Karl Kispert, Managing Director @ MGO Technology Group, LLC
Ascent Conference 2019
[00:00:04] 14. Every 14 seconds, a new ransomware attack is launched 77 percent. Seventy seven percent of the companies do not have an incident response plan to take care of those ransomware attacks.
[00:00:24] 43 percent of attackers focus on small business. And this is the scary one, 60 percent of small business who suffer a cyber attack go out of business in six months. To.
[00:00:43] I have two beautiful children, I wanted to end on a very positive note. My name is Karl Kispert, I run MGO Technology Group, we’re here in New York City and we’re a global company. Thank you for coming this morning to this presentation. I have 900 seconds to tell you everything I know about cyber security and awareness. When I told my wife that, she said that’s not a problem. You really don’t know much. Again, 28 years of marital bliss. What I’d like to highlight to all of you is why we think of cybersecurity, why is it important to us, regardless of where you are in the stage of your company, whether you’re an entrepreneur in a garage, you’re looking for funding, you’re perhaps getting ready to go public or your well-established company. We all have to think about cybersecurity. And there’s three aspects of cybersecurity that we really want to focus on. We call it the security triad, confidentiality, integrity and availability, the information that you’re using every day, perhaps intellectual property, if you’re in the cannabis space, perhaps brain development if you’re in marketing, it could be marketing plans or a new technology that you’re going to adapt. The information you deal with on a daily basis has to remain confidential integrity. The data that you work with, the numbers that you deal with every day have to remain secure to you. I’ll give you a real quick story, because I only have nine hundred seconds. We were asked a few years ago to hack a pharmaceutical company that just implemented an H.R. module of SAP. When you ask a group of hackers to do that, it’s quite a challenge. We found the server. They asked us to go in. We went in. They said, what can you do? We found a file that said bonus fifteen thousand nine hundred seventy employees. We took that simple Excel file and we moved the decimal point one place to the right. So instead of a beginning, a five thousand dollar bonus, she now received a fifty thousand dollar bonus. Congratulations for your hard work. We backed out of it. And when we told the CIO, the chief information security officer and the chief audit executive, what happened, it was sort of the mike drop moment. I said if we altered one file, how do you trust the integrity of all your data? They didn’t know and they were perplexed. Availability. You want to make sure your data is available 24/7, 365. If there’s an outage or any type of natural disaster, you want to make sure you have availability to your data. So let’s talk about quickly, how does the data breach occur? Fishing, if there’s no one if someone here doesn’t know what fishing is, you’ve been living under a rock or you’ve been spending too much time in your garage because it’s the number one attack vector and we see it in data and on the news. Fake news or not, we see it. And it’s the number one attack vector out there today. That is one way that a data breach occurs. The second is missing laptops. Years ago, I had a laptop stolen out of my car. People don’t steal laptops for the information that’s on there. They steal it to fence because they probably have a habit that they are looking for an easy turn around. The people who buy these laptops are usually the data brokers and they’re looking to take the information on that laptop and either sell it or hold someone for ransom. With that information, inadvertent disclosure. Accidents happen sometimes. All right. It happened to me. You you want to send an email with the confidential document and the sender sending it to Joanne Smith. You send it to Joanne something. It was the next person on the email and you sent it out. And it’s gone forever. No matter how hard you try to get that back, that document is gone. That’s how a breach happens. And that’s inadvertent disclosure week passwords. We’re going to hold off on passwords for a minute because I have a slide that is probably going to be very interesting to you. Vendor access when you’re working, especially in a startup and you have a team of people supporting you, you really want to think about what access and what information you’re sharing with them, either hard copy or electronic. You’re sharing things for your email, Dropbox, or they’re on your network. You have to be very careful on how much access you’re giving a vendor because the vendor, you don’t know if that vendor is using another vendor to help support that. And you want to. You want to be very careful, if you remember Target in 2013, they had a H.V. AC vendor on their network to send invoices to them in November, December twenty thirteen, a hacker got into Fazzio Mechanical, 18 people. They found a road that said Target. They got onto Target’s network and downloaded forty three million credit