
By: Matt Kozloski


August 16th, 2018

The Most Pressing Business IT Questions of the Day on Real Estate Radio

Cybersecurity | Business Continuity | BCDRaaS | Disaster Recovery | it ct | cyber security Connecticut | IT Connecticut | Connecticut cyber security

Last month, I was thrilled to be invited back to the 94.9 FM CBS Radio airwaves for another episode of Real Estate Radio (listen to my first appearance here).

I actually love this radio show. It seems so random—a full hour about real estate—but the hosts Byron Lazine and Pat Kenny use real estate as a jumping-off point to talk about a wide range of topics that affect quality of life and where people choose to live.

This time around we focused on hot topics in the tech world including Facebook privacy and the GDPR, ransomware, and phishing following high-profile cyber attacks in Connecticut.

You can listen to the full audio of the show below, and I’ve pulled out some of the highlights in text if you’d like to skip to a particular topic.


GDPR and Facebook Privacy

Here’s a bit of our conversation on Facebook privacy and the GDPR, the new data privacy law in Europe. Facebook has stopped allowing developers to do what I’m describing—build apps where users can unwittingly share their friends’ data—but currently, it’s not illegal to do so in the U.S.

MATT: If you look at what's going on in Europe right now with GDPR, there's a huge push for privacy, and it's difficult because look at how much data is out there, how many people have access and are writing apps that plug into Facebook. When you accept a request, you don't exactly know what you're sharing, who you're sharing it with. It's huge. 

Let's say you accept a request for some kind of app in Facebook and it's publishing, not just your information, but information that you know about your friends. Do your friends know that you've accepted a request for an app and their information through you is being shared out now? There are so many complications…

BYRON: You're sharing your friends' info. 

MATT: Yeah, yeah exactly. 

BYRON: Did you get permission from your friend? 

MATT: Well, I don't know. Probably not. Did you know you were doing that?


What is Ransomware?

Following the recent ransomware attack on the Derby Police Department, Byron brought up an important question—what exactly is ransomware?

MATT: It's relatively simple. Somehow malware gets onto people's systems. Usually it's through a phishing attack where someone gets tricked into clicking on a link and running some kind of software.

This malware encrypts all the data on your network and it makes your systems and the information that you have just inaccessible. Then you get a popup saying, "Hey, if you pay us this many bitcoins, we'll give you the key so you can de-scramble your data." That's how this goes. 

BYRON: Mm, bitcoin. What if you don't own any bitcoin?

MATT: That’s part of the challenge—getting a bitcoin, or part of one. 

BYRON: $8,000 right now, bitcoins are. 

MATT: Yeah, so usually you get a fraction of one. You don't have to get a whole one to do it. 

BYRON: I'd be asking for a whole bitcoin.

MATT: In [the case of the Derby Police Department], they didn't actually have to pay anything. They had a really, really good backup.

BYRON: What could've happened if they didn't have a good backup system?

MATT: So, then you get into two versions of it. You attempt to pay the money and maybe get the key to unscramble your data, which unfortunately just feeds into the whole thing. But, if you're a business and organization, you have to get back online. It's definitely something you would consider. Otherwise, it's going back to your backup or re-keying data if you have to, too, which is pretty ugly. 

BYRON: Correct my ignorance, they're not taking any information from the police department? 

MATT: No, they're not. That's the frustrating thing—your data is there, it's just scrambled. You can't read it. 

BYRON: We're not going to let you read because we can't read it—until you give us something. 

MATT: That's right, then we'll give you the key and this key unscrambles all the data. 

PAT: It's literally just a bully breaking something.

BYRON: Are you able to come in and fix that without the key?

MATT: We cannot decrypt the data. Some of the variants…after these guys get busted, the keys get published and then we actually can come in and decrypt some of it. But generally speaking, it is near-impossible to just decrypt data. If it was that simple, this wouldn't really be a thing.

BYRON: Wow. That's pretty scary. 

MATT: It's super frustrating because you can see your files and everything on your network, you just can't read them. 


How and Why Did Hackers Decide to Target the Derby Police Department?

PAT: Is the theory that they're a smaller population, so you might be able to pull it off?

BYRON: Is it totally random? When they're spreading this [malware] stuff, is it totally random? 

MATT: Yeah, it can be random, in a way. Really, they just send out massive phishing attacks, just to get people to click on stuff and eventually you get the malware in. That malware phones home and now they kind of know that it's there and they can ask for money. 

PAT: This is not a targeted marketing campaign by any means.

MATT: Sometimes it is though. And those are the scarier ones.

BYRON: Real estate agents have targeted attacks all the time. It'll be an offer for your listing and you'll open it and it'll be like, "Click here to download the PDF of the offer." There are so many agents that are like, “Oh my gosh! I got an offer! I got an offer!”

PAT: I don’t have to eat ramen tonight!

MATT: What if I was a hacker, and I sent you that email. You pull up the offer and there’s a splash page and it says, "Something went wrong. Enter your email address and your password," and I made it look like a Google page. You're like, "Oh, okay I'll put in my email address and password."

Well, now I have your username and password and I can forward all of your emails to me now ongoing and I can watch all the activity that you do.

BYRON: Most agents in the game are pretty accustomed to it at this point. So, they know—Okay, I'm not opening that, if it's not coming from an agent that you know is in the game, right? Ten percent of agents do 90% of the business. Or, if it's not from an email you recognize, you're just not opening it. 
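The forwarding step Matt describes is what an attacker does once they hold a stolen password: a quiet rule that copies every message out of the mailbox. The read-only audit below is an added example (mine, not code from the post or from Kelser) that lists mailbox-level forwarding and forwarding, redirect or delete inbox rules across an Office 365 tenant, assuming the ExchangeOnlineManagement module is installed and you have already run Connect-ExchangeOnline as an admin.

```powershell
# Added example, not from the original post. Read-only audit of an Exchange Online
# (Office 365) tenant for mail forwarding that a phished account could have set up.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.

Import-Module ExchangeOnlineManagement

$findings = @()

# 1. Forwarding configured on the mailbox object itself (visible only to admins,
#    so users rarely notice it).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Mailbox = $_.UserPrincipalName
            Type    = 'MailboxForwarding'
            Target  = "$($_.ForwardingSmtpAddress)$($_.ForwardingAddress)"
            Detail  = "DeliverToMailboxAndForward=$($_.DeliverToMailboxAndForward)"
        }
    }

# 2. Inbox rules that forward, redirect, or silently delete messages. A rule that
#    forwards AND deletes is the classic sign of someone watching a mailbox.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = 'InboxRule'
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                Detail  = "Name='$($_.Name)' Enabled=$($_.Enabled) DeleteMessage=$($_.DeleteMessage)"
            }
        }
}

# Review every row: anything pointing at an external domain deserves a conversation
# with the mailbox owner and a password reset if they did not create it.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Any forwarding target outside your own domain that the mailbox owner cannot explain should be treated as a compromised account, not a misconfiguration.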


What is Phishing?

We established that most ransomware attacks start with phishing, and Byron even gave a great example of a common phishing attack in the real estate world: the phony offer on a property. But Byron and Pat wanted to know, more broadly, what is phishing?

MATT: Phishing is trying to trick someone, usually through email, into giving up their username and password, clicking on a link, altering a money transfer, doing something along those lines.

PAT: We get attacked constantly in financial services with account verification. "Hey, we're from the bank. We're trying to wire money. Give us this number."

BYRON: We're from the Norwegian Bank.

PAT: Or the Nigerian lottery winner that everybody's gotten. 

MATT: Yep, we all know that one now. So, we conduct simulated phishing attacks to tell customers how vulnerable their people are to phishing attacks. All it takes is one. 

BYRON: So, you're saying training probably isn't the answer to solve a problem like this? 

MATT: It actually is. Routine, regular training.

BYRON: But if all it takes is one, routine regular training could slip through. What's the other safeguard?

MATT: There are different types of software you can use to protect email so they can take the links out of your email messages, for example, and kind of pass you through a filter. Office 365 actually has that capability. A lot of people don't know that. It's a little bit extra, but that's pretty popular.


What Does the Ideal Backup Look Like?

The Derby Police Department story has a happy ending because they had a backup system where they could retrieve their data. That led Pat to ask what the ideal data backup system for a business or organization would be. Would it be cloud-based or use hardware?

MATT: So, it's a combination. The ideal backup scenario is you still have an appliance on site. It's just faster to restore from it. You're not pulling gigs of data from the cloud. You have some point in time restore locally on site. That device is securely transmitting backups to a cloud provider. Then from the cloud provider, you could restore data or if your building burned down you could spin up your whole environment in the cloud actually, too. We like something on-prem still and in the cloud.

If people are still using tapes, they need to stop. 

BYRON: Tape backups? 

MATT: Believe it or not, tape backup is still a thing. It's not secure to have a tape in your hot car. Good luck recovering data from it. Just saying. 

PAT: Like actual eight-track–

BYRON: Where would you get that? Amazon?

MATT: You could still get them everywhere, yeah.


What Kind of Phishing Attack Does Kelser Get?

Toward the end of the show (as we waited for our pizza—which never came!), I offered an example of an email fraud attack we see at Kelser from time to time. Hackers don’t just come after login information—sometimes they try to trick you into shipping valuable equipment to places where they can steal it!

MATT: We've actually seen this where we'll get a bid, and it kind of checks out. They're like, “Just ship the equipment to this address, and here's the PO number,” and all that. You've got to do some investigative work on that because that place might not exist and now you're shipping product.


Your business is undoubtedly getting cyber attacks that are tailored to your industry and possibly to you personally. Kelser helps you and your team learn to recognize red flags and use the best technology available to keep your business humming.


About Matt Kozloski

Matt is the VP, Professional Services at Kelser as well as former leader of the CT VMUG. VCDX #194, CISSP #526947.
