I was recently asked to speak with Mansoor Tamweer, a reporter with Ryerson University here, about what the public should know as a general overview on Cybersecurity. For me, it’s a privilege to be asked, and my calling to help others.
I don’t come from a traditional technical background. Infact, as I’ve often shared, I really didn’t think I could learn “tech”. Until I sat down and took apart a computer and discovered the fun of learning hands on. That morphed quickly into becoming a software junkie. Back in the day when software suites were the thing: Lotus, WordPerfect, Microsoft. Like Pokemons, I had to catch ’em all. Again though, learning for myself dispelled my old fears and hesitations. Instead, I understood things at a more user-based level, and was able to to explain “how” and “why” to non-technical people, equipping them with not just the skills but the confidence in themselves to try on their own. This is my biggest win. And I’ll keep doing that as I learn more, because everyone needs to know. We own our own security.
The recent ransomware attacks on Canadian universities prompted the call to me, because I had spoken with the Ottawa Citizen about a ransomware attack on Carleton about a month ago. Credit where credit is due: the information I share comes via others in our security community who really are the experts on malware, ransomware, threat intel, securing systems etc. I learn from them, then try to make the awareness and understanding happen for a broader base. Imagine that we, the security folks, are the tip of the iceberg. We know and understand a lot. But everyone knows the mass of the icerberg is submerged. Like 95% of it. To me, those are the end users. The non-technical folks who trust in the products and services they buy. And who need us, more than ever. My theory is that if we can help those people do one or two basic security things better, then we may flip this table in our favour. Like a numbers game. You know the adage “Teach a man to fish, and he’ll eat for the rest of his life”. When I explain things to friends and neighbours, they want to learn. They’re scared, intimidated, but they want to protect themselves, their families, their homes. We can make that happen.
There is lots of FUD – fear, uncertainty, doom – being peddled. And the ubiquitous images of hackers hunched over keyboards in black hoodies. Clarification: hackers aren’t all bad guys. There are way more good guys, striving to learn things nobody else can, to improve things nobody else will. My hoodies are purple and red, and hunching is bad for my back. I’m not a “1337” or elite hacker – I’m still shiny new to this realm by many standards. But I’m learning the skills to understand how to protect based on how to attack. Break. Fix. Break again. We’re hackers – that’s what we do. And you need us to do this. How else are you going to know where your weak spots are? Really, your best offence will be a solid defence because attackers go after the low-hanging fruit. They move on if there is anything in the way. That’s where teaching basic security at a level everyone can do comes in. And I know we will have to keep trying – this isn’t going to be easy. People are resistant to change, hesitant to learn new things. But if you are persistent, it will happen.
Tameer was a great host, and I really enjoyed talking about security with him. One thing asked was if there were places for people to go and get a basic understanding of security. I said he could start here with my site. I am trying to make it a resource, a one-stop or a first-stop, for people at all levels. I’ll make sure I regularly feature security for beginners in this blog area as well as a resource page. Since we need to learn to walk before we run, what are the basics? Here’s my quick list:
1. Passwords. Do this right. It really is your first line of defense and a deterrent to the attackers. They will move on. There are rules, and passwords only work if you follow these rules: do not share your password; do not use the same password across multiple accounts; when you buy something, change the default password it comes with. And if you feel overwhelmed by trying to manage all your passwords, consider using a password manager like LastPass. I’m not endorsing anything but just giving you a starting point. Jessy Irwin, @jessysaurusrex on Twitter is a fantastic and funny resource on security for us all. Follow her.
2. Wifi. If you like using free wifi, or wifi hotspots, please do not believe those are safe. You need to surf protected, with a shield around you. This shield is called a VPN. A Virtual Private Network. You can get some for free that will buy you a few hours of security at a time or you can spend about $5 a month and get something really good. Why do you need it? When you go online, your IP address is visible to anyone. They can track you, mislead you, and attack you. A VPN switches your IP address which throws an attacker off your scent. You can go online without them knowing where exactly or who exactly you are. I use PIA Private Internet Access for my VPN if that helps. And I use this on my cell phone. Easy to set up. No more excuses ok?
3. AntiVirus. It isn’t a silver bullet but it will catch things and help protect you. There are loads of free versions. At the bare minimum, you can use the one that comes with Windows. And i use it on all my devices. Avast is good. ESET. And if you want to spend more for extra protections, go ahead. Monitor all the connections. 
4. Think before you click. Everyone has heard about phishing and ransomware. Yes. People send you stuff with attachments or links. You click it and “boom”! But even the smartest people can be fooled. You can test that link before you click it to make sure it really is legit. You can enter the url or link info here: http://scanurl.net/. As for that attachment, you can use you AV to scan it first. This article by Lifewire has lots more info to help.
5. Backups. Set yourself up with backups. And multiple ones. Keep one off your network because your network gets contaminated. And when you get hit by ransomware, or malware, you have something to restore from. All your files are not lost forever. You won’t be held in some attacker’s grip.
6. Encryption. That sounds pretty technical for some. But the fact is, if you are using any mobile device, you need to encrypt the hard drive, or set up a passcode to lock the screen. Do you have any idea how many breaches have been caused by laptops stolen from cars or desks that were not encrypted? Windows will walk you through encrypting your own hard drive. And at the very least, secure your lock screen on your phone or tablet. Those SMS messages we love to send? Texting. That is out in the wide open for everyone to access. You can use a secure encrypted messaging system that is just as easy and free. Signal. WhatsApp. Wire. Download. Set up your username and password. Done. No more prying eyes.
The interview with Tameer airs on January 23 on The Scope, Ryerson’s radio station. Thanks so much for the opportunity to share what I know. Stay safe!
Red teams, Blue teams. Attackers vs Defenders. But what happens when you combine the best of both? Purple teaming!
CyberWatch 