cards from their point of sale system and accosts Target two hundred ninety two million dollars to recover from that breach. So you have to be very careful about vendor access ransomware. Again, I hope you’re aware of ransomware. Ransomware is very prevalent in the news today, especially in hospitals and state and local government. Attackers are getting into unsecure networks, holding the owners for ransom until they give a certain amount of money. Once they do that, they get a decryption code and hopefully they get their data back. It’s not just focusing on public companies. It’s also happening with privately held companies and startups, mis configured networks. When you’re out there and you’re configuring your network for your startup or you’re an existing company, you really have to think about how you’re doing it, what areas are segmented, and especially your wireless network. You’ve heard over and over again how secure and unsecured wireless networks are. Take that to note. And it’s one of the easiest vectors that we can get into when we’re doing a penetration test for a client. You have to really understand how your network is configured. This is a slide I was telling you about last year. Five million passwords were collected and these are the top twenty five passwords that were in use. Now, look at those passwords and how easy those passwords are, how many people here have used or are using one of these passwords today, show of hands? Come on. OK, there’s one. Let me let me tell you how many people are using these in this room. I have 17 people who are using these passwords. That’s bullshit, that’s fake news. I’m not doing anything like that. Don’t don’t get scared people. But these are seriously very easy passwords to break. If I was doing a penetration test and I was at your company and I retrieved your password file, it would take me 20 milliseconds to break the word password. Now, here’s a simple trick, take the word password, change the little P to a capital P, change the O to a zero, put one symbol, it will take three point five weeks to break that password. That’s why we talk about alphanumeric symbol passwords, please use them. This is a little cartoon that I like to use. You have data security in one corner and then you have firewalls, encryption, antivirus, you have everything and then you have poor Dave in the corner. We all heard about what a firewall is. Everyone in this room is what I call a human firewall. You have to take you are the weakest link. You have to really be aware of what you’re doing, what emails you’re looking at. Are there potential viruses attached to emails or enclosures? Are you doing the right thing? Are you giving vendors the right access? We are the weakest link and we have to really be aware. That’s why I’m here for 900 seconds. Security tips, things that you can do today, security awareness. Just by sitting in here today, you’re raising your level of awareness. It’s something that’s vital. It’s not training. Security training and security awareness are two different things. Training is teaching a body of knowledge to an individual. Awareness is changing the culture as you’re building your culture or your company or your building or you’re expanding your current company, be it part of the culture. Back up your data daily ransomware. If I go in and I hold your company for ransom, the easiest way to recover is to go to your backup. You have to have backup, you have to have secure backup and you have to have reliable backup. Pat software, immediately we get these on Microsoft, we get these on our iPhones, we really want to when it says update the operating system, do so because you’re you’re fixing a security vulnerability in your operating system, limit the number of people who use or who can install software. A lot of people install software in the company to make the job easier. A lot of that software, 60 percent, is written in open code, open source code, and oftentimes there are vulnerabilities in there. So please be careful, use a reputable antivirus. This even goes for your home. Or if you’re buying your kids a laptop, don’t go with the free 30 dollar version of antivirus. Get the seventy five dollar enterprise license. It’s going to give you a lot more protection. Monitor your network 24 hours a day, seven days a week. You have to understand who’s on your network and what they’re doing, who has access to what. Don’t share passwords. Your really strong passwords don’t share information with those who really don’t have a need to know. And then use two factor authentication. We talk about password not big enough, I would say most of us use the mobile banking app where we’re using our fingerprint as one factor authentication and we have a log on as another. That’s an example of two factor authentication. Unfortunately, I’m running out of time because my 900 seconds are have expired, but I do want to let you know that MGO, wherein the sponsor area, MGO Technology Group and an NGO is an accounting firm. If you’re looking for accounting services, audit, tax valuation, taking your company public, we can help you with all of that. My time is up and I thank you for yours.