Intro: This is Behind the Repairer, episode two of the podcast from Fix Auto UK.
James Luckhurst - Fix Auto: Welcome along, James here, with an episode that starts with a health warning. Prepare to be shocked by what you're about to hear, especially if your information security systems aren't quite as tight as they could be. In a moment, we'll be joined by Jason Hart from Fresh Security, who's offered to demonstrate just how easy it can be for the bad guys to find their way into your sensitive business information. Although cyber attacks are happening all the time across every business sector, the good news is that it's something you can guard against with a few simple but effective precautions. First off though, data security and a journey through to the wrong side of the firewall in the company of Jason Hart. Jason is a visionary in the world of cybersecurity, a member of the highly influential Forbes Tech Council, and CEO of Fresh Security. I caught up with Jason recently, and he first told me what he was hoping to achieve.
Jason Hart - Fresh Security: Yeah, really my objective of today's podcast with yourself is really twofold. One, to try and provide awareness to the listeners, give them some hints and tips, and also during the podcast, James, is to show you how easy and how simple it is for attackers or disgrunted individuals to gain access to sensitive information, which they can use to conduct attacks against the listeners.
James Luckhurst - Fix Auto: Let's just find out a bit, who are these guys who are trying to get in?
Jason Hart - Fresh Security: The misconception is most organizations, individuals think, and small businesses and large businesses believe that they're not susceptible or why would someone attack them or try hack into their organization. There are multiple reasons why individuals, and we can discuss those individuals in a second, would want to access a business. So let's start why, why do they do it? First of all is they do it for self-gratification. They do it because they can. They would happen to come across some usernames and passwords that have been compromised in a previous attack and then use them against the business or the organization, gain access into the business. Another reason would be they could be scanning the internet and come across a business and they see there is a security vulnerability or a problem, and they would just exploit it, because they can, because it's easy. The other reason, motivation, would be because their disgrunted. The disgrunted element could be a disgrunted employee, so that's the internal attack. It could be a disgrunted customer, who maybe they had some work done on a job on their car, and they weren't happy with the outcome, or they weren't happy with the outcome of the insurer, et cetera. So they may have an element of a hobby from a cybersecurity or a hacking point of view and start conducting intelligence and trying to attack that organization. And then you have, people talk about the state sponsored element, where, you know, country on country. Yes it does happen, but the higher probability is disgrunted individual or an individual for self-gratification reasons.
James Luckhurst - Fix Auto: And before we turn to the screen, then, let's just find out a bit more about you, an ethical hacker.
Jason Hart - Fresh Security: Yeah, so started off at a very young age, founded one of the world's first ethical hacking companies. I was an ethical hacker myself. Ethical hacker means someone who has permission to gain access to organizations with their permission. People may hear of black hats, black hats are the bad guys, white hats are the good guys, so I was a white hat. So during my career, ever since the past 20 plus years, I founded and invented security technology to prevent hackers from gaining access. And, up until recently, I was the global CTO and Head of Strategy for one of the largest cybersecurity companies in the world. However, I felt it was time for me to go back and do a startup with the key objective of solving problems for all organizations and all businesses. The problem with the cybersecurity industry today is it seems to becoming more complicated and even more expensive. So my key objective of my new startup, Fresh Security, is to make security accessible to everyone, and take the very technical element and make it extremely easy for anyone to understand, and allow people to consume a service that is affordable and accessible to everyone. So that's my key objective.
James Luckhurst - Fix Auto: Understanding that, then, let's now head online. Talk us through what you're gonna do, because I think we might have a few little bumps and shocks in the next few minutes.
Jason Hart - Fresh Security: Yeah, so what we're gonna do here, James, is we're actually gonna use the Fresh Security service, and the key objective in the initial first phase of our service is for the service to identify key individuals in any organization or any business that are highly susceptible to a cyber attack. So the type of cyber attack could be a phishing attack. It could be password reuse. So what we're gonna do, we're gonna type in the domain of anyone with Fix Auto. What it will do, it'll go out, gather the intelligence, present that information back to us and show us those individuals who are highly susceptible, but not only that, it will also show us individuals of where their username and passwords have been compromised. So that's what we're gonna do right now realtime.
James Luckhurst - Fix Auto: Go for it, then.
