Category Archives: Leadership

Canadian cybercrime expert looks into the depths of social engineering

Christopher Kayser admits he was once suckered by a phishing lure, which is ironic considering he’s a cybersecurity consultant, researcher and author of a recent book that tries to explain why people fall for such scams.

It was supposedly an email from an airline he regularly uses, Kayser said in an interview from his Calgary home. The email featured special pricing on fares. He clicked a link. Nothing happened, but that’s because the malware was silently downloading.

“And I looked at the screen and thought, ‘You silly bugger.’”

Christopher Kayser

No serious harm was done. It did mean Kayser was one of the thousands of people around the world who have been duped since the age of the personal computer began. And it sort of makes him competent to write about social engineering.

His message to anyone with a computing device is “don’t be quick to click,” which, of course, he was that day.

“I try to tell people to slow down, think about what they’re looking at, understand that they have to be right every time they touch a keyboard, but the cybercriminal only has to be right once. And that one time can change your life if you lose your identity, your social insurance, if your bank account gets cleaned out, or if your credit gets ruined.

“So what I wanted to do is write a book that did two things: One is helping people that weren’t super-literate in how to protect themselves as best they could using technology [and] to remind people that becoming too close to technology is not necessarily a good thing. Sometimes the more advanced we get the less cautious we become, and that can be catastrophic.”

His book, Cybercrime through Social Engineering, is a 290-page distillation of cybercrime (hacker tools, ransomware, CEO scams, phishing, the phases of an attack) and how people and organizations can protect themselves (multi-factor authentication, cyber insurance, penetration testing, the need to create effective cyber policies). Non-tech managers and individuals will find it a useful introduction to a vast subject and a guide to the warning signs to look for.

The centre of the book is a concept Kayser and a Boston University colleague are developing called Required Elements for a Social Engineered Cyber Attack Theory (RESCAT) to explain how users of technology react to social engineering attacks.

Briefly, they believe two factors — human nature and human curiosity — determine what people will do when faced with an enticement. As many infosec pros know by now, attackers try to manipulate people through emotions including fear, urgency, greed, guilt, helpfulness and obedience. But they also believe generations play a role in decision-making. For example, Traditionalists — those born before 1945 — are cautious and less likely to click. Younger groups who are more at ease with technology and think rules don’t apply to them may be more trusting. That is why, Kayser writes, a “one-presentation-fits-all” approach won’t be effective.

There’s a lot of research and testing of the model still to be done, Kayser acknowledges. But if it proves accurate, he says it could help shape awareness programs that make users of technology more alert when faced with something that looks convincing.

Actually, it wasn’t that supposed airline fare offer that triggered Kayser to write a book. It was a CBC interview with a firewall vendor who said his product catches 92 to 98 per cent of cyberattacks. Asked about the rest, the rep said it was up to the user to catch them. “That just about floored me,” Kayser said, figuring it left a “staggering” number of people who could face a cyber attack.

‘People need to know’

“Think of 4 billion people around the planet who are using smartphones, computers and look at cybercrime rates, look at legislative restrictions that inhibit the ability of law enforcement to successfully detect, charge, extradite, prosecute cybercriminals. Look at the wealth, look at the Darknet. Look at the risk-reward that goes on with being a cybercriminal.

“You have, I think, the most invasive and destructive form of crime in history going on and people need to know about this. They need to know how to reduce the rate of potential cyber victimization and how to become more cyber safe and cyber-savvy to the best of their ability,” said Kayser.

A 23-year veteran of the computer industry who started as a programmer and rose to become lead manager for a software project for a major Canadian bank before switching careers to manage financial portfolios, Kayser did well enough to go into semi-retirement. Then he studied criminal justice, eventually earning a Master’s degree at Boston University in criminal justice and cybercrime.

“Social engineering is ingrained in us,” he said, meaning at a young age people learn to manipulate others for a reward: Babies cry until they get fed, children throw tantrums until they get a toy. Parents tell their teenagers, “Clean your room and we’ll go to McDonald’s.” Bill Gates, Kayser observed, once said he uses “negative motivation” to spur employees.

Gullibility and forced habit

Still, after years of (sometimes sporadic) corporate awareness training and news articles, users fall for scams. “It’s a combination of gullibility and forced habit,” Kayser said. “There are assumptions people make.” One is that IT manufacturers are doing everything possible to make sure people aren’t victims. Another is that their ISP is doing absolutely everything in its power to make sure nothing resembling malware gets through. That’s part of his RESCAT theory. Many assume, “The world is looking out for me.”

Another factor is people are in a rush. Many successful cyberattacks happen on a Monday when people come into the office to face a pile of emails. Staff want to be efficient. They read too fast, there are distractions and the caution that they might exercise on other days is gone.

It would help, Kayser says, if cyber awareness were taught in the early grades.

