Ransomware is a massive problem. EVERY DAY, businesses in Australia are getting caught and their data is being held hostage for ransom money.
Global security expert Roger Grimes from KnowBe4 in the USA and Australian IT expert Jason Willison shared their tips and recommendations in this Concise Webinar.
The webinar covers:
You can view the webinar recording and the full transcript below.
Richard: Hello and welcome everybody to this Concise Webinar. This one on ransomware and we’ve got some experts to help us work through this topic today. Good morning, my name is Richard Keeves and I’d like to introduce our special guest for today Roger Grimes who is from the US, happens to be in Melbourne. Good day Roger.
Roger: Hello, glad to be here.
Richard: Thank you very much for joining us and Jason Willison who is from Perth and Jason say hello.
Jason: Hi team. How are you going? Good to be here.
Richard: Thanks Jason and Gareth.
Gareth: That’s me. Sorry, you got me in a mouthful of coffee but hello this is Gareth.
Richard: Okay, good stuff so we’re all here and all raring to go. We’ve got a good crowd of people attending today so thank you so much for coming along. For those people who haven’t been to one of our Concise Webinars before. These are concise. They are intended to be a 100% educational without long sales pitches. We do try and recommend things that are of value for you and that’s what today is about. This is a really important topic and it’s one that is affecting so many businesses both here in Australia and overseas. Before we begin, a couple of quick housekeeping things. This webinar is being recorded. You can ask questions as we go along and there will be Q&A at the end. To give you a quick highlight or overview of the agenda for today. We’re looking at what is ransomware, how it gets in, how you can avoid getting caught, the three regimes that are really important to have, what to do if you are caught and something that I came across in the research for this for this webinar the ransomware hostage rescue manual. The ransomware hostage rescue manual is from an organization called KnowBe4 and we’ve actually got one of the senior guys from KnowBe4 here at the webinar at the moment. Now you may or may not have heard of KnowBe4. They’re a massive organization in the United States. They have been around the place for a long time. I’ll tell you a little bit about those and Roger can add to that as well but Roger himself is with us. Roger is an expert in computer security. He’s written 11 books, over a thousand magazine articles. Some of the books that he’s written are on screen at the moment. Roger, thanks again for joining us.
One of the things that I was fascinated about KnowBe4 is that Gartner, the organization that really assesses who’s doing what in the IT world and in different parts of the world. Gartner has got KnowBe4 as the leader in the area in what they call a magic quadrant for security awareness computer-based training. This is the global leader so KnowBe4 really is a special organization. In fact I read that it’s a newly minted unicorn. It’s got a value of over 1 billion dollars so welcome Roger. Thank you. KnowBe4 only started as you can see there in 2010 and it’s rolling along doing great things globally. This is not a sales pitch for KnowBe4 by the way but if they are the world market leader in the space that they’re in which is security education and we’re so thrilled to have them here today. The other person I’d like to introduce is Jason Willison. Jason is the MD of One Technology. One Technology manage service providers in the IT space and Jason’s here to share some of his thoughts about businesses and how to stay out of trouble by having good systems that can help you avoid ransomware and also what to do to if you get caught so I’m going to hand the talking stick over to Roger now. Roger, take it away.
Roger: Thank you so much, I appreciate it. Ransomware, just real quick that’s malware that gets into your system a couple different ways and then encrypt your files. It’s changed over the last year or two and that it used to be it would get on your system, immediately execute, lock up your files, ask for a ransom and some type of cryptocurrency but these days it’s more devious. The bad guys will break into your computer system, the ransomware dials home, lets them know that they’re in and they will actually hang out on your system in your network for sometimes many, many weeks trying to find out what’s the best way to do damage. They will even change your encryption keys on your backup if they can get to it. They’ll try to mess up your backup system so that when you try to go hey, I’m not going to pay the ransom you go to use your, what you think is a tested restore system it doesn’t work. They encrypt the systems that can cause the most amount of pain so they’re very devious. They not just blow up and go anymore. They’re now on track to do $11.5 billion in damage in 2019. That’s a pretty incredible number. Just massive, massive number but one of the key things I to communicate today is that ransomware, you don’t solve ransomware by just attacking ransomware. You have to stop how ransomware gets in and this is one of the most important things of this talk is that there’s only 10 ways that any malware or any hacker gets into any system. Here they are right here I spent 30 years developing this list and the most popular ways are unpatched software and social engineering. If you don’t stop the root causes of the exploit somehow there’s misconfigurations, sometimes it’s human error or a password attack but if you don’t look at the root cause of how the ransomware got in you are never going to stop ransomware from getting in. It’s very important that you look at the reason of how ransomware got in and try to close those root cause exploit items.