Jason Hart - Fresh Security: So we're gonna log right in now. We've typed in the initial parameters, which takes literally seconds to do, and right away, what we've identified is 197 lost accounts. This just shows you the extent of the invisible threat to an organization. This can be used against any organization, but we can see the latest breach where credentials for an individual with Fix Auto was compromised, but obviously they would have been informed since then, the 16th of October, 2019. If we start clicking around on the portal here, we can actually identify who the riskiest users are across Fix Auto, and obviously because Fix Auto are using the service, they're making the appropriate changes on the back end. The service itself will do a weekly report, identifying any new changes, any new individuals that have been compromised across the organization.
James Luckhurst - Fix Auto: And would you say this is typical of any organization, seeing something like this?
Jason Hart - Fresh Security: Yeah, so the beauty of what we're doing, and again, with the Fresh Security service, was this type of technology is not accessible to most organizations, maybe the top five or top 10% of organizations in the world. So we've created a service to make it accessible to anyone. To answer your question, is this common, 100% common. The problem is if a bad guy's compromised a username and password, most people don't even know that the bad guy's actually have that. So how did they get the username and password? They could have conducted it by a phishing attack. They could've, the employee within the organization, could have registered to an online service using a username that they would use in their business, and also using the same password they use in a business life or personal life. Because of the service they've registered to online has been compromised, unbeknown to them, that detail is trailing on the dark web. So what we're doing, we're bringing all that to the surface and presenting it in a way that any organization has visibility of it and then can take corrective action.
James Luckhurst - Fix Auto: What we're looking at there are email addresses. There are lots of systems at work in your everyday modern repair shop, such as a Fix Auto center. What other things, I'm just thinking like Bluetooth or devices that are connected that aren't just straightforward on the email system. How at risk could they be?
Jason Hart - Fresh Security: If we just look at what we use an email address for, the email address is used as a username. We need a username today to log in to everything. So if you look in, you know, in a body shop, they're logging in and out of different applications, different systems. Those applications and systems require a username and password. That username and password is the email address, plus the password that's been compromised. So for example, the password that the individual's using for their username, the likelihood is they're using the same password in other systems as well. So the point is, by the bad guy having the email address and the password, they can essentially gain access to systems which they shouldn't be allowed to.
James Luckhurst - Fix Auto: That was Jason Hart, and we'll rejoin Jason a little later in the program.
James Luckhurst - Fix Auto: And we'll be exploring issues relating to apprenticeships in the next edition. Time to rejoin Jason Hart, as we continue to examine the world of cybersecurity, to consider how best to understand the threats a business may face, and to be proactive in preventing any sort of attack.
Jason Hart - Fresh Security: When we look at cybersecurity, people just think about vulnerability or an attack. But the best way for any business or organization to look at risk or cyber risk is to break it down into the following elements: Confidentiality, so in the event something was to happen, what is the impact of the confidentiality? For example, if an attacker was to get access to a diagnostic system, is there an issue around confidentiality or client data or a list of different customers that could have an implication around the confidentiality of the data? The next one is what we call an integrity. Now integrity is one of those risks which are kind of creeping up on us. And in the first instance of a breach, you may not even know an integrity attack has happened. But just imagine this. If a hacker for disgrunted reasons gained access to a diagnostic machine or a machine for tuning or making adjustments to a car, what if he was to alter the configuration settings or the thresholds within the diagnostic system, unbeknown to you? So now customers would come in, you're using the diagnostics tool or any additional tools to make configuration settings to the car. And now just imagine that the tolerances around brake adjustment in the main control unit in the car was adjusted, just imagine the implications, what that could have downstream. So that would be an integrity attack. The third element is what we call an availability attack. So again, the attacker could come in, log on to the network, because on the network you're gonna have diagnostic machines and other machinery or technology to use for the cars, what if he decided to disconnect it in a way that you couldn't power the machine back on, corrupt the diagnostic machines? What would the impact be to the business for one day, one week, one month, one year? And then finally, we have what we call accountability and an auditability. So in the event any of those types of attacks, a confidentiality attack, an integrity attack, or an availability attack was to occur, could you prove how that happened? Is there accountability, is there an appropriate audit trail? So when you look at risks or cyber risks and the types of attacks, we break it down into confidentiality, integrity, availability, accountability, and auditability.
