For this edition of The Means Report and the three Means Reports that follow, we are going to do a series on what cyber really means. Today looking at cyber breaches and hacking, we report on this all the time on NewsChannel 6. We’ll find out what kind of efforts are going on to thwart the bad guys as they try to hack into our systems, and the practice of cyber security right here at home. Where are we headed? What are we doing right now to protect our nation and the world? You know, a lot of people do see Augusta, Georgia as the world headquarters when it comes to cyber, and so, we thought it appropriate to bring in a couple of folks from the Georgia Cyber Center at Augusta University to help break things down.
Brad Means: Sarah Rees is the director of Cyber Workforce Academy. The Cyber Workforce Academy, doing a lot of great work at AU. Sarah, thank you for being with us today.
Sarah Rees: Thank you, Brad.
Brad Means: You’re welcome, we appreciate you. Nicole Cliff is the cybersecurity program manager there at the center of AU. Y’all been busy lately, right.
Sarah Rees: Oh, absolutely.
Nicole Cliff: We have.
Brad Means: Yeah, it’s been nonstop.
Nicole Cliff: Extremely busy.
Brad Means: My first question is really generic: what is cyber? We hear it, you think cyber is the internet, cyber is computers, cyber is those fancy new buildings downtown. What do you think of when you hear that word cyber?
Sarah Rees: You’re right, Brad, there’s a lot of using cyber as a buzzword. It’s funny, because we have smartphones, not cyber phones, right.
Brad Means: Right.
Sarah Rees: And cyber is, a lot of people think cyber is just the internet, but it’s a lot more than that. If we look at the word cyber, I like that word. It was used a lot as slang in the 1990s. If you remember, around that time when the .com boom happened, you had cyberpunk and cybersex, and all these cyber slang terms, and most of them went away. But one thing, if you remember the Terminator movie, Cyberdyne Systems, that was the name of the company that made these high-tech, military-grade machine weapons, and cyber warfare was something that stuck around. So, that was a piece of that slang terminology that just carried into what we see today as cyber. But back to what cyber means, what that really means, it’s a combination of the people, processes and technology that we see and use in our daily lives, right. We’re all digitally connected. And it’s easy to understand, I think, if you put it in the context of cybersecurity, because we hear that a lot. So, if you imagine your phone, it’s a piece of technology, right. And the app that you use to go to Starbucks and order your coffee, that’s a piece of technology. But when you put a password on your app, or your Starbucks Wallet, of 123456789, you know that allows hackers to then steal all your Starbucks money, well, that’s a piece of you, that’s people, and that’s how people are involved in cybersecurity and a part of it. By the way, that’s actually the most common password for 2018.
Brad Means: You’re kidding.
Sarah Rees: No, so I hope that’s not your password. If it is, change it.
Brad Means: It’s not. But it is pretty basic. But you’re right, people are always trying to find out those passwords, trying to hack into things. And we see it all the time on the news, cyber attacks, big and small. Is it as bad as it seems, people attacking our cyber systems? Does the media blow it out of proportion? It feels like it happens 24/7.
Nicole Cliff: Well, that’s a great question. And yes, it does happen as often as described in the news, and you know, people shouldn’t take the worrying effect. They have to be educated.
Brad Means: Yeah.
Nicole Cliff: Education goes a long way, and knowledge is power. So, if you look at it as, I always try to teach my kids, and we have this family thing in our home that when we go get gas or we go to a grocery store, we always pull on the point of sales terminal. Why? Because I have educated my family on the threat of the point of sales terminals being installed by the bad guys that collect all your credit card information.
Brad Means: So you pull on it to see if it comes off, to see if it’s been, you know, a secondary scanner’s been installed by a bad guy?
Nicole Cliff: Absolutely, they have these systems that actually sit, it’s an overlay, and it sits on top of the normal point of sales system, and if you’re at a gas station or a grocery store, you can actually pull on it and it will come off.
Brad Means: Has that ever happened to either one of y’all? You found a fake one, you found one that’s meant to steal your data?
Nicole Cliff: You know, no, but–
Brad Means: I do that too, by the way, I do the same thing.
Sarah Rees: Yeah, I’ll tell you that we just had a conversation with the GBI folks that work in our building, and the other day, they said, you know what, we found a credit card skimmer. It was a gas station up in Evans.
Brad Means: Yeah, skimmer, that’s it.
Sarah Rees: Yeah, and I was like, tell me which gas station.
Brad Means: Lemme ask you guys, are some systems that we have in our homes, whether it’s Microsoft that we use, or whether we use Apple products, that are less susceptible to hacking or to cyber attacks? You hear, and I hope it’s a myth, that Apple’s stuff doesn’t get viruses. Any feelings either way on that from y’all?