Advice for CISOs

Asked what effective corporate cyber awareness training looks like, he pointed to efforts by Canadian banks. In one institution, keyboards have been configured to have a button staff can push to alert IT if they get a suspicious email. But organizations also have to set and enforce responsible use of technology, he said, such as refusing to allow personal surfing during working hours.

And beyond training, it may be necessary to make corporate directors responsible for security incidents, he added. Meanwhile, CISOs have to understand that everybody is busy and stressed, particularly today.

“Most people are trying to do the best they can within the organization, but their priority is not cyber safety and cyber awareness … So it falls upon the CISO to develop education programs and processes that can safeguard employees through automatic processes as well as supplying employee education about the real risk of potential cyber victimization.”

Training needs to be tailored to the audience, he stressed.

The post Canadian cybercrime expert looks into the depths of social engineering first appeared on IT World Canada.

Coffee Briefing, October 27, 2020 – New beginnings, plus the latest from Dell, IBM, NetApp, and more

Starting today, we are combining our CDN and ITWC Morning Briefings to deliver our entire audience the most complete news package with the latest headlines, interviews, and social media chatter.

Academic | An interview with Joshua McKenty, co-founder of OpenStack on the art of contemporary cloud computing

Brian sat down with Victoria’s Joshua McKenty, co-founder of OpenStack and Piston Cloud, to discuss what the future holds for a medium near and dear to both of our hearts.

Workflow management apps, like Montreal’s Unito, see spike in new signups

COVID-19 has disrupted the workflows and processes that help run organizations worldwide, and enterprises are turning to SaaS apps like Unito to create clarity out of the chaos.

“A lot of people working remotely have come to realize just how much their workflows relied on spontaneous or in-person conversations. As companies shifted remote because of COVID-19, they lost the desk-side chats, the lunchtime conversations, and the impromptu check-in meetings and then their workflows fell to pieces,” said Marc Boscher, chief executive officer of Montreal-based workflow management provider Unito, in an interview with IT World Canada. “Once these gaps became obvious, people began working to address them. In a lot of cases, this meant filling the holes with Zoom calls, but many forward-thinking companies sought out solutions that would allow them to optimize their workflows for asynchronous work and remote work. And that’s where a lot of businesses, especially larger companies, turn to us.”

In the months after the pandemic began, Unito saw a 74 per cent increase in signups among users from companies with at least 10,000 employees.

“That’s because these big companies use a ton of tools and have extremely complex workflows. We help them adapt their workflows by connecting the tools required to complete them, accelerating their transition to remote work,” explained Boscher. 

There are many ways in which workflow management factors into the new psychology of the workplace. It helps align processes, work styles, goals, terminology, and people. It creates psychological safety by removing many of the stressors associated with “the new workplace,” he said. 

“Workflow management smooths out the hardest kind of collaboration in the workplace: cross-functional collaboration. Imagine I told you I’m assembling a project team who barely know each other, have different educations and skills, use different terminology to describe the same thing, are used to different processes, work styles and goals, and use completely different tools. What would you say are the chances they’ll collaborate smoothly, much less deliver the project successfully? Those are the conditions of collaboration when you cross the usual organizational structure. It’s really hard, but it’s also really important,” Boscher explained during an interview. 

A recent IBM study of global C-suite executives titled “COVID-19 and the Future of Business” indicates global executives are prioritizing more intelligent, secure and responsive workflows that are developed using a combination of technologies such as automation, AI and cybersecurity.

Over the next two years, the study finds prioritization of AI technology will increase by 20 percentage points. Sixty per cent of executives surveyed have accelerated process automation, and many will apply more automation across all business functions, and 76 per cent of executives surveyed plan to prioritize cybersecurity. The study includes input from more than 3,800 C-suite executives in 20 countries and 22 industries. 

The majority of businesses are trying to make their remote work environment similar to their in-office environment. That’s a natural reaction — they are trying to recreate what they knew, what was comfortable, but Boscher says he thinks remote work requires a different approach. Psychologist Kristen Shockley said, “Companies should never just implement telecommuting without changing anything else. They also need to shift their culture and norms to support the new arrangement.” 

Founded in 2015, Unito was created to integrate disparate SaaS applications. “We could transmit data from one tool to another, replicate changes from one tool to another back and forth. It was also very focused on collaboration between teams, for example – the marketing teams working out of Trello or Asana or engineering teams working with tools like JIRA or GitHub,” explained Boscher. “But we discovered along the way that the problem was much more widespread and people, business users in particular, were trying to find a way to organize and visualize the way work was happening in the organization, and then optimize it.”

Unito’s two-way integrations between tools including Trello, Asana, monday.com, Jira, Wrike, ClickUp, GitHub, GitLab, Bitbucket, Teamwork, Basecamp, Zendesk, and HubSpot let developers keep using the tools they want while giving managers greater visibility into and control over their work.

