Eric Douglas Published

Cyber Security Means Not Clicking On That Link


COVID changed the way we used the internet. Whether for streaming TV, buying groceries, or video-calling, many people created new online accounts during the pandemic. As we spend more of our lives online, it’s increasingly important to keep our information safe.

October is Cybersecurity Awareness Month, and experts are urging consumers to protect their accounts. That includes being mindful at work, where ransomware attacks on companies often happen when an employee clicks on a link that they shouldn’t have.

To find out what we all need to know, Eric Douglas spoke with Bill Gardner, a white-hat hacker and a cybersecurity professor at Marshall University. He says there is a tremendous demand for people trained in the field.

Douglas: October is Cyber Security month. Where did that come from?

Cybersecurity professor and white-hat hacker, Bill Gardner.

Gardner: That was originally floated by the federal government because we need to do better with cybersecurity. Every breach we have is the worst one in history. Right? There’s things users can do to protect themselves, and that’s the whole thrust behind it.

Douglas: Let’s talk about the ever-escalating breaches for a minute. What’s going on for the average Joe? What should I know about my personal cybersecurity?

Gardner: From the top-down approach, agencies who work on this problem need to share data. And they’re not always doing it. We need to keep an eye on threat intelligence, who the bad actors are, so we can do a better job defending against them. As a person, it’s the same old adage. It really hasn’t changed a lot. Be suspicious of email when you don’t know where it’s coming from. If it sounds too good to be true, it probably is. If you get a text message from AT&T, go to the AT&T website or through the AT&T app to see if it’s legitimate or not.

If you’re expecting a package from Amazon, or through FedEx, don’t just click on links that are sent to you saying it’s been delayed. All those things are the things that hook you. We call it phishing. It hooks you into clicking on an attachment or going to a web page that’s compromised. If you look at breaches, probably 97 percent of them are caused by what we call social engineering — phishing. People posing as people in power or authority are who’s getting information from you or from your organization. Look at every large breach. There was phishing as the initial compromise. So it’s a matter of fixing human behavior.

Douglas: It all comes down to social engineering. They’re trying to trick people into doing something to give up personal information.

Gardner: Yeah, it’s basically being a con artist on the internet. That’s as old as civilization itself. It’s just that with technology, it makes being a con artist a lot easier. They can reach people across the world. And you can be in a country where what you’re doing isn’t a crime, or you’re being protected by a host country because you’re acting in their national interests.

Douglas: There are some bad actor countries that are encouraging people to hack.

Gardner: Look at ransomware. Ninety percent of ransomware is coming from Russia. They’re living in Russia and they’re being protected in Russia. There’s videos of the ransomware gangs out driving their Ferraris doing donuts in Kremlin square. So we know who they are, but we can’t reach out and touch them. We can’t go arrest them because they’re being protected by the Russian government. And the Russian government also has ties to organized crime. So all this sort of fits together in this little puzzle.

Ransomware actors have actually started targeting critical infrastructure like pipelines, meat processing. I was talking to someone who worked at Budweiser who said that the people that make their brown bottles they put beer in got hit by ransomware. They were offline for two or three weeks. All these things put kinks in the supply chain. Any sort of ransomware hacker that’s acting against the American national interest or is working to destabilize the United States actually helps the national interest of our adversaries, whether it be Russia or any other adversary.

Douglas: We’ve talked about two different levels. There’s the direct human interaction, the phishing, and then there’s this whole other level of ransomware going after the big companies.

Gardner: The initial footholds of ransomware are phishing. Hackers don’t attack firewalls anymore. We’ve done a good job of building these super deep, wide moats around our castles where our data’s housed. Social engineering is directly attacking the inside of this fortress. For example, you can be in the most secure network in the world. But as long as you click on that attachment or open that email that’s when you become compromised. From there, the bad actors can actually pivot through the network.

Douglas: It’s not hackers forcing their way in anymore. It’s somebody opening the door for them.

Gardner: They’re talking their way in. It’s an email, it’s a text message, it could even be a fax. It’s just some way of getting someone inside that organization to give access, whether that’s verbally over the phone. If you call in and pretend you’re part of that organization, and say you need to change your password, that’s a very common one too.

The people doing this are spending a lot of time studying their targets. They’re going to find out who works at the organization, who’s responsible for what, they’re looking at an org chart, they’re going to figure out what technologies are being used inside that organization based upon employment ads.

It takes a lot of time, it takes a lot of money. And in the case of ransomware gangs and other organized hackers around the world, they have money because they’re stealing it, and they’ve got time because they don’t have to ever write a report, they don’t have anyone to report to, they’re just trying to sustain themselves. They’re not worried about business processes. It only takes a defender one time to be wrong.

I think the reason we see so many compromises, you’ve got armies of these foreign countries that are using hacking as a way of destabilizing the United States of America.

Douglas: Whether it’s Russia or North Korea or China, it’s actually part of their governmental process.

Gardner: We’ve documented that. The most important thing we do now is share that information across verticals, government, private industry, people who engage in critical infrastructure, power companies, pipeline companies, water systems. These are all things that we depend on. We don’t always think about it, but they’re major targets.

Douglas: One of the aspects of Cybersecurity Awareness Month is some of the educational opportunities. What are some of those?

Gardner: We’ve got a couple of different cybersecurity programs here at Marshall. We are actually in the College of Science. We teach a very vocational, very hands-on program. That makes it different from most cybersecurity programs. You actually use the tools used in the field. We have a cybersecurity program in computer science, which we do a lot of collaboration with, and I actually teach two classes for the College of Engineering computer science cybersecurity program, as well as in our program and College of Science.

There are hundreds of thousands of unfilled positions because we can’t produce the number of graduates to fill the jobs that are needed. So it’s a growing field. It’s an exciting field. It’s high-paying jobs once you graduate. Our students go on to do exciting things.