For most companies the two biggest ways that ransomware gets then is social engineering and unpatched software. Social engineering accounts for about 70 to 90% of all malicious data breaches and it’s probably a little bit higher for ransomware alone. Unpatched software accounts for somewhere between 20 to 40% and then sometimes password issues can be in there for about another five to seven percent for ransomware but everything else is really small less than 1% of the problem so the key of what this means is that you really to focus on preventing the social engineering ways that you know malware gets in. You need to patch your software and you need to make sure that you have good password hygiene that’s to prevent ransomware from getting. A lot of what we’re going to talk to talk about today is what to do once it got in but if you’re trying to prevent it, if you’re trying to prevent breach these are the two or three things you should really concentrate on. Most companies don’t concentrate on them as well and then to prevent them trying to prevent social engineering and unpatched software and those sort of things it’s always a combination of technical controls like firewalls and antivirus and things like that and also training. You need to do a little bit of both.
Richard: Thanks Roger. Now on to the three regimes and as you can see there you need to have what the guys have said. A good protection and detection regime, a good backup regime and a good education regime. To talk us through that going to hand over to Jason.
Jason: It’s really important I guess is the three things that we’re going to talk about but basically the first one is a good protection and data and detection regime. As Roger did point out it’s really important to continue to update your system, the windows patches but some patches that actually don’t get applied, office application packages or application packages so it’s really important that not only do you update your Windows machines or Macintosh machines with their system updates for your applications as well because some applications have known vulnerabilities. The other thing that you need to have deployed in your organization is a web filtering product. What this does, it actually looks at a database of known websites that are actually malicious and blocks those websites from accessibility. It’s important to have this system in place we deploy this to all of our all of our customers and their organizations so to block any known malicious websites. Now a lot of social engineering attacks and also attacks that come in, come in via email so it’s very important as well that you have an anti-spam solution in place. What that will do is that will block emails from coming into your system that are known to be malicious or a bit shady so it’s really important that you actually have that anti-spam solution in place as well. Of course the last one of the last lines of defense is to insure they have up-to-date antivirus software across all of your machines. It’s extremely important. You need to make sure that your actual antivirus is paid and up-to-date and you need to make sure those updates are actually done on a daily basis at least.
Now the other really important thing is a good backup regime. Now what is a backup? Basically a backup is an additional copy of your data that can be used to restore and recover if you need to. You can actually simply copy the data or mirror the data using actually a backup system and it’s really important to have one in place. If we have a look of the causes of data loss. As you can see here human error is 32%, computer virus is 7% and hardware malfunction is 44% so it’s really important that we actually have a good backup regime in place that actually stores your data off-site. It’s extremely important. Your backup regime must be there to avoid permanent data loss. You need to insure the integrity of your stored data or you stored backups and you must be able to get back to a previous version if there is an issue that you found. One thing you needs to look at when you’re looking at the back up regime is to assess where your data is located. In most organizations everyone says look, all my data is stored on the server. That may not be the case. There may be actually some data on client machines or client desktop computers or laptops that aren’t being backed up and these are especially susceptible to actually data loss if you do get attacked by some ransomware. You need to also understand how frequent your data changes and what risks are involved with backup gaps. What we mean by that is how often is your data being changed and if it’s being changed constantly how often should you be backing up? Should you be backing up every hour, backing up every day, once a week?