The company recently launched its new workflow management offering, which Boscher says is a visual way to discover where the work is happening in a team or an organization and in which tool it is happening, understand who’s working with whom, and give teams in the organization the ability to automate some of that process workflow and accelerate it through integration.

Unito’s personal plans start at $10 per month for five active users and top out at $20 for 10 users. Companies with 40 to 150 active users will have to pay $250 per month up to $770, respectively. Unito has a 4.5 star rating on Gartner’s GetApp.com, an app discovery platform that compares SaaS products. Some of its bigger competitors in the workflow management arena include Boomi and HubSpot’s PieSync.

SecTor 2020: The blonde, the smile, and the hack

An attractive blonde follows a man onto an office elevator. “Nice to see you again,” she says to him.

He pauses. She must be right, he figures, so he smiles back. Then she compliments him on his scent.

The elevator arrives at his floor, which is security controlled. He inserts his access card into a slot in the elevator panel, and when the doors open, he turns to the woman and says, “Ladies first.”

The blonde is Paula Januszkiewicz, CEO of Cqure Inc., a Polish-based penetration testing and auditing company, who has just accomplished the first part of her assignment: Get unauthorized access to a customer’s office.

It’s lunchtime at the office she has just entered. Staff are leaving their desks. Company policy is that employees should log their PCs off the network before leaving them unattended, precisely to prevent what is about to happen. Even if they forget, machines are configured to log off after five minutes. One staffer leaves his computer on. Januszkiewicz sits at his desk. She yawns or coughs, enough so that other staff see a stranger sitting at someone’s desk. No one comes over to ask who she is.

So Januszkiewicz is free to insert a specially created USB key and hack into the system.

The lesson

There’s a lesson from this incident, Januszkiewicz told the SecTor 2020 virtual conference on Wednesday: If an attacker does things with confidence, they may get through anything from physical security to anti-phishing filters.

As the keynote speaker for this year’s conference, Januszkiewicz emphasized the importance of understanding how cyber attackers see your infrastructure: as an object to be manipulated by exploiting human behaviour.

Behaviour like being lazy in picking passwords. On assignment to penetrate an energy company, Januszkiewicz had no problem guessing some employee passwords. She assumed at least one person would use the firm’s name and just add “2020.” She was right. Twenty-nine of 6,000 employees had that password.

Bad behaviours

Other bad user behaviours hackers take advantage of include:

  • Falling for dropped USB scams. One study showed 90 per cent of people who find USB drives with a company logo in a parking lot will plug them into a company computer to find out who they belong to. In fact, 60 per cent will do it even if there is no logo. Infected USB devices could run unapproved code. One solution is a whitelisting policy that prevents unapproved code from executing;
  • Falling for phishing and clicking on infected attachments. There’s no shortage of examples, but Januszkiewicz spoke of a new one: A seemingly empty Excel spreadsheet with an infected picture hiding behind an empty cell. If an employee clicks on a cell trying to see if the spreadsheet has hidden information, the malware executes. One solution is strict access management to prevent admin accounts from being taken over by malware;
  • Hacking lost smartphones. Seventy per cent of smartphone owners don’t password-protect their devices, one study shows. One solution: A strict company policy of reporting the loss of company or personal devices that access corporate data;
  • Careless use of public Wi-Fi with devices that access corporate data. One solution: Better user awareness training.

Thinking like a hacker, Januszkiewicz said, will allow organizations to design successful cybersecurity strategies.

New CIOCAN president wants to ‘strengthen’ the CIO’s voice

Chief information officers across Canada have been driving change in their organizations, and in some cases, have helped accelerate digital transformation projects during the COVID-19 pandemic. But the role of the CIO is constantly changing and sometimes stays shrouded in mystery due to the many ways it touches business operations. Philippe Johnston is hoping to…

ITWC Morning Briefing, October 22, 2020 – Dell Technologies World news, plus new news and old news

To keep up with the firehose of news, we’ve decided to deliver some extra news to you on the side every Tuesday and Thursday morning. Some of it is an extension of our own reporting that didn’t make its way into a story, while others might be content we’ve bookmarked for later reading and thought…

ITWC Morning Briefing, October 20, 2020 – SK hynix acquires Intel NAND memory and storage business, Technicity is back, and more

To keep up with the firehose of news, we’ve decided to deliver some extra news to you on the side every Tuesday and Thursday morning. Some of it is an extension of our own reporting that didn’t make its way into a story, while others might be content we’ve bookmarked for later reading and thought…

Social media causes polarization – so where do we go from here?

The social dilemma described in the recent movie with the same title exists because technology groups think that they are not responsible for the content and data that people put in their applications. We think we can build the technology and let people decide how they will use it.  The truth is we have always…

Women in tech regressing in 2020? These strategies can help – Dallas Business Journal

Accenture's Anju Bhagat shed light on some alarming data that suggests that the proportion of women in the tech workforce has declined despite an increase in the number of female tech workers employed today.