the-scenes Internet security “fight” between powers and good and evil, you may get the sense that we, as a society, are losing. That might be the case at this precise moment, but if we apply the concepts of technical rigor, become more mindful of what we do online, and are more self-aware of the private data we easily give up, I believe we can alter the balance of power between the attackers and the attacked. If we can become more resilient users, we just might change that equilibrium, and we might make it harder for hackers to steal our money and information, making the Internet a better place to exist

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO's) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
More Posts by John Dickson