One of the things we’re going to talk about as well is 3-2-1 backup steps. This is really important. Basically 3-2-1 backup steps you need to insure that you have your data in a primary location and two backups. You know those two backups are actually stored on site and also off-site as well. We’ve got to be sure that data is outside of your network in the event of a ransomware attack. As Roger did mention they are getting quite sneaky these days and they’re getting quite good at looking into your system and understanding what backup systems you do use. You need to make sure that your backup system is stored off-site. It’s extremely important. One of the things you need to do is monitor that backup process on the daily basis. That’s really important and the next thing you need to do is test a restore process. It’s all well and good looking at the backups and seeing that have been successful but you need to regularly test a restore to insure that they are actually in fact working correctly.
Richard: So now going to hand over to Roger.
Roger: Well thanks so much. I’ll certainly backup what Jason said which is you need to have a good backup regime. I think a lot of what ransomware has done has kind of revealed that most companies, a lot of companies don’t have the rock solid backup regime that they thought they had. Every time someone’s got to pay the ransom it’s kind of showing that what they thought they had they really didn’t have so you definitely want to make sure that you’re doing backup 3-2-1 and storing a copy off-site. That’s fantastic advice but we also again think that anytime you’re going to try to defeat ransomware or any malware or hacker is a combination of technical controls and also training and we’re the number one security awareness training vendor in the world. We now figured out what works. What I’m going to tell you it works whether you’re using our product or anybody’s product. These are the steps you should take to educate people so they don’t get socially engineered or tricked into running a ransomware. This is the steps. We don’t have to guess anymore. This is what works. You first start doing a baseline testing so you do a simulated fake phishing test against your users and you do a fake phishing that you think that nobody should click on like it’s got typos in it. It has nothing to do with your company. It really is this baseline test where you are thinking to yourself nobody would click on this. What you’re going to find out is somewhere between 27 to 33% of your company will click on that phishing test. We call this the phish prone rate so you get your baseline testing.
then after that you send simulated phishing tests at least once a month and you do training, small bits of training one and two and three minutes once a month. For a long time we didn’t know how frequently you had to do it but we knew that once a year or once a quarter was not enough. We would tell people it needs to be more than once a quarter. Now we’ve collected data for seven years across now 22,000 customers and what we found works the best is if you at least do the simulated phishing testing and you use it and you make it kind of part of the educational process where you’re teaching people to look out for the types of common phishing spamming type email that they’re going to get. You send it at least once a month. You can do it more than that but really the best awesome bang for the buck is about at least at least once a month. You can do it once a week and you’ll get better results but once a month really is a sweet spot. You phish and test your end users. You kind of made like a game to where they’re reporting the simulated phishing test a lot of times they’re going hey, they’re thinking I caught your simulated phishing test and it really wasn’t a test but what we know is that if you then follow these this type of technique where again that you’re phishing them, simulated phish testing them and training them once a month that you will be able to get that average of that 30% initial baseline phish percentage down to 2%. I mean that’s the average company. That’s most companies.
Even in this particular graph here we’ve done it across 18,000 organizations who now I think done it across 25,000 organizations. There were 20 million phishing tests and what I just told you no matter whose product do you use that is the key to success that you kind of treat, when you’re trying to fight phishing like you’re a marketer. Think about who’s the best people that know how to sell other people? It’s professional marketers and what they do is they market to you redundantly. They do it frequent and redundant usually making it entertaining but they do it so frequently. Think about all the times you’re looking at those commercials and you’re just sick because you like I’ve seen this commercial a hundred times. Well, they’re not doing it because it doesn’t work. They’re doing it because they know that if they frequently advertise and they do it redundantly the same commercial that eventually you’re most likely to buy. It sounds crazy but they wouldn’t do it if it didn’t work. You need to do the same thing with your anti-phishing training is that you need it to be frequent. By frequent mean at least once a month and again it doesn’t have to be long, a minute or two or three or something like that. Redundant that you’re covering and making sure people, you’re trying to generate this healthy level of skepticism where people don’t just click on everything. You make it entertaining if you can so that they don’t absolutely hate the training. You want to give them a longer, broader training when they’re first hired maybe like 15 to 30 minutes. You do this every year annually. They have to retake a longer training maybe up to 30 minutes and then ongoing along with your monthly simulated phishing test you do smaller educational opportunities. Maybe a minute to three minutes or maybe five minutes at most. Maybe if they fail one of the simulated phishing tests maybe they have to take a five minute but then again every year they’re taking the longer program, longer type of testing.
