Guillaume: Hello everyone. Guillaume Le Tual here, host of the Ecommerce Wizards Podcast where I feature leaders in e-commerce and business. Today’s guest is René-Sylvain Bédard, CEO of Indominus Consulting. He’s a cybersecurity expert. Today we’ll be talking about cybersecurity prevention, how to protect your company at a high level. Before we get started, we have our sponsorship message:
This episode is brought to you by MageMontreal. If a business wants a powerful e-commerce online store that will increase their sales, or to move piled-up inventory to free up cash reserves, or to automate business processes to reduce human processing errors, our company MageMontreal can do that. We’ve been helping e-commerce stores for over a decade. Here’s the catch: we’re specialized and only work on the Adobe Magento e-commerce platform, also known as Adobe Commerce. We’re among only a handful of certified companies in Canada, and we do everything Magento-related. If you know someone who needs design, support, training, maintenance, or a new e-commerce website, email our team at [email protected], or go to magemontreal.com.
All right. René-Sylvain, thank you for being here today.
René-Sylvain: It’s a pleasure.
Guillaume: All right, can you give us a very brief overview about you just before we dive into the topic?
René-Sylvain: Yes, of course. Basically, I was an IT consultant for 25 years, 11 of which were at CGI, where I became a director for consulting services with 22 direct reports. I did architecture for some very small and very high-end customers, ranging from small industries like a Laval engineering firm all the way up to Bombardier Aerospace with 30,000 seats, and the Bank of Canada with very security-demanding environments. So I have been around.
Guillaume: Alright, so let’s dive in right away then, how do I protect my company at a higher level? Obviously, here we work with e-commerce merchants and some manufacturers, import/export companies, also called distributors or retailers. This may not be exactly their core focus but they know it’s important or they may want to establish how important that is. How do they protect their companies?
René-Sylvain: All companies today require a computer to function. If you don’t have a computer, you can’t bill your customer, you can’t know your inventory, you can’t know what’s actually happening within your company, you can’t build staff, you’re not able to function. When you look at the ransomware attack patterns, their goal is to paralyze your company. Once they’ve paralyzed you, all they do is basically send you a bill and tell you, look, it’s going to cost you 500,000, a million, or $2 million if you want your data back. In order to avoid that, it’s not the day of the attack, or the day the payload is actually rendered, that you need to act; you need to act ahead of time. 80% of those attacks come through email. So basically, educating your staff, making sure that they don’t click on everything, and making sure that they can actually recognize a phishing attack or a spam and be able to mark it as such. Those are the basic steps, and that will already get rid of 80% of the attacks.
Then you need a good software protection solution in place, like an EDR, endpoint detection and response. That’s basically the evolution of the antivirus; that will catch attacks that are what we call zero-day. It’s an attack that when you click on it, it’s a live attack, and it’s a brand new attack every time. That will allow you to stop any attack that would have come in, so you’re now at 85 or 87%. Then you need to make sure that your desktop security is well configured. There are concepts such as MFA, multi-factor authentication, where they send you a number to your phone to make sure that you are who you say you are. If you’re authenticating that way, it means that if someone grabs your username and password, they can’t use it against you. Because you’ll be warned and you’ll go, why am I receiving this text when I’m not the one authenticating? You’ll know someone’s authenticating on your behalf. So those are the basic steps that allow you to basically slim down the possibility of being ransomed.
Guillaume: Okay, and you’re talking about the evolution of the anti-virus, I don’t think this is very well known. Can you please elaborate on this?
René-Sylvain: Sure. So the way an anti-virus works is basically, I have a database of known attacks and if I recognize the pattern of such an attack I’ll stop it. Nowadays, you have threats that are known as zero-day. So basically, before it even becomes known to the anti-virus it’s already available to attack your workstation. So that means that you need software that’s basically doing pattern recognition and recognizing a pattern as being an evolution of an attack or as being malware, and those are known as EDR. You have Defender for Endpoint from Microsoft that does that, you have SentinelOne that does that as well. There are a few very niche manufacturers that do.
Guillaume: Alright. Let’s come back to the first topic, you said 80% of attacks come through emails. So you can teach your staff to not click on everything, to maybe do a little more and maybe even learn how to view the source in an email with right-click View Source in Outlook. It will give you additional data and you’ll see in more detail who it’s from. It may say it’s from Apple but they could just be spoofing pretending to be Apple. Very often with the View Source you can see that they don’t have the credentials, it doesn’t check the other security patterns there. So in addition to training your staff to try to recognize patterns they might still miss it. If someone is a really good fraudster he might send you a fake email that looks convincing enough such that he might catch some of your staff, are there additional measures that you can put in place to sort of protect yourself there?
