Episode 91: Information Security with Duncan McAlynn
Monday 15 January 2018
Duncan McAlynn joins Chase Raz to talk about InfoSec, Information Security. Duncan, a former Principal Security Engineer and now a private InfoSec consultant and evangelist, writes and speaks on the topic throughout much of the year to a wide variety of audiences. Duncan can be reached on Twitter with the handle @InfoSecWar. Within this episode, Duncan and Chase talk about the Meltdown and Spectre vulnerabilities, the daily work life of an Information Security Engineer, how malware spreads, cloud-specific threats, and ransomware. Tips for small businesses are provided as well as guidance for students of all ages wanting to learn Information Security.
Episode Show Notes
Episode 91 Outline
- Opening and welcome
- Meltdown and Spectre information and tips
- Duncan McAlynn Introduction
- The daily work life of an Information Security Engineer
- Malware sources, sponsors, and services
- Drive-by Infections using advertising networks
- Cloud computing threats and risk transfer
- Social Engineering is the leading cause of threats
- Information Security services from the financial sector
- Tips for small businesses to protect themselves
- Guidance for students looking to learn Information Security
Episode 91 Summary
Duncan McAlynn joins Chase Raz to talk first about the most topical security vulnerabilities, Meltdown and Spectre, which impact virtually all computing devices made within the last couple of decades. After that unpleasant business is out of the way, Duncan introduces himself further and describes the daily work life of an Information Security Engineer for Chase.
Over 100,000 new pieces of malware appear on the Internet every day. Some are manually coded, others are automatically generated. There are even Ransomware-as-a-Service providers that eliminate the need to code as a part of deploying a ransomware attack. Malware and ransomware aren't just for disgruntled programmers, however. State-sponsored malware originates from the United States, Russia, Eastern Europe, as well as China and other parts of Eastern Asia. The 2017 WannaCry ransomware attack was attributed to North Korea and the subsequent NotPetya attack was recently linked to the Russian military.
The cloud can be considered more secure in some regards, but also less secure when considering that human error still persists and the end-user configuration of cloud services is often a vulnerable attack vector. Duncan asserts that, "[Cloud computing] is not a transfer of risk." Chase agrees and notes that there is a slight transfer of liability in some instances, but that cloud providers would do well to require end-users to connect via VPN or SSH tunnels in order to upload information into public cloud services.
Duncan confirms for Chase that social engineering is still the number one method of attack for most businesses and individuals. He explains that phishing attacks can evolve into something called "spear phishing" by using public social media profiles to custom tailor the attack for a particular individual or business. This freely available information assists the hacker in creating phishing attacks that seem legitimate and relevant. Chase then briefly complains that financial services should be doing more to combat the effects of this without charging a monthly fee for such behavior. He asserts that it is the duty and obligation of financial services to protect their account holders' information, not a value-added upsell.
To conclude the episode, Duncan provides small and mid-size businesses and enterprises (SMBs and SMEs, respectively) tips on how to stay secure. Suggestions and guidance for aspiring Information Security students of all ages are also provided.
Small Business Security Tips
- Create and store data backups using the 3-2-1 Method
  - Have 3 unique backups…
  - In 2 distinct locations…
  - One (1) of which should be offsite.
- Don't pay the ransom if impacted by ransomware
- Always have good antivirus and antimalware software
- Stay current on software and operating system updates
- Utilize a solid paid VPN
- Always utilize the HTTPS (encrypted and secure) version of a website when available, and never send sensitive information over a site only available via the HTTP (unencrypted) protocol
Guidance for Information Security Students
- Learn to build your own computer systems and networks to better understand the physical components and connections
- Run your own non-critical services to gain real world experience
- Supplement your experiences with academic or structured learning
- Read books, textbooks, and websites on Information Security
- Prepare for Information Security exams, even if you don't ultimately pay to take them (Business tip: some employers will pay for employees or potential employees to take these exams)
- Utilize free resources that are available (listed in the service links below)
- Follow prominent InfoSec professionals on Twitter, starting with Duncan McAlynn
Resources and Links
Links for News:
Meltdown and Spectre, https://spectreattack.com/
Links for Information:
Meltdown and Spectre, Graz University of Technology, https://spectreattack.com/