You want to make it relevant for the role. You need to do training to prevent people from doing wiring money to only the people in your company that have the ability to wire money or you want to do the fake gift card scam testing where someone can be tricked into buying gift cards for like somebody only if they have the ability to buy gift cards for the CEO or around tax time you want to start testing them you know with fake type of tax testing phishing emails where people are asking for their tax information. You want the change it and update it based upon different times and seasons of the year. You want to mix in general topics. It might be the most popular phishing email that people fell in the United States is a free Dunkin Donuts. I don’t know if you have Dunkin Donuts here. It’s free Dunkin Donuts. Apparently everybody loves Dunkin Donuts because it’s the most popularly clicked on phish. I used to train people and tell people there is no free Dunkin Donuts coupon. It’s fake but about a year ago Dunkin Donuts started sending out coupons for free Dunkin Donuts and what we found is they did it because people were bringing these fake coupons from the phishers and the Dunkin Donuts stores were actually accepting them. They decide to turn it into a marketing campaign but it makes education trying to avoid them a little bit harder.
I like to overall tell people that we’ve got this great little poster PDF, if you’re interested in this that talks about the 20 things. This is a great educational training thing. If you email me at [email protected] I’ll send you this for free this PDF that you can print up or hang or send to anybody but it’s really kind of like here are the things you look at to make sure that you can try to tell whether or not this is a fake phishing email or not. Again if you like this idea send me an email at [email protected]. I’ll be glad to send you a copy of it and also we have a bunch of really cool security tools. If you go to KnowBe4.com/resources we have a ton of security tools like things that will find out if your password is out on the internet or if somebody can hack your email server or if somebody is spoofing your domain. If you’re worried about ransomware we have this ransomware simulator that simulates like 10 or 15 different types of ransomware and it will see if these ransomware can go off and bypass your existing antivirus. It simulates the ransomware without actually being ransomware and this gives you the warning but you can see how well your current antivirus defenses detect and prevent it. You can check this other tools for checking for weak passwords. There’s a lot of white papers out there. I wrote one called the 12 Ways to Hack Two Factor Authentication. A lot of people think if they use two factor authentication they can’t be hacked. You can and it’s a 40 page eBook now that you can take a look but we also have that Ransomware Hostage Rescue Manual if you’re really worried about ransomware. We got an e-book for that too. Now I’m going to turn it back over.
Richard: you can keep going. What to do if you’re caught?
Roger: If you get caught these are the tips and I would again recommend people go get the full Ransomware Hostage Manual. It’s a nice little eBook to take a look there but you want to disconnect from your networks and the reason why you want to do this a lot of times the hackers are monitoring you and monitoring what you do. By disconnecting from your network you can prevent them from seeing if you’re trying to recover or do things. You need to find out how many computers are infected. You want to disconnect from the network and really all systems because you’re trying to prevent the ransomware from going off and hitting more systems. A lot of times they’ll go from one system to sometimes tens of thousands of systems in a couple hours so by disconnecting computers from the network you’re trying to minimize that damage. You definitely want to find out who did get hit, who didn’t get hit and maybe that will help you give you a clue as to how it got in. You’ll determine the strain of malware that you’ve got, the type of ransomware because sometimes there’s decrypter keys out on the internet, sometimes not. Sometimes just from hey, do we pay the ransom? There’s some ransomware strains that even if you pay the ransom they’re not, even if they give you the decryption keys it really doesn’t help you restore your data. By knowing what strain you’re being hit with and sometimes what version if you get that information a lot of people can provide you information to give you further stuff. Don’t believe any version number you see on the screen. Sometimes they put different version numbers there to try to trick you because they’ll make you think that oh, there’s a decryption key out there when there really isn’t a decryption key. That sort of stuff and then you definitely just try to restore stuff. You want to try restoring from your most recent, safe, trusted backup. That is always number one.