René-Sylvain: For the 80% of attacks that come there, you can actually do what we call attack simulations. So basically we send what we call spear phishing attacks, a very targeted attack to your environment with a crafted message that looks like malware. It will basically tell you who in your company has clicked on it and from there you can actually target training. You can also target improving their skills and from month to month you can actually view progression. A former client of mine actually talked to me about a week ago, and you should have seen their eyes. I mean, their eyes were shining. They actually told me look, we had an attack, we saw it coming and we stopped it. I mean, to me that’s worth the world. Because you’re no longer into, ‘We got an attack, we got spammed, what do we do?’ It is, ‘We got an attack, we saw it coming and we were able to stop it’. So that basically makes my day.
In the same line of thinking the View Source is an interesting aspect but sometimes it’s actually easier than that. Sometimes just double-clicking on the email where you see a label that says Apple, for example, you can actually see that in the back it’s mosquito.org, or somebody else. They’ve got their network hacked and they’re basically using their email to send spam and to send attacks to other victims. You have to consider the following, there are two main types of attack; you have what we call the drive-by attack where everybody’s a victim, where everybody’s a potential target. Because they’re not targeting your company, you just happen to be one of the 7000 emails they send it to and you clicked.
On the other hand when it gets to targeted emails, then you get into somebody that actually took the time to study your SEO, found out how you’re writing, found out your actual corporate signature, who registered a domain that looks like yours and then crafted a message and sent an inside job specifically for your company. Those are rare. They are made for very large companies, and are very targeted attacks against specific systems. Most of them are just, how many people can we get to click on this thing? And it’s, we’re sending it to 80,000 people, how many will click?
Guillaume: Yeah, so they’re just phishing.
René-Sylvain: They’re phishing with dynamite.
Guillaume: Exactly, with spam. In our company we received that kind of semi-intelligent that perhaps was just a script or perhaps some beginning of AI that was using real names from our company, real contacts, but they had the details wrong. But you could see that that script had taken a moment to gather information about every single company that it spammed. So the AI word gets thrown around like a buzzword and most people don’t really know what it means. What do you see as the role of AI here in terms of security measures that we have to put in place and protect against?
René-Sylvain: We don’t see AI so much into ransomware attacks. What we see nowadays is ransomware as a service. So the person sending out the original attack will want it to succeed, so they will do more research than just the drive-by that I spoke about earlier. But he would then take, let’s say, 100 companies and do the research, try to do as much as possible to make the message as crafted as possible and send it to those 100 companies, because he will get a cut if the company gets ransomed. So at that point you have people that can be in a cafe and actually be sending the attack. So it’s no longer the, ‘We are Russia and we have this huge nation-backed cyber criminal activity’. You’re at the point where anybody can be a target.
Guillaume: And when you’re talking about this, you’re talking about those grooming networks that have affiliate criminals that are trying to find victims of hacking, they’re the baits and they get hooked. Then they pass it over to the real organization, the real makers of the hacking system.
René-Sylvain: We’ve seen it. I mean, the last customer we had and we actually did an incident response on, at first, we saw incoming from one country and then when we closed the door, we had people from seven countries trying to come in. So it’s not local, it’s not geographic, it is now a global network. And as you said, there are affiliates, people are getting paid to do part A while others specialize in part B. There are even groups now such as Lapsus, which basically, will not create any ransomware. They’ll just use whatever’s out there and then turn around and use it to gather data about your company. Once they have the valuable data from your company, it’s called extortion economics, all they’ll do is turn around and put that data for sale and blackmail you for it, basically.
Guillaume: Also when you’re talking about ransom economics you’re also suggesting that once there’s an infection, do they act right away or they sort of leave it there, or they collect data and then they know how much money you make and how much you can afford to pay to get your stuff back.
René-Sylvain: Here’s the horrifying statistic: you have an hour and 12 minutes to react. When you double-click on that infected email, you have an hour and 12 minutes to react. Within an hour and 12 minutes they would have spread out throughout your network. And why I say it’s horrifying is because when you look at the average time to discover that there’s been a breach in the network, it is 208 days. So I’d say it’s 300,000 to one.
Guillaume: Yeah. Okay, that doesn’t work.
René-Sylvain: The ratio doesn’t work, but I understand why it’s that way. There are currently 3.5 million open jobs in cybersecurity around the world. So if you’re a small business or even a medium business, and you need to put a security team together so that they only look at your security, you just can’t.
Guillaume: But there’s a shortage of expertise, a shortage of labor, and so on.
René-Sylvain: Also the fact that you now have the very big ones, so we can look at Desjardins Bank, and we can look at National Bank. I look back at both governments, Canada, Quebec; they had such requirements, hiring as much as they can because they need to protect all of our data. Whether it’s a bank, whether it’s a government, whether it’s a utility, they need to be protected. That requires a lot of people, and that leaves even less for the SMBs.