Sarah Rees: I’ll tell you, I hate that myth about Apple doesn’t get viruses, because it’s not true. That myth came about because, you know, in the beginning, there was a lot more PC than Apple, so for a criminal to, you know, go after a very small market, it didn’t make sense, right. So, they were going after PCs because there was just much more saturation. But obviously, we’ve seen that, you know, Apple has had a huge increase in its market share, and people are using Apple. It’s very, very popular, so there’s also been a huge uptick every year with, you know, Apple vulnerabilities. So, I wouldn’t say that there is a particular, you know, brand or type of device or software that you should stay away from or that you should go to. What I would say is a lot of it is research, understanding what that software or hardware does, understanding the vulnerabilities that are out there. And I’ll tell you, like, when you think about smart home devices, one thing you need to consider, is the company that makes that device actively looking for vulnerabilities and then releasing updates and patches to make sure they get fixed, right. ‘Cause Microsoft and Apple are doing that.
Brad Means: And you should accept those every time they’re offered, you should say–
Sarah Rees: Oh, absolutely.
Brad Means: Download or accept this?
Sarah Rees: Yes, sometimes those updates are for, you know, user experience or different applications, but oftentimes, you know, security patches are a part of that, so you wanna make sure that you’re always updated.
Brad Means: What does it take to commit a cyber crime? I wanna talk about large companies and how they’re hit. But first of all, does it take a genius? Our children are learning coding in schools. What sort of skillset do you need to be able to do some damage?
Nicole Cliff: So, that’s a very interesting question. There are different categories of attackers, and just to give you a rudimentary introduction to all of them, there’s a script kiddie, which is a very amateur hacker, and this person doesn’t have a lot of in-depth knowledge, but they have access to a set of tools that allows them to basically point and click to a specific target and wage an attack that way. These guys are mostly motivated by curiosity, or they want some sort of notoriety with their friends. Where we’re getting hurt the most in today’s industry and world and where big businesses are hurting is cyber criminals. In the world alone last year, it cost us over 600 billion dollars. And these cyber criminals are motivated for financial reasons. It’s a money-making business for them.
Brad Means: Yeah, mostly it’s stealing other people’s money, their data and then their money, right.
Nicole Cliff: Stealing it, the consumer information, sensitive information, stealing intellectual property from businesses is just one aspect of it. Another category that you don’t see a lot of in the news are hacktivists. Hacktivists are typically motivated by some sort of political ideology, religious belief, perhaps, and website defacement would be an example of a tactic they use. And possibly where our next war may be waged is in the cyber warfare domain. You have nation state attackers, and this group of attackers basically are what we like to call threat actors, work on behalf of an adversarial government, either directly or indirectly.
Brad Means: You’re talking about people that we would find all over the world working right now to try to do bad things to us and to our systems.
Nicole Cliff: Yes.
Sarah Rees: Yes.
Brad Means: These toolkits that these hackers have, no matter what level they are, I would think are constantly changing, much like the updates that you mentioned that Microsoft or Apple send us, we should always accept those updates. How do you keep up with the toolkits that they have, ’cause they’re constantly changing too, right.
Sarah Rees: Yeah, and you know Brad, like Nicole said, you have all these different groups and they do have different skill levels, right. So, your lower skill levels, they use those tools. Your higher skilled individuals, they’re the ones actually making new tools. So, if you’re talking about a nation state group that has a really keen interest on getting into some government system or stealing some intellectual property, they have very highly skilled technical expertise, and they’re developing new tools and techniques and ways to do that, right. When we look at those toolkits, they are always evolving, but they’re out there to be, I mean, a lot of them you can download for free, but they’re out there to be used not just by the bad guys, but the good guys. You see penetration testers using them, you’re gonna pay me and I’m gonna try to break in, and I’m gonna have to use the same tools that the bad guys used, so that I can understand, you know, if those tools are effective against you. But I would say that, you know, the reason that it’s very difficult is because the criminals and the bad guys, unfortunately, they’re actually very friendly with each other. They share tools. Believe it or not, there is a marketplace on the dark web where, you know, they have ratings. You can say, you know, how great this guy’s tool was, or oh, his tool was terrible. They rate each other, they sell these tools, you can outsource hacking. It’s crazy.
Nicole Cliff: An interesting fun fact, in regard to what she just said, they actually have malware that you can buy on the dark net, and it has full 24/7 product support.
Brad Means: Malware does?
Sarah Rees: Yes.
Nicole Cliff: Malware.
Brad Means: Are they constantly one step ahead of us cyber defenders, where we just react to whatever they throw at us? Surely there are many cases where we just block them from the outset, right. It sounds like they’re always a step ahead.
Nicole Cliff: Well, it sometimes feels that way. In the case of Equifax, to bring, you wanted to talk about–
Brad Means: Talk about the bigger companies, yeah.