Even if you get a decryption key from a ransomware vendor a lot of times they do give you a decryption key that works but it just doesn’t still work because it turns out that ransomware encrypting your stuff doesn’t do it. They don’t test for bugs. You can try getting decryption keys from third-party decryption vendors. A lot of times people say well I’m not paying the ransom and they don’t have a good backup and they just have to start restoring everything from scratch. A lot of people, more and more people are actually paying the ransom these days. It used to be around 40% of victims paid the ransom. These days I think it’s around 80%. As a matter of fact in my personal experience in the last eight months I only know one victim that didn’t pay the ransom and the reason why they’re paying the ransom, let me say once they pay the ransom and get the decryption key they’re still having to do recovery but the reason why all of them are paying it is that they don’t have the trusted backup that they thought they had. Everybody’s like oh yes, I got a trust to backup. I tried to restore. What they mean is they restored one file or they restored one server. That’s not really a complete test of your backup and restoration system. They don’t have the trusted backup offline. All their backups are online and they attack the research that found that and destroy those backups are encrypted them with another encryption key and so not viable. It’s very important that you have a very good backup regime and that at least one copy is offline and that you have done a major test restoration of a whole mission-critical system not just one file or one server but all the components to make sure you can do reviews from that. Then then most companies don’t do that and because of that most companies are now paying the ransom and they still have recovery even after they pay the ransom.
Richard: You can do these Rog.
Roger: Thank you very much. Key takeaways is that you want to focus on mitigating social engineering and patching your critical software. Preventing social engineering and patching your favorite software programs are patching the most likely to be exploited software programs they account for 90 to 99% of risk against ransomware and other malware in most environments. Certainly you don’t have a good antivirus software program but don’t rely upon it and most of the people being hit by ransomware have good antivirus but it’s just that the ransomware guys are updating, encrypting and ostracating their ransomware every day, many times a day and again you want to make sure you have that good backup. Good working, reliable, tested backup. I think 80% of companies again are paying the ransom of these days because they do not have those things and they have not tested it. They have not made it offline. Certainly implementing an effective security awareness training program where you’re simulating these, a big phishing attack. That is a healthy part of any or it used to be a couple years ago companies weren’t sure if they should do these fake phishing attacks. I’m here today to tell you almost no one’s questioning the value of that any more. Everybody’s doing it and it’s a valuable part of your testing regime, your education regime. Your employees start to see it almost like a game of oh, I know I’m going to be tested. I’m going to be able to spot the fake phish and in doing that you’re helping them spot the real phishes.
Richard: Good stuff. Thanks very much Roger and Jason. That’s great, good stuff. We’re now into the live Q&A so if anyone’s got any questions then please put them into the chat. I’ve got a few questions that I’d like to ask and to start with. One of them Roger, you mentioned that, actually let me background this. One of the things that stimulated me about this ransomware was a couple of months ago I was at a big resort in Queensland. I was there and the person behind the desk which started slinging off to me because I mentioned that I was in IT and web and stuff. She said you’re not my favorite guys at the moment. I said, why is that? She said, we’re in the middle of a ransomware negotiation. I said, oh shit. Tell me more. They had a ransomware attack. It started off at $3,000 and then when the resort realized they didn’t have backups. The price went up to $12,000 and they said, what we want to do is negotiate it back down to $3000 if we can and pay. This is US Dollars. It went from $3000 to $12,000. My question is though Roger is how do you protect the backups if the bad guys have been in the in the network for long enough to destroy or to change the backups because in the case of this resort what they thought they had backups going off to a remote disc but what had happened was the backups are being done but to the C Drive. Maybe the bad guys changed the backups, maybe they hadn’t but how do you actually protect those backups if they’ve been in there for a while. How do you know?