James Luckhurst - Fix Auto: What other emerging threats would you identify for the next six months or for the whole of 2020? Where are you focusing your attention specifically?
Jason Hart - Fresh Security: Yeah, if you read the press, there's this continual hype and fad fear uncertainty and doubts about the latest security attacks and advances. But for me, I've traveled the world, worked with some of the largest organizations in the world pre-attack and post-attack. 90% of all attacks that occur are because of basic security controls are not in place. So yes, there are advances, but those advances are very sophisticated attacks. If every organization around the world or in the UK was to focus on implementing the fundamental basic security controls, and do that in a continual way, the world would be a safer place.
James Luckhurst - Fix Auto: Jason, let's think then, what are the top actions that a business can do right now?
Jason Hart - Fresh Security: Let's start with the fundamental basics. First of all, in your organization, you need to create multiple pots, and you can do this on a piece of A4 paper on a whiteboard. Create a list of every person that accesses your business, so that's employees, contractors, third parties, even remote people coming in to the diagnostics machines. So create a bucket of people, just put their names down, or a list of the different types of profiles, contractors, third-party suppliers, et cetera. The second one is create a list or a bucket of all the different types of data in your organization, financial customer data, employee data, financial data, some organizations may have intellectual property. So create that bucket of data. And then finally, I need you to create a bucket of what I call processes. What connects the people to the data? What portals do you log into? Do you have WiFi, do you have desktop computers, do you have laptops, do you have cloud services? Just create a list of all the different systems that people log in and out of and where the data's associated. Now, what I need you to start doing is create a little map. Connect the people to the system, the system to the data. We've just done a risk assessment. So what we've done is identified the various flows of people, data, and processes. Really, really simple. Now what we need to do is start looking and ensuring the basics are in place. Anyone accessing portals or applications or systems on the web, what type of password are they using? Are they using a password that, what I call a static password? Does it change every 30, 60, 90 days? Are they using multi-factor authentication? Is the username accessing their systems actually in the Fresh Security service? In addition to that, identify who are the key individuals who are more susceptible to the phishing attacks. And then, more importantly, where you have static passwords, start replacing them with one-time passwords. By just doing some of those fundamental basics, identifying the people, the data, and the process will start giving you more of an insight to where the potential risks are. And then finally, what vulnerabilities do you have in the organization? Do you know what vulnerabilities you have? Do you know when patches were made, what those vulnerabilities are? If you want a help and a hand on identifying those vulnerabilities, I can help you with some tools to identify those weaknesses, other vulnerabilities in your business.
James Luckhurst - Fix Auto: Jason, I think we're nearly there. We've got to the point where we can see what the problems, what the risks, the compromises might be. But we haven't solved them yet, maybe that's where you come in. Tell us a little bit more about your role with the Fix Auto network.
Jason Hart - Fresh Security: Now, there's a misconception that every risk, every vulnerability needs to be mitigated in an organization, and that's not true. A risk to your business is only a real risk if you understand the likelihood and the probability of it actually happening. And that's really what we have to do, is distinguishes what is real, what isn't real, what's fictional, what is a high probability or a low probability of that attack happening. And that's really one of the key things that my business, Fresh Security, is helping, is actually providing visibility of what a real risk is and the likelihood or the key individuals across the Fix Auto franchises, highlighting the key individuals and franchisees that are more susceptible to risk and that have a high probability of being compromised.
James Luckhurst - Fix Auto: That was Jason Hart from Fresh Security. If you want to start a conversation with Jason, then you can contact him via his website or talk to a member of the Fix Auto UK compliance team. Well, that's it for this episode. Next time we'll be sitting down with Mo Givian from Fix Auto Luton, where we consider a fundamental paradox. Every business and its people, its clients, its culture is unique. Yet there are really only two plot lines, success or failure. So what makes Mo unique? What makes him successful? Is he measuring the right things? Is he thinking big enough? Find out next time. And we'll also explore the whole area of apprenticeships, too. So do join us for episode three, coming to a device near you in May. But for now, from me, James Luckhurst, it's goodbye, and thanks for tuning in. You've been listening to episode two of Behind the Repairer, the podcast from Fix Auto UK.