Nicole Cliff: Companies that have been affected by this sort of breach. And I think Equifax is just an awesome story to read and study from a cybersecurity perspective. So, there was a vulnerability in their Apache Struts web servers, so that particular software had a vulnerability, and it was communicated to the world, there’s this vulnerability, you need to install your patches. Well, Equifax does that for most of their servers. They missed one. And so, when we’re talking about security, we can’t have this approach that well, we got most of it, we got most of our servers. It was that one server that was a customer-facing web portal that they missed, and a lot of what we talk about too is the fact that you have to know what you have in order to secure it, and asset inventory is very important. So, obviously they didn’t know they had this web server, it had the vulnerability, and that’s how the bad guys got in.
Brad Means: We’re gonna continue to talk about all things cyber here on The Means Report as we launch our four part series on the subject, hoping to educate all of you about what cyber means, how it impacts each and every one of us, large companies, people in their homes and what we can do about the bad guys that continue to try to get into our systems as The Means Report continues.
Brad Means: Welcome back to The Means Report. We appreciate you staying with us as we continue to talk about cyber with Sarah Rees and Nicole Cliff, both with the Georgia Cyber Center at Augusta University. Sarah and Nicole, as we went to break, we were talking about the onslaught of threats that exist in our world, people constantly trying to hack into computer systems and impact everybody. So, I take from that that no protection is too expensive for people at home or for companies, is it? We should spend whatever it takes to protect ourselves, right.
Sarah Rees: You know, Brad, I think a lot of people have that idea that it takes money for good protection, and I would say it does take money in some cases. There are some financial requirements when we talk about protections, ’cause technology isn’t free, these products, to protect yourself, I mean, your home antivirus, you have to pay for that, right. And it costs money to employ skilled people to protect your organization. But it’s not just about money, it’s really a much more complex problem. So, I said earlier that cyber really was people, processes and technology, so you can spend money on technology and you can spend money on maybe skilled people, but some places where money can’t do a lot is, like, your processes, for example. When Nicole mentioned Equifax, you know, they had processes in place for making sure that they had all those updates applied. Those obviously didn’t work. And when you look at people, you know, you can employ highly-skilled cybersecurity experts, but people are a soft target, and attackers go after people, we are really the weakest link, unfortunately. And they use certain things against us, certain tendencies and behaviors. So, when you look at that old, you know, phishing thing, everyone’s heard about phishing. Don’t click on links, don’t download things, it’s a bad idea. Well, 92% of malware is still delivered through emails, and I check my email several times a day, we all do.
Brad Means: If you open it, does the virus get to you, or if you click on something in it, typically?
Sarah Rees: So, it really depends on the type of email and the type of threat we’re dealing with. Some emails come with links in them, and so, by clicking links, or clicking buttons, or doing things of that nature, that’s how you’re gonna be exposed. Other emails use attachments, and those are really nasty because they usually involve embedded malware, so you don’t see what’s happening. You get this document and it’s a Word document. We all use Microsoft Word all the time. And that Word document, once you open it, it looks normal, it looks like a Word document. But what you don’t see is that embedded malicious software running on your computer.
Brad Means: What’s embedded malware, what is that?
Sarah Rees: It just means that that code is not visible to you, and whatever it’s doing is behind the scenes, so it might be installing, you know, a back door into your system to let a hacker in, it might be installing a key logger that, you know, records your keystrokes and captures your passwords and sends that out. So, that’s really what happens, and that’s frequent. And I used Microsoft Office as an example because we all use that so heavily, and going back to hackers know what works, and they know that we use Microsoft a lot. So actually, about 40% of all the malicious attachments out there, you know, that include malware, are Microsoft Office documents.
Brad Means: Listen, very quickly, let’s say I’m an individual or a small business watching this program and I say all I can afford is the Norton Antivirus, and hopefully that’ll protect me. Is that wise, or must I bring in a firm, even a small firm to come inspect my computer and make sure I’m safe? I wanna do enough, but I don’t have the money. Either one of y’all, yeah.
Nicole Cliff: So, I would say that that’s certainly a step in the right direction, but depending on the nature of the small business, I think it’s always a good idea to bring someone on the outside, someone who specializes in security to just ask for an assessment. And that’s one of the things that we, as the Georgia Cyber Center, want to pursue as we develop our presence in and around the CSRA, is we wanna be a help to small business to, you know, come in and do a cybersecurity assessment. So, we have a checklist of things that we would look for, and just be a tool and a resource for the community in that regard.
Brad Means: Let me ask you this about safety concerns when it comes to hackers and cyber attacks, and just your general assessment, either one of you, how safe are our vital entities, our power grids here in Augusta, for holding our medical community? How safe do you think we are when it comes to attack vulnerability?
