The podcast for project managers by project managers. In this episode we’re talking with Dr. Don Hunt, an expert in cybercrime and cyber security, to get advice on how to implement effective cyber security measures.
Table of Contents
01:02 … Meet Don
02:35 … Cyber Security, Cyberattacks and Cybercrime
04:31 … At-Risk Systems for Project Managers
06:51 … File Sharing
10:14 … Dropbox
11:59 … A Weak Link – Coke Story
14:25 … Virtual Private Network
16:50 … Two-Factor Authentication
20:00 … Password Policies
22:36 … Password Manager
24:29 … Creating a Cyber Security Culture of Awareness
27:53 … Phishing in Cybercrime
31:17 … Ransomware
35:25 … Cybercrime Recovery
36:49 … Future of Cybercrime
40:21 … Personal Cyber Security Actions
42:29 … Get More Info
44:11 … Closing
DON HUNT: Every time you touch that Internet, every time you click that button, you’re vulnerable.
NICK WALKER: Welcome to Manage This, the podcast by project managers for project managers. This is our time to meet and get to the heart of what’s important to you as a professional project manager. We talk to the people who don’t just observe what is happening, but actually make things happen; people who have been right there in the thick of projects great and small and are willing to share what they’ve learned with us.
I’m your host, Nick Walker, and with me is the one who makes this podcast happen, Bill Yates. And Bill, today we’re going to talk with someone involved in something that has either already affected many of us, or perhaps eventually will.
BILL YATES: Cyber security is in the news for all the wrong reasons.
NICK WALKER: Yes.
BILL YATES: Just about every day. And I’m thrilled to have Don here to help give us some advice.
Meet Don
NICK WALKER: Well, let’s meet our guest. Dr. Don Hunt is a postdoctoral research fellow in the Department of Criminal Justice and Criminology at Georgia State University. A former global head of fraud and cybercrime analytics for one of the largest digital payments processors in the world, Dr. Hunt directs his primary research toward understanding, preventing, and offering policy solutions for computer-based crime. He focuses on phishing, social engineering, and ransomware attacks.
Dr. Hunt is an integral part of the newly formed Evidence-Based Cyber Security initiative at Georgia State. As a doctoral student, he was awarded the Bureau of Justice Statistics Graduate Fellowship in 2015, which came with a $95,000 grant for his research in crime and digital payments. In addition to his work in the U.S., he regularly performs research with colleagues in the U.K., the Netherlands, Israel, and Italy. Don, thank you so much for joining us here on Manage This.
DON HUNT: Thanks. It’s good to be here.
NICK WALKER: Okay. We probably all know of businesses or individuals who have been the victims of cyber attackers. They try to gain access to or destroy sensitive information, extort money, or interrupt normal business processes. And just when it seems we’ve got a handle on it, the hackers become more innovative. That’s got to be frustrating, particularly for folks like you.
DON HUNT: It’s completely frustrating. It’s the entire focus of what I do.
NICK WALKER: Just trying to stay ahead of them.
DON HUNT: Just trying to stay ahead of them, or just stay with them.
Cyber Security, Cyberattacks and Cybercrime
NICK WALKER: So when we talk about cyberattacks, what kinds of attacks are we talking about?
DON HUNT: Oh, gosh. There are so many ways. And here is one of the problems with trying to prevent cyber: we really don’t even have a handle on the definition of it.
NICK WALKER: Wow.
DON HUNT: So if you look at the FBI – and they have a specific website that you can go to – over the years, probably the last 15 years, they’ve changed that definition of cybercrime at least three or four times. So the idea of what is cybercrime; what’s not cybercrime; does it work with computer-assisted or is it completely computerized; are people just using the Internet to commit a crime. For a good example we can take theft, someone who would steal something out of your mailbox.
For instance, somebody stole a check that you were expecting. That’s a normal kind of a crime; right? But if they steal your credit card, and then they use that credit card over the Internet, it becomes cybercrime. Then again, local law enforcement would say, “That’s just a theft that’s done over the Internet, so we should prosecute that locally, and we should investigate that locally.” The FBI, the Electronic Crimes Task Force, things like that would say, “Oh, that’s my jurisdiction. Let me do it.” And then, if it becomes boring, they kick it back to local. If it’s really exciting, local doesn’t want to give it away.
So it’s hard to actually say what is cybercrime; how do we prosecute it; how do we investigate it. And so just starting right there, already we have problems.
BILL YATES: And I know, from my standpoint, every project manager is concerned about cybercrime.
DON HUNT: Yes.
BILL YATES: You know, however the FBI or local authorities want to define it, it keeps us up at night, too, in some cases because we have very sensitive data, either within our company or with our vendors or with other organizations that we’re working with. And so we’re trying to figure out, okay, how do we secure it? How do we safely share it? And also I’m just excited to have you in to be able to talk with us to give us advice on that.
DON HUNT: Yeah, it’s exciting stuff. And it continually changes every day, so it’s a fun place to be right now.
At-Risk Systems for Project Managers
NICK WALKER: So when we’re talking about project management, so many different kinds of programs we use, or online. What are the most at-risk systems for project managers?
DON HUNT: So that’s a great question, and that gets to the heart of a lot of what we do. We’re finding that a lot of IT managers, information security managers, officers, these types of people, they’re not worried about how much they’ve spent on cybersecurity. Also, they’re not worried about whether they have the right product, there are a lot of good products out there. And you can spend a good bit of money, or you can spend a little bit of money, but they’re all very viable. So the problem is the most at-risk system, or the at-risk network, is the one that faces the public.
So, for instance, if I have a system where I need the public to interact, that becomes more at risk than a system that is what we call “air-gapped.” So it’s just all inclusive, I don’t need the Internet for it, I don’t need people to see it. A lot of databases are stored that way on networks. So you might have big companies that have two different networks, you might have a network where the customer is able to interact. Typical example is your online banking system, and then there’s other information that you don’t want the public to be able to get to. In fact, you don’t need for anyone to access that but your own internal people. So you’ll probably have another network along that line.
Now, those two networks could be stored on one server or multiple servers, and so how you map that depends on what your business needs are. But the general idea is the most at-risk system is the one where you can have people-facing, what we call “Internet-facing systems.” So you might have an administrator that needs the Internet, you might have a sales force that needs to communicate back and forth. Hey, I need this report written, or this report on a merchant, or the sales, or the marketing data or whatever, so you’ve got people grabbing data from an internal source and then sending it out. And that’s when it becomes a problem.
BILL YATES: So public-facing, that makes sense, yeah.
DON HUNT: Public-facing, with internal people who are dealing with the public.
BILL YATES: Yeah, yeah. Okay. So this is going to get wacky, Don, this is almost like a rapid-fire session, just all the random questions that I was thinking of when I thought, okay, we’re going to have Don Hunt in the room.
DON HUNT: Yeah, you’re talking to a former Marine, so bring it on.
BILL YATES: Okay.
DON HUNT: We shoot back.
File Sharing
BILL YATES: Good to know. All right. Good to know. So one of the things that I’m interested in your feedback on is file sharing. Just last week I was with a group of 30 project managers, and I was asking them, how do you guys share files? And, you know, as we talk about it, again, there’s file sharing within the organization, that’s fairly safe, sure, you can make mistakes, but that’s safe.
DON HUNT: Sure.
BILL YATES: Then we engage, or our project managers are engaging, vendors or contractors or outside the organization.
DON HUNT: Right.
BILL YATES: So sharing data there, file specs for the work they’re to do. Drawings. You know, so it can take on many forms – spreadsheets, large data files, databases, you name it. But then, many times, our PMs are managing customers, they have customer engagements where it’s a small customer or a large customer.
DON HUNT: Right.
BILL YATES: Local, global, you know, so just talk to me about what are some methods for safely sharing files?
DON HUNT: Great question, so unfortunately, there’s not a short answer to that.
BILL YATES: I was afraid of that, yeah.
DON HUNT: So the first thing you need to look at is what types of files you’re sending out, what type of security you need on those files, the sensitivity of those files, whether you’re sending private information or publicly known information. How much then do you care if that information gets skimmed as it’s moving? The easiest way to think about how you would do that is how many touchpoints it takes between getting the file from where it is to getting the file where you want it.
BILL YATES: Okay.
DON HUNT: And so everywhere there’s a touchpoint, there’s a vulnerability. All right? So you have – you want to go from Point A to Point E, it has to go from A to B, B to C, C to D, and D to E, right? Every gap in between there is a vulnerability. So you need to think about what type of data is going from A to E, who’s going to have access to it on the way, and then how is the system secured or configured for the security that way. Now, you’ll have FTP, which is File Transfer Protocol.
BILL YATES: Yeah, so is FTP the safest in terms of this?
DON HUNT: It’s certainly one of the safest.
BILL YATES: Okay. So FTP, I mean, that’s old school.
DON HUNT: It is old school.
BILL YATES: That was, you know, before Dropbox, before Google Drive, et cetera.
DON HUNT: Correct.
BILL YATES: FTP was kind of the way to go.
DON HUNT: Right.
BILL YATES: So it’s interesting to me in some projects that’s the way that people still need to do file transfers. Certainly an IT department for an external organization may say, no, that’s the only way we’re going to exchange with you is through FTP.
DON HUNT: Right.
BILL YATES: But then so what about the practical things, though? Like Dropbox, so what’s wrong with Dropbox?
DON HUNT: Nothing’s wrong with Dropbox, if you want everybody in the world to have access to your stuff.
BILL YATES: Okay, so there’s something, if I think about Google Drive, Dropbox on kind of the, okay, you’re really exposing – you need to know what risks you have because there are some there, versus FTP or maybe higher end.
DON HUNT: Yeah.
BILL YATES: You know, what does the poor project manager do? How do they pick the right tool?
DON HUNT: Ah, yeah. So the poor project manager has to think more than that.
BILL YATES: Yeah.
DON HUNT: They have to think about budget.
BILL YATES: Okay.
DON HUNT: A lot of people still use File Transfer Protocol, I’m just going to continue to say “FTP” if that’s all right.
BILL YATES: Sure, yeah.
DON HUNT: We use those types of things because it’s core, it’s cheap, it’s embedded in most systems.
BILL YATES: Right.
DON HUNT: Easy. You don’t have to pay extra money for it, and so we use it, and in most cases it’s fine. So if you’ve got internal communications going on, and you’re transferring files department to department or division to division, that’s not necessarily an issue.
BILL YATES: Sure.
Dropbox
DON HUNT: You could certainly go to the cloud, and you could – there are many, many different sources to go to for the cloud right now. But that’s expensive, and you take away some of the risk involved in it. And we can talk a little bit more about what that involves, but you certainly are going to pay for that service. Dropbox is good, and Dropbox is generally secure, the problem with Dropbox is social engineering.
BILL YATES: What do you mean by that? So if I’m in Facebook, I can get to Dropbox, is that what you mean?
DON HUNT: You could, but it’s not what you would want to do. No, so I’m talking about things like we know that there happens to be a Dropbox out there. Pretend that I’m in your system, but I haven’t mapped it all out yet, but I’m watching your email, okay? And, you know, hey, just drop this into the Dropbox, so now I have an IP address for your Dropbox, right? And I have an email communication, so I can send you an email that’s going to look very official and say, “Hey, I can’t get into my Dropbox. What’s the dang password again?”
BILL YATES: Got it.
DON HUNT: What’s something on it, and you’re in, and so it’s not hard, anyone can access it. Dropbox.com, go to whatever file it is that, you know, the IP address or the file address, so there are several ways to get in. You have URLs and all those things. I can break it pretty easy.
BILL YATES: Okay. Got it.
DON HUNT: Which is, again, why things like Google Drive have come up, and OneDrive, and then you have a lot of universities and other kind of government issue.
BILL YATES: Are using OneDrive?
DON HUNT: They’re using OneDrive.
BILL YATES: Okay.
DON HUNT: And so a lot of manufacturers now, for instance Microsoft, you automatically, when you upload Windows 10, there’s access to OneDrive and those types of things.
BILL YATES: Gotcha. So there is a tradeoff there, there’s risk versus how much you want…
DON HUNT: Reward.
BILL YATES: Yeah, and how much you’re going to spend on it.
DON HUNT: Exactly.
A Weak Link – The Coke Story
BILL YATES: So for the PM we have to really look at the data, determine how sensitive it is, think about worst-case scenario. What if this gets out there? Is it a schematic? Is it the secret sauce for a company?
DON HUNT: Right.
BILL YATES: Is it the formula for Coke? Or is this something that’s, okay, so it’s our org chart, which they could get anyway, you know, those kind of things.
DON HUNT: Right. You know, it’s funny you bring that up, from what I understand, it’s made public knowledge now at this point. So several years ago the formula for Coke got out.
BILL YATES: Okay.
DON HUNT: And so it got out through – it’s my understanding it got out through an administrative assistant of a very high executive. And that person went to Pepsi and offered that for sale, Pepsi, of course, did the right thing, called Coke. Coke said, “All right. You’re fired.” But that’s a great example about how information on your private network can get gone.
BILL YATES: Yeah.
DON HUNT: And again, so I’m not worried about how much money did we spend on securing that data, right? Coca-Cola spent a ton of money on data protection, and they do a lot of things to keep data secure. So you can spend all the money on the software, you can spend all the money on the hardware, you can have the best information security people on the planet, right? But at some point, somebody has to have access to it.
BILL YATES: Right.
DON HUNT: Otherwise the data’s useless. Think about it; right? So just because you have all this information at one point, there’s a touchpoint that’s vulnerable. And it happened to be this administrative assistant, or whatever role that person played, right, that had access to the information and had, let’s say, less than spectacular morals.
BILL YATES: Out to make a buck.
DON HUNT: Exactly. But these are the things that the people on the Darknet and those on the Internet who would have nefarious goals or objectives are looking for. So it’s much easier to go after someone with a weak constitution, and I don’t mean “weak” as in morals, I can’t tell what your morals are. But I can certainly tell you’re just an end user, and you have no idea what I can do to you to get into your system, versus a trained professional IT security person who’s got the latest network stuff, who’s got the latest firewall, the latest OS shell, all of these things doing remarkably well to protect the data. But there’s one little person who can do that.
BILL YATES: Yeah, looking for that weak link.
DON HUNT: And it is. And that’s problematic because you can’t really predict for that.
BILL YATES: Right.
DON HUNT: You don’t know who has the propensity to do what.
BILL YATES: Yeah. One of the things…
DON HUNT: That’s right.
Virtual Private Network
BILL YATES: Don, so, you were mentioning something that I wanted to talk about, too, which is the VPN, or Virtual Private Network. You know, you talked about the network and letting people in and people also accessing something that maybe they shouldn’t be able to.
DON HUNT: Right.
BILL YATES: So one of the things that I’ve been accustomed to – I did work with utilities as a project manager for years.
DON HUNT: Right.
BILL YATES: And they were external clients for our company, so we’d have VPN, we’d have VPN tokens. You know, I had like a drawer that had all these VPN tokens in it for different clients and different software that we were using.
DON HUNT: Yeah, right.
BILL YATES: How important is VPN, and what advice would you share on that?
DON HUNT: VPN is almost critical to most businesses these days.
BILL YATES: Okay.
DON HUNT: As we move further and further into a remote workforce, VPN is going to be even more critical, and you have to understand that VPN just stands for Virtual Private Network, like you spoke about. But there are ways of doing that, it’s not just one product, there’s a lot of different products.
BILL YATES: Yeah.
DON HUNT: There’s end-to-end encryption. There’s point-to-point encryption, which is kind of the same, so we won’t get into the details; right?
BILL YATES: Are we basically saying this is – just trying to think of an analogy with this. Is it almost like, when I’m getting on a flight, I go through TSA.
DON HUNT: Right.
BILL YATES: And TSA wants to check my credentials, check my boarding pass and make sure I am who – I’m legit, so I can go past this gate.
DON HUNT: Right.
BILL YATES: So we’re doing that with our – could be with our own company, with our own team members that work remotely.
DON HUNT: Right.
BILL YATES: You know, so I go home at night, I can VPN into the company assets to be able to get to the things I need to.
DON HUNT: Right.
BILL YATES: Gotcha.
DON HUNT: And so that was actually the beginning, years ago, it was actually the beginning of two-factor authentication. Really and truly it was two-step authorization rather than – there’s a slight difference in the two.
BILL YATES: Right.
DON HUNT: And I want to be clear for the people who are listening.
BILL YATES: Yeah, but that VPN token had a number that you had to type in.
DON HUNT: A token had a number that was usually revolving, and then you had to have a password to get to the VPN system. Then you had to have that password again on there, and that would allow you access to whatever you had access to if you were in the office itself.
BILL YATES: Gotcha. Right. Right.
DON HUNT: So it doesn’t give you any more or less access, it’s just the ability to work remotely and securely.
BILL YATES: So is it – I’m going to put you on the spot a little bit. As a project manager, if our company policy is we should be using VPN when we’re remote, whether we’re at home or we’re at the other, you know, the client site or whatever…
DON HUNT: Okay.
BILL YATES: …by golly, we ought to do that. Is that, you know, the PM should basically enforce that with his team? Do you agree?
DON HUNT: Sure, sure.
BILL YATES: Okay. Yeah, just good security protocol.
DON HUNT: Yeah.
Two-Factor Authentication
BILL YATES: Okay, good. All right, so you mentioned something else, explain to us two-factor authentication, and is it the savior? What can it do for us, and what are the weaknesses there? Because Nick and I are thinking, two-factor authentication, let’s just put that on everything, we’ll be fine.
NICK WALKER: Yeah, yeah. Why not?
BILL YATES: Why not?
NICK WALKER: Yeah.
DON HUNT: Sure. Wide open again to all kinds of problems.
BILL YATES: Okay.
NICK WALKER: Well, what is it, first of all, for people who…
BILL YATES: Yeah.
DON HUNT: Okay, so two-factor authentication is the type of thing where you need two different types of information to actually access whatever it is, system you want or data you want and all the rest of that.
BILL YATES: So more than a password.
DON HUNT: Way more than a password. Okay, so it’s typically what you know, what you have, and who you are. So if you think of those three questions, two of those things are going to come into play. Think of it as two separate locks, rather than two different parts of one combination, now you have two locks. And typically it will be, a great example, when you go into your banking information.
BILL YATES: Yes.
DON HUNT: And you do it from, say, a computer that you’re not normally there.
BILL YATES: Right.
DON HUNT: Okay? That you use. It’s going to say, what’s your password? You may have that, then it may ask you security questions. Then it’s going to say, we’re going to send you a code on your iPhone or on your cell phone. And that code, you’re going to have to put that code into this system, however it looks, and then you can go from there. So that will let you in, that’s two-factor authentication.
You don’t have to use the phone, though, you could use a password and biometrics. So that’s the what you know and who you are. So your thumbprint, retina scans are huge now, right? But there’s all kinds of different ways to do it, the Surface Pros are coming out now where they have the internal camera. And when you first set it up when you’ve just bought it, that camera, you can tell it to take a picture of your face, and it will open up just by that.
BILL YATES: Okay.
NICK WALKER: And you’d think all that would be enough. It’s like, okay. Nobody else has got my cell phone, so nobody has access to this secret number.
DON HUNT: Right.
BILL YATES: And nobody has your face.
NICK WALKER: And nobody has – thankfully, yeah, but you’re saying that’s not quite enough to keep the real pros out?
DON HUNT: Oh, that’s dangerous, Nick. Not quite enough. Man, guys, you’re killing me with your ambiguous…
NICK WALKER: It’s not nearly enough.
DON HUNT: Here, Don, step on this landmine.
BILL YATES: Yeah, yeah, yeah. Well, like for instance I’ve heard that some carriers are – I could call a carrier and say, “Hey, man, I lost my phone, can you send me a SIM card?”
DON HUNT: We’re right back to social engineering.
BILL YATES: Yeah, yeah, yeah, yeah.
DON HUNT: Yeah. So the thing with dual authentication or duo authentication, two-step, whatever, is you have to do two things that scare the daylights out of me. One, you have to trust the person who’s doing it. So is there anybody in that company that isn’t just giving your information out, right? And then can I call that company and pretend I’m somebody? There are also some really scary people out there who do this really well, and they can trick people into just giving you that information. You know, look, so my cell phone’s not working, right? So there are people who are really – and that’s just the tip of the iceberg, there are ways to do this through email. Just you would shudder to know what people are doing out there.
Password Policies
BILL YATES: Nick, another thing that I feel like we have to ask Don while he’s in the room is about how to make the perfect password. So, password policies, what should we do?
NICK WALKER: That we can actually remember.
BILL YATES: Yeah, so well, there’s that, too, yeah. But for, again, thinking about the projects that we’re a part of, and our – man, oh, man, as a project manager I am entering so many different systems. I have IM. I have email. And I have my project software that I’m using. So I have – maybe I do have some way, some FTP or other means of sharing files with my customer. Then I have a separate means to share with my vendors. You know, I’ve got all these things, so I have all these passwords, just work-related, that I have to keep up with. What should I do? So what advice do you have for us regarding passwords?
DON HUNT: Okay. So you asked one question and gave an example of another question. Well done.
BILL YATES: Yeah. Pick one. Whichever one you want to take [crosstalk].
DON HUNT: No, we’ll tackle them both, so how do you make a strong password? And it’s not really that hard, a lot of times when you’re asked by your system administrators, you have to change your password, they’ll give you certain rules. It can’t be anything you’ve used in the last whatever, 90 days, three times, whatever. So it can’t be a common word, there have to be special characters, it has to be so many letters long, right? These are all things that are done because they know the algorithms out there that brute force your password.
And what I mean by brute force is there are computer systems out there you can buy on the Dark Web, it’ll just continue to try, over and over and over again, until it finds your password; okay? And it’s not like some magic box that happens. What really happens is it kind of knows in general what people use for their password. For instance, that special character is almost always an exclamation point.
BILL YATES: Oh, man.
DON HUNT: And it’s almost always at the end.
BILL YATES: Yeah.
DON HUNT: Right? When you have to have letters and numbers, most people put the year or the year they were born or the year their kids were born. And here’s the problem, so if I want to know that, I’ll just go to your Facebook page.
BILL YATES: Right.
DON HUNT: Right? “Happy Birthday to my grandson Timmy,” you know, “so he’s three years old today.” Great.
BILL YATES: There you go.
DON HUNT: It’s 2019, so he was born in 2016.
BILL YATES: Yeah.
DON HUNT: Right, so there’s half the password, it might even be the full password; right? So you want to pick things that make absolutely no sense.
BILL YATES: Okay. All right.
DON HUNT: And so a lot of times we will have – great example, again, your bank will ask for three security questions.
BILL YATES: Yes.
DON HUNT: Usually, I don’t mind telling you, they ask me what street I grew up on. Right? The answer is not the street I grew up on, I’ll use another password.
BILL YATES: Ah, clever.
DON HUNT: Right?
BILL YATES: How do you remember that?
Password Managers
DON HUNT: So I don’t have to, there are lots of services out there that you can put on your computer, you can put on your cell phone. They work at both. You can sync them, which I don’t recommend doing, but, and I’ll just use one that is very popular, but I’m certainly not endorsing, it’s called LastPass.
BILL YATES: Yeah, yeah, yeah. So these are password managers.
DON HUNT: These are password managers.
BILL YATES: What are some others? So LastPass, what are some others?
DON HUNT: Oh, gosh. I don’t even know. I haven’t been…
BILL YATES: But if you google “password manager”…
DON HUNT: Oh, god, yeah, you’ll…
BILL YATES: A ton of them will come up.
DON HUNT: A ton of them will come up, and so they’ll be rated, and all those good things.
BILL YATES: Yeah, sure. So tell us about a password manager.
DON HUNT: So it just tells you things like – it’ll ask you certain questions. You know, what vendor is this, what’s your password, or it’ll ask you for different – it’ll give you clues as to what it is; right? It’s encrypted, and so it’s never out in the clear.
BILL YATES: I use one, as well. So just go ahead and explain, you have a master or a strong – what are they called? The master password?
DON HUNT: Yeah.
BILL YATES: Okay, so like when I open a browser, I would initiate that handshake.
DON HUNT: Correct.
BILL YATES: And then I’m good for all those that I’ve entered.
DON HUNT: Right.
BILL YATES: So for my, you know, again, all the things a project manager uses during the day, they’re just going to open up…
DON HUNT: Until you delete your history.
BILL YATES: Yup, then you’ve got settings you control by…
DON HUNT: Yeah. Exactly.
BILL YATES: If I close my browser, I’ve got to log back in. If I reboot my machine, I’ve got to log back in.
DON HUNT: Exactly.
BILL YATES: So, okay. So you recommend a password manager is generally a good idea.
DON HUNT: They are.
BILL YATES: Okay, cool.
DON HUNT: They save people so much trouble.
NICK WALKER: Can they be used on more than one computer? So I’ve got a computer at home, I’ve got a computer at work.
DON HUNT: They sure can.
BILL YATES: Now then, you mentioned you would not recommend syncing it with your maybe tablet or smart phone.
DON HUNT: Right, right.
BILL YATES: Okay, talk about that.
DON HUNT: If your tablet gets stolen, tablets are easy to break, computers are easy to break, cell phones not so much.
BILL YATES: How about that, yeah.
DON HUNT: Right? But they’re easy to break into, and so once they’re in, you know, you’ve kind of got that. So I wouldn’t sync that information up.
Creating a Culture of Awareness
BILL YATES: You know, Don, so you’re hitting on something else that it’s always been interesting to me, and again, I’ve got an expert in the room, I’ve got to ask.
DON HUNT: Sure.
BILL YATES: Many companies, I have a number of friends and associates that they have two phones, because the company has an issued phone.
DON HUNT: Right.
BILL YATES: And it’s for security purposes.
DON HUNT: Correct.
BILL YATES: And so they can kill that phone if there’s some kind of breach. I know for a while tablets were the object of choice for thieves at the airport.
DON HUNT: Right.
BILL YATES: Because they were so easy to hack into.
DON HUNT: Right.
BILL YATES: So many times they could go straight into the financial data or financial systems of those companies.
DON HUNT: Right.
BILL YATES: As a project manager, I’m thinking of, you know, then again, policies and protocol they should have. For project managers, they may feel like, well, that’s really personal. So if somebody on my team has lost their phone or lost their tablet, or they think it’s been stolen, I don’t want to embarrass them. But there’s a bit of a liability here, right, it could be we’ve got the door wide open.
DON HUNT: Right.
BILL YATES: So I guess what we’re saying is the PM should encourage the team, as soon as you feel like there’s any kind of vulnerability, you’ve misplaced something, lost something, you’ve got to raise the alarm.
DON HUNT: Absolutely, and so it all goes back to kind of creating a culture of awareness.
BILL YATES: Okay.
DON HUNT: Within the business, so too many times companies will have, once a year, cybersecurity training, and it consists of a PowerPoint that you can watch on your own, whenever. And you can just speed through it a lot of times, not even paying attention to it, because you just want to get through it. And then you have some kind of authentication that you watched it, or the video, or maybe there’s a quiz that you can take over and over and over again until you figure out the right answer. So you’re not really learning.
What we’ve found is if you do cyber training, if you truly do cybersecurity training, for instance phishing, or ransomware, which is really where I hone in on, and you talk to people about this is how I phished you, and you actually phish them, or you hit them with ransomware, and then you send them to a landing page that, had this been real, this would have been a lot worse, whatever, you can make the message however you want. But I would strongly recommend that you show people how it happened. And it’s not because they get smarter, maybe they do. People are just naturally curious.
BILL YATES: No, I’m with – yeah, people learn that way.
DON HUNT: They’re like, wow. How did you – you did that to me? Oh, my god. And then maybe kind of own it; right? And then give them little short quizzes and hit them every now and then with it, or maybe do a, hey, we’ve got a $100 gift card for the first person who spots the flaw in this email, right, those types of things. So continue that culture of awareness, and I don’t mean put these signs of some person climbing a mountain and say, “You can do it.” Nobody watches those; right?
BILL YATES: Right.
DON HUNT: I’m talking about…
BILL YATES: Real examples.
DON HUNT: …truly getting into their space, because at the end of the day, it’s not their space, it’s yours. They’ve invaded yours. Right? They are employees of your company, and if we all take ownership of that, that makes it so much harder, right?
BILL YATES: That’s such a good point, and Don, I know for many of the project managers that I talk with, interface with, it’s their fear when it comes to security of this nature. So it depends, but for some of them, it’s fear for their own company, for others it’s fear for the partner, the customer, the vendor that’s not a part of their company.
DON HUNT: Right?
BILL YATES: And so again, my perspective is both from, you know, I was part of a 90,000-person firm, and I was part of an eight-person firm.
DON HUNT: Right.
BILL YATES: So I’ve been on both sides of that.
DON HUNT: Right.
Phishing in Cybercrime
BILL YATES: But there’s a sense of ownership and liability on that. Now, you hit on something, and I want to – I love to go “fishing,” but I think you’re talking about a different type of “phishing.”
DON HUNT: I am talking about…
BILL YATES: So talk to us about safe email and what does phishing mean.
DON HUNT: Sure. So phishing in the sense of cybercrime normally takes place in the form of an email that comes out, that goes to key people in the organization, and it looks very real. And usually within that email there’s something that’s embedded in there that’s malicious, so banks are notorious for this, they’re great targets for their customers. It’s called “phishing” because you can throw a bunch of hooks in the water and see what comes up. It can go to many, many people.
So, for instance, all of Gmail, you can just – everything ends in @gmail.com right? So you can just put a whole bunch of stuff on the front end of it, have an algorithm, send a bunch. And then this thing that looks like it’s from Bank So-and-so, but instead of .com it might say .net or .org or dot – right? And so it says your stuff is in danger, you’re going to lose all your savings, you’re going to lose all your thing, we need you to follow this link and answer the questions. Which you can google how to do that and set up one in about an hour, and then you’ll have everyone’s information that responds.
BILL YATES: Wow.
DON HUNT: So that’s one way to phish. Another way would be to have an email sent to the Chief Financial Officer and their one-downs and say, “This is the CEO,” and make it very demanding. “I don’t have time, you guys have messed up before. So I need this check or this money wired to this account right now. This customer is angry.” And the thing is how do you find out whose customers they are? Well, the thing that makes everything so wonderful to do business is the same thing that makes everything so vulnerable. We advertise it. Right? We put out so much on social networks and just on our website.
BILL YATES: Right.
DON HUNT: When I was in corporate, and I was doing this type of stuff, I would argue with our web designers and our marketing people all the time. “We should have – so we should put this on our website.” “No, we shouldn’t.” “Yes, we want to boast that we have the largest client, and also we just took on this big thing.” “Super, you just told some would-be hacker that we’re doing this.” But the problem is, the marketing team doesn’t see it that way.
BILL YATES: Sure.
DON HUNT: We need more business.
BILL YATES: Yeah, yeah.
DON HUNT: If we don’t put this out – so it’s a fine line, isn’t it? And so you have to have good communication between the upper echelons; right?
BILL YATES: Right.
DON HUNT: What can do it, and so when you’re going to put something out…
BILL YATES: Boy, that’s a good – yeah, absolutely.
DON HUNT: …talk to your project managers. Talk to your IT people. Talk to your security people. If we’re going to put this out, fine. Ten minutes, 20 minutes, a day, two days before you put this out, send an internal email to your people saying, look, this is going to happen. If you get any emails about this, please direct them to so-and-so, whoever that person might be, just a little more forethought. And business moves very quickly, and so what was great today might not be great tomorrow, and if you’re dealing with yesterday’s stuff, that’s problematic today. However, right, if you can just slow down a minute and think about what are the ramifications of this, who can take what I’m about to put out there and turn it against me.
BILL YATES: Got it, yeah.
Ransomware
NICK WALKER: Let me ask you about ransomware, we’re hearing so much more about this, companies being attacked, hackers demanding ransom.
DON HUNT: Right.
NICK WALKER: How does this happen? So how does this even get into their system?
DON HUNT: Well, it starts with phishing, most often, so instead of you giving me information when I send you this email, you’re allowing me access to your system. So when you click this link, or you open this attachment, you’ve just allowed me into your system. You don’t know it, but you have. And so I can set up what’s called a “botnet,” which is basically a system or a program that runs around your network, maps it for me, does certain things that are super, super technical, and sends me information back out. Usually I’ll ride that out on an email and so by the end of, I don’t know, a couple days, I’ve got your entire network. And I’ve set up anyone who opens that email, so now those computers, unknowing to you, are talking to each other and talking to me.
BILL YATES: To you.
DON HUNT: So I’ve got a network set up within your network, and I have the keys to the kingdom. Now, what ransomware does is it encrypts files, so it usually will change the extension of the file. So for a Microsoft Excel, it’s usually .xls. It’ll change that .xl something to another thing, it’s not super, super complicated to do that. But when you open this Excel worksheet, Microsoft Excel needs to see that extension on the end, that dot something on the end, or it doesn’t know what to do, right? It’ll tell you this is not an Excel, and that becomes a problem, and it does to all of your files.
BILL YATES: Yeah. My fear then, as a project manager, is me or a member of my team is going to be the gateway, right? That we’re going to make that mistake.
DON HUNT: Yeah, you don’t want to be the gateway.
BILL YATES: Exactly; right? So as a PM, as a leader of a team, what do we do to help our – to raise awareness, like you said, maybe it’s a culture of awareness. It’s not a one-time thing. It’s not a bring in doughnuts.
DON HUNT: No.
BILL YATES: Talk about it.
DON HUNT: Right.
BILL YATES: It has to be a normal protocol.
DON HUNT: Well, so it brings us full circle, back to your first question. You know, what’s the most open network? The most open network is the person who has an end user who’s going to be able to give permission to anyone they want into the system, so how do you do that? You raise awareness, it’s really and truly the only way at this point to stop it.
BILL YATES: Show examples, like the phishing example, the email. Show examples.
DON HUNT: Perfect. Right.
BILL YATES: Maybe even play games.
DON HUNT: Play games.
BILL YATES: Set them up.
DON HUNT: Sure. Trivia questions, these types of things. Because if you’re a big company, and let’s say you have 500 customer-facing people, I might have spent $100 million securing the network, doing everything compliance is asking me to do, doing everything that my vendors are telling me to do. So update this patch, you know, do all of those things, the ransomware attacker needs one person out of those 500 to click on it.
NICK WALKER: Wow.
DON HUNT: And so he can defeat everything that they’ve done.
NICK WALKER: So it changes the file extensions.
DON HUNT: Yes.
NICK WALKER: And so you can’t get into any files.
DON HUNT: Right.
NICK WALKER: And then they send you some sort of message that says I’ll change it all back if you give me some money.
DON HUNT: Right, which they usually won’t. Only about 40 percent that we are aware of actually do that. Would it surprise you that about 30 percent of them are actually state actors?
BILL YATES: Huh.
NICK WALKER: Actually what?
DON HUNT: State actors, so they’re working on behalf of a country.
BILL YATES: Wow.
DON HUNT: Espionage. Getting information. What we’re talking about in this podcast is just the tip of the iceberg, so there is cyberwarfare going on right now, as we speak. There is cyberterrorism going on right now. We’re hiding our information on the ‘Net. Right? We’re not – boots on the ground and all of that kind of stuff, it’s whatever it is, but it is going away. Information is now the key to everything, so if I can shut down your power grid, why do I need a war?
BILL YATES: Yeah, right.
DON HUNT: Right?
Cybercrime Recovery
NICK WALKER: So what does it take for a company to recover from this kind of attack?
DON HUNT: Ah, so ransomware can be easily stopped, aside from the awareness thing, just back up your files. So the City of Atlanta breach, which is now pretty much out there in the open, there’s not a whole lot that I can’t talk about. But one of the key systems that made them vulnerable was they did not patch their software as it came in. So a Microsoft shell will tell you, even Microsoft 10, when it’s on there, and even on your personal computer, it’ll say, “Hey, you need to update this.” What they’re telling you in essence is we found a hole. We as Microsoft found a hole that makes you vulnerable. Fix it, simply by just saying “update my system,” okay, and so you will, and everything’s secure. If you don’t do that, you don’t think these hackers are getting that same email?
BILL YATES: So again back to the PM, the PM says, okay, my team, when you are asked to upgrade your software to the latest and greatest version, do it.
DON HUNT: Do it.
BILL YATES: You know, click yes. And even backing up data, making sure that we have good backup protocol in place.
DON HUNT: Right.
BILL YATES: So we do have a place to fall back on.
DON HUNT: Right.
BILL YATES: If we were to have that awful day happen where ransomware or something else hit us. Good practices.
DON HUNT: It will be the number one small business hack within two years.
Future of Cybercrime
BILL YATES: So you’re talking about the future now and we wanted to go there a bit. Just give us a sense for, as we continue to have better, more accessible, easy access tools as project managers, we also know there’s a price to pay with that. You know, we’ve talked about some of that, so how do you see that playing out in the future? Where do you see cybercrime going?
DON HUNT: So we go back to the beginning again, this is what keeps me up at night. Thus as technology becomes better and better, the loopholes in it become better and better. We, especially as Americans, we like the convenience of everything.
BILL YATES: Yes.
DON HUNT: Okay? There’s a point where we’re not even going to go shopping for groceries anymore.
BILL YATES: Right.
DON HUNT: We’re just going to have it delivered. Whatever; right? But every time you touch that Internet, every time you click that button, you’re vulnerable. So the easiest way to stop doing that is make fewer clicks. Make it harder for people to get those gaps in between. How many times, how many people touch this in order to make whatever the action is that you wanted to happen, happen. So there are people out there who are working night and day to figure out how to make it more secure and better and faster and more convenient. But with convenience comes the loopholes, and there are people who are up night and day, 24/7, trying to figure out what that loophole is and exploit it.
In general, though – and I know I painted a pretty dark picture there. But in general it’s as simple as be vigilant when you’re out there. Think twice before you click on something. If it seems too good to be true – it’s the old adage; right? I don’t even need to finish it, and then just think it through about what am I doing, and do I need to do what I’m doing to get there.
And just as something that we haven’t talked about, but I’d really like project managers to know, watch your sales force. Salespeople in general are good people, they’re willing to help, they’re willing to do whatever they can to make a sale. Number one, their livelihood depends on it. But they’re just wired that way, right? Because they’re wired that way, hackers know that.
BILL YATES: Right.
DON HUNT: And so they know that salespeople have access to a lot of information. And if I can pretend I’m one of your salespeople, if I can hack your email and then send an email to someone, they can send that information to me, and you are in trouble then, right?
BILL YATES: Great advice.
DON HUNT: So you really don’t want to forget your sales force, you have all these people internally, but you’re forgetting about your salespeople out there, sitting in their car, sitting at a coffee shop on public WiFi, right, doing their things. Which isn’t – unfortunately, that’s necessary. But again, what makes it necessary to do business makes it absolutely vulnerable, and just hang out at a coffee shop for a couple days, all day. Just spend some time and look for people with a backpack, and also it might have an antenna sticking out of it. Normally it’s an Alpha 4 hooked to a Raspberry Pi, and we don’t need to talk about all of that.
But these are all things you can just go to any store and pick up, and you can do all kinds of damage with that, you can change even where it looks like you’re from. So if we had a laptop in here, I could make it look like we’re in Saint Petersburg, Russia, right? So that’s one of the loopholes that everybody knows about. Salespeople have access to the system, and they’re also traveling, so they stop at these coffee shops. Because it’s free WiFi. So think about it, it’s free. How much security is it really going to have?
BILL YATES: Right. You’ve got to use VPN; right?
DON HUNT: Yeah.
BILL YATES: So you have to bring your own security with you.
DON HUNT: Yeah.
BILL YATES: I feel like we have a bright future ahead.
NICK WALKER: I’m just sitting here thinking, okay, so go home right now, change all my passwords.
BILL YATES: Yes.
Personal Cyber Security Actions
NICK WALKER: So change my email addresses, I mean, what should we as individuals be doing right now to become more secure?
DON HUNT: So one of my academic mentors and a very good friend, who is a prominent scholar, and when I tell you what he told me, it’s going to sound stupid, but it makes perfect sense. He envisions a future where we all go back to paying for things with cash and don’t use the Internet, and it sounds silly, you know, but that’s one future that could very well happen. However, that’s not going to be for a super long time. And so how do we interact? How do we move throughout those things? I would say very carefully because it’s only going to get more technical, we’re only going, I mean, think about it. Ten years ago you didn’t know all these things an iPhone could do.
BILL YATES: Right.
DON HUNT: Right? And the technology that’s coming out now is exponential, not only technology on the hardware, but the way we do things. Look at the banking industry; right? Look at the payments industry. All of these innovative new ways to do it. And so, we have got – there are a couple of Scandinavian countries who do have chips in their forearms and can pay that way and get paid that way. So we are getting to that. So dual authentication and all the rest of that, how about putting it right there? You’ve got an RFI chip in your arm, so you’ve got your [crosstalk].
BILL YATES: It’s an idea for project managers.
DON HUNT: Sure, sure.
BILL YATES: Hey, why not just take the whole team, get a tattoo, just happens to have a card in it.
DON HUNT: Yeah.
BILL YATES: But seriously, the advice you’ve given for the project manager to create a culture of awareness is huge. So that’s a great starting point in something that should be as routine for us as risk management, as looking at the schedule, looking at resources needs to be a part of what we do on a regular basis.
DON HUNT: Right.
BILL YATES: I appreciate you sharing that.
DON HUNT: Yeah, great.
NICK WALKER: Well, I tell you what, Don, a lot of things to think about here as we go forward. And obviously this is going to be a topic that we’ll probably be talking about for years and years and years. But we thank you for sharing your expertise with us today.
DON HUNT: Oh, this has been fun.
Get More Info
NICK WALKER: Hey, before you go, how can people get more information about just what to do to prevent cybercrime? Also, are there places we can go on the Internet to find out more about how to protect ourselves?
DON HUNT: Of course there are, Microsoft is a great example, they have all that information. There are also other companies out there, like one of the bigger ones is Symantec, they’ve got all kinds of open information for anyone. Go to those types of places, you can certainly go read some of the literature and some of the data we’ve put out. If you go to evidencebasedcybersecurity.org, we have a bunch of information out there, and you can certainly go there.
And we’re also wide open to suggestions, we do help with companies and individuals and all of these things. We’re always looking for partners and people to partner up with, which is a nice tautology for you. You know, we want partners to partner up with. But we do look to partner with individuals and companies, and we look at the new trends. We want to see what are the problems you’re facing, so I would encourage you to reach out to us. We’re happy to come to your place, especially if it’s in Hawaii. You can come to our place. You can tour our labs. We are wide open. And this is one of the biggest initiatives that any university has ever taken on, so we’re happy to help, too.
NICK WALKER: Well, thanks again, and we’ve also got a gift for you.
DON HUNT: All right.
NICK WALKER: The Manage This coffee mug.
DON HUNT: Nice.
NICK WALKER: Yes. Use that with our compliments.
DON HUNT: And why do I have this one instead of that one?
NICK WALKER: This is mine. You can’t have it.
DON HUNT: Oh, it’s got your DNA.
NICK WALKER: Yeah, yeah.
DON HUNT: I can make my own Nick. Just need an incubator.
NICK WALKER: Well, thanks again.
DON HUNT: Yeah. Appreciate it.
Closing
NICK WALKER: All right. What a great topic today, and so I want to encourage our listeners to suggest topics and guests for us to have here on Manage This. If you have a suggestion, just email us at manage_this@velociteach.com. Meanwhile, don’t forget to claim your free PDUs, those Professional Development Units, for listening to this podcast. Go to Velociteach.com and choose Manage This Podcast from the top of the page, click the button that says Claim PDUs and then click through the steps.
So that’s it for us here on Manage This. We hope you’ll tune back in on July 16th for our next podcast. In the meantime, we’d love to have you visit us at Velociteach.com/managethis to subscribe to this podcast, to see a transcript of the show, or to contact us. And tweet us at @manage_this if you have any questions about our podcasts or about project management certifications.
That’s all for this episode. Thanks for joining us. Until next time, keep calm and Manage This.
Comments
This was excellent. It is so important that cybersecurity be considered at all stages of project management and lifecycle management. It is often impossible to retrofit a product with adequate security once it has been produced.
Thanks so much for your comment!
Great podcast on such a widespread area of concern. I had to chuckle out loud regarding the special character. Duly noted to change my passwords and what to avoid doing! More and more stories come out each week on risks and breaches in security.
Thanks for the insights.
While keeping focus on scope, time, cost and quality of a project, the security requirement has become increasingly important with advancement of technology that it has become like a default project scope. The podcast is a good reminder for us PM practitioners not to overlook and take for granted cybersecurity risk when managing our project.
This is the best and the most informative podcast on the subject matter I have had the privilege of listening to.
Thank you for your comment. We all learned so much from our conversation with Don.
This podcast was really helpful in understanding the common terminology of cyber security, not just for PMs working in a technical space, but also for those who use simple tools like file transfer with their clients/stakeholders. In my last position, I worked to implement and acquire our Payment Card Industry Data Security Standard (PCI-DSS) compliance and I felt like this podcast reinforced something that was critical for us- security is a culture you teach your team. It rang true for me that having a day in which your team participates in a webinar/conference and we discuss security best practices is not meaningful in today’s environment. It has to be something that is ingrained in the team’s day-to-day routine. Reviewing scams like phishing and techniques like social engineering was a great refresher for me and I would recommend this podcast to anyone who is interested in heightening their knowledge/skills in the security arena.
We’re hoping this podcast inspires many conversations among our audience with regards to implementing a culture of security. Thanks for your comment!
Hello there,
I was using the password generator tool you mentioned.
While it does the job overall, I found another tool to be a better alternative. I thought other users might also appreciate it if you update your page.
It is clear and free: https://www.safetydetectives.com/password-meter
It creates passwords from words, that should be easier to remember, which is why I use it.
For example, the word “benediction” will be b=nedicT10n – super easy to remember (you need at least one password to remember as a master password, no?)
Hope I helped back.
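As an added example (not from the commenter, the podcast, or the linked tool), here is a short Python script showing two ways a password’s strength gets estimated: the length-times-charset formula that many online meters use, and a dictionary-aware bound for a password that was derived from a word by changing case and swapping characters, alongside the entropy of a passphrase generated from a random source. The word list, the substitution table and the dictionary size are constructed assumptions for illustration, and the sample password is the one from the comment above.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style list (real lists have thousands of words).
WORDLIST = [
    "anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]

# Assumed substitution rules: the swaps a cracking rule set would typically try
# for each letter (e.g. e -> 3 or =, i -> 1 or !, o -> 0).
SUBSTITUTIONS = {"a": "@4", "e": "3=", "i": "1!", "o": "0", "s": "$5", "t": "7+"}

# Assumed size of the dictionary an attacker draws base words from.
ASSUMED_DICTIONARY_SIZE = 100_000


def charset_entropy_bits(password: str) -> float:
    """Naive estimate used by many strength meters: length * log2(character-set size).
    It only looks at which character classes appear, not at how the password was built."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def word_mangling_entropy_bits(base_word: str, dictionary_size: int) -> float:
    """Dictionary-aware bound: if the attacker knows the password is a dictionary word
    with per-letter case flips and SUBSTITUTIONS applied, the guess space is
    (dictionary words) * (variants of each word), and this returns its log2."""
    variants = 1
    for c in base_word.lower():
        options = 2  # letter kept as-is or upper-cased
        options += len(SUBSTITUTIONS.get(c, ""))
        variants *= options
    return math.log2(dictionary_size) + math.log2(variants)


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from a list of list_size."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int, words=WORDLIST) -> str:
    """Pick words with the OS CSPRNG (secrets), so the estimate above actually applies."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    sample = "b=nedicT10n"  # the commenter's example, derived from "benediction"
    print(f"charset meter for {sample!r}: {charset_entropy_bits(sample):.1f} bits")
    print(f"word+mangling bound for 'benediction': "
          f"{word_mangling_entropy_bits('benediction', ASSUMED_DICTIONARY_SIZE):.1f} bits")
    print(f"4 random words from a 7,776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    print("example passphrase from the constructed list:", generate_passphrase(4))
```

The two numbers for the same password differ by roughly a factor of two because the charset formula assumes every character was chosen independently, while the second estimate assumes the attacker knows the construction recipe. Choosing words (or characters) from a random source is what makes the first kind of estimate honest, since there is then no recipe to learn.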
Thank you for your comments Adam! We appreciate your helpful advice.
This is great! We take things for granted when it comes to the internet but this is a real threat in every aspect of our life!
I write this 2 years after the broadcast – but this was a superb podcast. Don is a rare breed – truly an expert but extremely skilled at getting his points across in an accessible & digestible manner.
Thanks for your comment Brendan. We were honored to have Don on our podcast, he is the expert! 🙂
This was great. It is critical that PM to cybersecurity at all stages of projects.