Roger: If you can get to it remotely, locally in the computer remotely then so can the attacker. Definitely what’s changed is that the attackers are spending more time making sure they’re trying to disable your backups but if you can get a known good backup to an offline state. An offline state means that you cannot immediately touch it remotely. You have to call somebody that puts the tape online or the data recovery system that’s when you know you have a trusted backup. Some people think they have a trusted offline backup and most backups are encrypted. The bad guys will even change the encryption keys so you’re doing your regular backup and you’re seeing everything go fine but unbeknownst to you the attackers had change the encryption keys and then right before they announce their attack where they lock up everything they change the keys back to the ones you know and you just don’t know why you can’t restore. It is key that a recent backup that you just make part of your regime the 3-2-1 that part of it is being offline.
Another thing I want to say it’s almost become like a package industry for negotiating with the ransomware people. These days especially if you have an insurance company involved the insurance company is outsourcing to another vendor that deals with 1500 or a thousand ransomware events a year and they’re actually interfacing with ransomware brokers. It is almost like a cottage industry in that these days. It is very common that you do not pay full price and that there is a tug of war and eventually these third parties that are involved they kind of know the ransomware people well enough that this is literally they trust each other and they negotiate the payment. It’s quite startling how bad things have gotten and that we now have these trusted third parties working with the criminals and they’re negotiating rates on our behalf to get the decryption keys to unlock the systems. It’s pretty wild to think of how bad it’s gotten these days. It’s almost it’s like this really weird movement of capital that I would have never predicted.
Richard: Jason, do you want to add anything more about that on the backups.
Jason: The data that you can’t access without physically actually touching that data as Roger said is really key. If the is accessible across the network you’re going to run into problems so it’s really important to have that off-site storage facility.
Richard: okay great, thank you. Gareth, maybe you’ve got a question you’d like to ask the guys. Gareth is probably there. He is turning his mic on. Roger, can you talk a little bit more about social engineering and what you actually mean by the term social engineering. I don’t quite understand all of that.
Roger: Social engineering is a con. It’s somebody acting like somebody you trust or should trust but they’re falsifying their identity to get you to do either reveal information like your login information or to execute a Trojan horse program but it’s actually expanding it. It used to be when we say social engineering we meant email. It’s now through social media. It’s through cell phones and SMS, short messaging service you know messages. It’s increasingly coming across phones. We’re hearing a very strong increase in social engineering over phones where an attacker will call a person and go hey, I’m from your bank. Did you buy tickets between Melbourne and Kenya? Oh you didn’t. We didn’t think you did and just to let you know we’ve blocked that transaction but we need to verify your account information along with your login name and pin to verify your account information to unlock it or something like that. Then you give them the information. They go right to your account. They log in. They take control of it and then they start stealing money. That is literally one of the fastest-growing types of social engineering today.
Richard: This is obviously not a sales pitch but can you talk a little bit about KnowBe4 and the pricing because it seems like that’s a service that would be useful to not just big companies but to small businesses as well. How does the pricing for KnowBe4 actually work?
Roger: It’s a subscription basis and I actually do not know who the pricing which for me I always call that good. I hear that we’re very competitive in the industry. Part of the reason why we’ve grown to become number one is that we have really good pricing on it but we do have different, it’s kind of like software as a service so it’s all in the clouds. There’s different subscription levels we have over a thousand types of content and we have games and posters and all sorts of stuff. I know it’s a per-person pricing unit with all kinds of discounts and that sort of stuff but this model different levels Platinum and Gold and that sort of stuff. I apologize for not knowing the pricing but I can only tell you that I know that from seven more customers than anybody else we’re apparently very competitive.
Richard: Another thing that occurred to me when I was looking at the Hostage Rescue Manual which I highly recommend by the way and I commend you guys on putting it together. It’s got a lot of details so everybody who’s listening to this go grab the Hostage Rescue Manual but do you think it would be a good idea to print that out as a hard copy rather than sort of saving it as a PDF and thinking it’s in your computer because when you need it your computer might not be accessible.
Roger: That’s a great point.
Richard: Gareth, have you got a question? We’ve got another question. How often should a user change their passwords or are we past that sort of security?
Jason: This one’s quite interesting. You should regularly change your passwords for most systems. I recommend probably every three months at the minimum. The issue that we’ve got though is a lot of people use the same password for a lot of systems and that’s a big no-no because once one system gets compromised another system is going to get compromised as well. It’s really important that you actually use passphrases, different passphrases or different passwords that do not tie to any name or number combination that you would use. Something that’s completely random and have different passwords with different systems. That’s probably more important than actually having your password expire every three months. Roger, what are your thoughts?