Nicole Cliff: So, I think we’re definitely safer today than we were yesterday, but we’re nowhere near where we should be. We have a long way to go, and we can approach security as this snapshot in time. You know, we measure our security posture by a picture we took at a particular time. We have to continually go back and monitor and evaluate the mitigation techniques and controls that we have in place. That takes a team of people, as we integrate new technologies and we have different people that we bring into our workforce. Those people have to be trained, we have to continue along the awareness track, so no, we’re nowhere near where we should be, and we have to continuously go back. And you talked about the power grid. We have so many threats here in the CSRA, and Sarah, do you wanna speak to those?
Brad Means: Now I would imagine. SRS too, I didn’t mention that. Somebody told me right now, a political science student at AU, I believe, that if the Chinese wanted to turn off our power grid right now, they could. You know, that the skill level, the technology for them to do that to us is there already.
Sarah Rees: You know, and that’s been a reality for years, it really has been, and it’s not just for us. There’s plenty of other countries in the world that that’s a reality for. I mean, you remember, perhaps, Russia taking down Ukraine’s power grid. I mean, that could happen here, right. So, it is something that we need to be concerned about. And you’re right, we have nuclear facilities, we have a large medical district, we have dams, we have power, we have an airport. All of these are pieces of critical infrastructure, and so that’s something that the Department of Homeland Security says these pieces of critical infrastructure, they are necessary for our safety, wellbeing and prosperity as a society. So, we do have to make sure that we’re staying on top of cybersecurity and working that. And the Georgia Cyber Center, you know, it’s a state mission, and part of what we’ve done there is different than what’s been done anywhere else in the country. We have academias, we have, you know, college and university researchers and students, we have government entities, and we have private industries all under one roof.
Brad Means: Yeah, and that’s already happening right as we speak.
Sarah Rees: Absolutely. Everything is cranked up down there. Absolutely. And the idea is, you know, if you talk about the critical infrastructure, you know, I think a lot of people would say, well, shouldn’t the government be helping protect that? They don’t own it, private companies do, and that’s why you need that collaboration between all of those entities in order to fully realize the solution for a lot of these complex problems.
Brad Means: What cyber threat concerns, either one of you can answer this, please, the most and I don’t wanna just make people walk away from this program afraid, but there are areas we should be concerned about. Which one concerns you the most?
Sarah Rees: I wouldn’t say there’s one thing that concerns me the most. What concerns me is the speed at which things are evolving in cyber. It’s very, very hard to keep up with, right. You mentioned earlier, the attackers, you know, are they always one step ahead of us? You know, unfortunately, a lot of times they are a step ahead of us, and so that’s very, very scary to me. Last year, there were twice as many known vulnerabilities as there were in 2016. I said known vulnerabilities. That doesn’t account for the vulnerabilities we don’t know about that could be used against us. So, for me, those are the kind of things that I think are important to pay attention to. But, you know, again, it goes back to what Nicole was saying with, you know, education, being aware of the vulnerabilities that are out there, and knowing that, if I use this particular product or this software, what are the vulnerabilities? Am I making sure that I’m protected, you know, by updating my software, by putting whatever other controls are available to me in place?
Nicole Cliff: And do you mind if I use a good football analogy?
Brad Means: No, please do, we love football on The Means Report.
Nicole Cliff: Yes, so, I think about the Championship game with Alabama and Clemson.
Brad Means: Easy. Go on, you’re wearing Clemson-ish colors, so my hopes are high.
Nicole Cliff: No, no, no. I won’t tell you what colors these actually are, but you might really be offended if I told you that. But at halftime, Nick Saban was interviewed and he was asked the question, coach, “what do you think’s going on? Why are you down?” And he said, he answered with this statement, he said, “they’re not really doing anything new against us.” He said, “they’re running plays that our opponents have ran against us.”
Brad Means: Correct.
Nicole Cliff: And that’s exactly what’s happening in the cyberspace domain. The attackers aren’t really using anything new because they’re studying, they’ve done their research, they’ve done their homework, they see that phishing attacks, as Sarah mentioned, are still working. Why should I develop a new tactic when this one is still effective? And, you know, that’s exactly what happened in the game, as Coach Swinney said, “hey, I don’t need to dream up all these new plays to put in my playbook when I can just look at what the opponents did and use those same plays and they were obviously effective.”
Brad Means: Listen, Nicole and Sarah, you all have provided a wealth of information. You invoked the name of Nick Saban, so you’re one of my favorite guests of all time. And I appreciate your expertise very much. A lot more where that came from. If you’d like to continue to learn more about cyber, we encourage you to email the folks at AU at the address you see on your screen. Don’t forget to watch part two as we continue our exploration into all things cyber on The Means Report.