Roger: In America, our government did a 20 year study and it culminated in what’s called the National Institutes of Standards and Technology, NIST Digital Identity Guide. It’s known as the NIST Special Publication 800-53 Digital Identity Guidelines and what they found out is that if you have a long complex password that is routinely changed like every 90 days you’re actually more likely to be hacked because of that password than if your password was short and non complexed and never changed unless you thought you were hacked. I got to tell you, released that information on recommendation three years ago and it has taken the world by storm but what I try to tell people is that the reality is that how long or short or frequently changed your password is actually has less than a 1% impact on whether you’ll be hacked. It’s shocking to people but if you remember the majority of the way you’re going to get hacked is because of social engineering and unpatched software and they don’t care how big or long or complex or frequently changed your password is but what you said Jason which was just fantastic but really what is the biggest risk is when you reuse that password regardless of what that password is across multiple sites.
NIST said that when people had to use longer, more complex passwords they are far more likely to reuse that same password because it was so long and hard to remember across multiple sites and that’s exactly why they started to recommend people use shorter non-complex passwords because they were less likely to use it across multiple sites. That’s really the biggest risk and of course sadly or strangely NIST recommended this three years ago and it has not changed a single compliance guideline so even whether you agree or disagree with the NIST recommendation you are still required to do long, complex, frequently changing passwords every 90 days because that’s what every compliance guideline says you have to do even though 20 years of data has shown it actually increases the company’s risk. That’s a very contentious area in the computer world right now. What I try to tell people again is the reality is whether it’s long, short, complex or not change it’s a 1% issue. It’s good to focus on it but make sure you take care of the social engineering and unpatched software and the backup work that you focus more time on that than worrying about password.
Richard: We’ve got one last question and then we’re going to wrap up. Roger and Jason what are your thoughts on password managers like One Password and Last Pass and those sorts of systems?
Jason: To be honest, I really like them because they actually help you generate complex passwords and it enables you to not actually remember them as well. They can actually manage passing your credentials to the website or to the system. I quite like them. I quite like the idea behind it and especially if you are using those passwords that are a bit more complex and a bit harder to remember at least you can actually store in the system system for easy recovery.
Richard: What are your thoughts Rog?
Roger: The same thing I think they’re a good idea and the reason remember that the bigger risk is that you’re going to reuse the same passwords among multiple websites. When you have a password manager they generate the passwords for you and you’re much less likely to share the same password across websites so it’s a really huge benefit. I’ve been using a password manager for a couple years. I don’t even know my password so I can’t be phished out of something I don’t even know and there are different passwords on all my 150 websites. It’s pretty much a win-win with the one risk that if a hacker breaks in your machine and can get into your password manager they get all your passwords at once but heck they’re already in your machine they can just do a key login Trojan. I am very pro password manager.
Richard: Thank you very much and thank you very much Roger and Jason for contributing your time and your wisdom for the session today. We’ve got more concise webinars coming up next year 2020. These are going to be in the booking pages over the next few weeks and there’s lots of interesting topics that we’ve got coming up so stay tuned and we’ll stay in touch. Thank you everybody. Thanks for attending today. Thank You Roger and Jason and Gareth. If you want any more help on any of this then please get in touch. Get in touch with the KnowBe4 guys, have a look at their website, download the Hostage Rescue Manual. One Technology, thank you very much Jason. We are very happy, by the way to recommend your system and someone very close to me, specifically my wife reckons you’re a heck of a good guy for coming out their computer network that someone destroyed on the grand final day. You got out of your chair to come and repair the network. Thank you mate and we recommend your service, very happy to. Roger, thank you again for sharing your time and your thoughts with us.
Roger: Thank you. Thank you all. Thanks for everybody for showing up.
Richard: Good stuff guys. Thanks again and have a great day. Have a great Christmas. See you. Bye.
END OF TRANSCRIPT