Guillaume: Okay. Let’s keep talking about SMBs and even the medium companies, like the few millions to 100 million ones. Let’s say you have your files in places like Google Drive or OneDrive or Dropbox or whatever; how dangerous is it to get your stuff hit with ransomware? How much protection will Google, or any of those others like Google Drive or OneDrive from Microsoft, give you for your stuff to not get ransomed?
René-Sylvain: First and foremost, I’ll make a distinction between the Enterprise product and the free product. If we’re talking about OneDrive, Google Drive, and Dropbox for personal use, you have zero guarantee. It’s not made for that. It’s made as a free service. They get paid because they get data about, you know, we agree. So there’s no guarantee there. If you have OneDrive for Business, if you have Google Workspace, then there are, let’s call them, secure parameters that you can put in to protect yourself and protect your data. I’ll speak for OneDrive for Business because that’s my core business, I’m a Microsoft guy. So OneDrive, for example, if everything gets encrypted on your workstation it will automatically shut off the replication process. So your cloud data stays safe.
René-Sylvain: It’s the same thing as when you have Defender for Endpoint activated within your Microsoft 365 environment. Any abnormal behavior will be shut down right away so that it doesn’t get to your SharePoint, it doesn’t get to your OneDrive. So I’m sure that Google has equivalent services. A box for business? I don’t know. The thing that scares me is when you look at it, because I did the exercise for a customer, I went through the master service agreement for Dropbox and it basically says that they can share about it with about a half the world. So I wouldn’t put my data there. You have to read the master service agreement, especially if you’re going to give them all your data.
Guillaume: Okay, fair enough for that part. Most people just scroll through and click ‘okay’, they just trust them. So a company that was a victim of let’s say, a ransomware attack are you suggesting that all they had to do to avoid that was sort of put their data on OneDrive, the enterprise version of Microsoft?
René-Sylvain: I won’t say that because there is one thing that is not widely known, but it is important, is that Microsoft Cloud is a shared responsibility model. So they will make sure that all the backend, all the operations, everything is secured but you have to do your part. So just putting it there is not enough, you need to have it configured properly, you need to make sure that all the security policies are there and you need to make sure that it’s configured and you’re using it in a way that is secure. If you just leave it by default, you’re as exposed as if you were on premise.
Guillaume: Okay. Because those kinds of security measures, let’s say if it starts encrypting your data there’s no replication to the cloud, I’m guessing, hoping they’ve put it by default in there.
René-Sylvain: But that’s by default but it doesn’t mean that, for example, the phishing wouldn’t come in, it doesn’t mean that the higher protection for your emails would be there. It doesn’t mean that you’d be defended. If you don’t put in Defender for 365, it doesn’t mean that, for example, it would detect that there’s a file that’s misbehaving and you know.
Guillaume: Okay. What about password protection, password sharing in a business in a worst case scenario where you’ve put all of that in Google drive and you’re sharing the file around? In better scenarios, you have all kinds of things like LastPass, Dashlane, and so on, what do you think about that? What do you think are the best practices for sharing around passwords in a company?
René-Sylvain: Ideally I’d say dumb. Don’t share passwords, that’s the first thing. There are a lot of services nowadays that offer what we call SSL, single sign on, which can be linked back into, for example, again, your Azure AD, which means that you can use your same username and password everywhere. Now, I know as a CEO I have to do this. I have an assistant, I have a director of operations and so on and so forth, and we have a shared password. A password vault is a good way to actually secure things. Again, ITU, you can’t put the same password everywhere. I mean, even if you have a password vault, if the password that you use to log in is the same password as 50 of your services, it’s useless. Or if your password to log in is ‘vacation’, well, guess what? It will be broken within roughly two or three hours, and then they’ll have access to all your passwords and you’ll be in even deeper trouble. Or if you have a note on your desktop that says, my vault password is… So it’s a hygiene problem; you have to make sure that: a) you don’t have replication of passwords, b) your passwords are strong enough, and c) your password to access your vault, if you have a vault, is a monster password. Now, we saw a few stories about that. In 2005, we did note a chemical distribution company. And basically, my security team back then was able to grab all of the admin passwords off posts that they had pinned on the wall in front of their desk, from the parking, with a digital camera.
Guillaume: Wow, from the parking!
René-Sylvain: So that’s one story. The other story is walking to a new job, I needed a budget for cybersecurity and I’m being told no. I grab it basically, off the mill via the password decryptor or Windows NT back then. I walked to the server, I grabbed the file and brought it home. Then I went to the VP the following Monday and said, who is Amanda? And guess what? That was his password. So we sat down and we actually discussed budgeting for cybersecurity. Because that’s literally how easy it was to grab the password. I mean, back in those days, we’re talking about the 90s, it took me four hours to decrypt the entire database of passwords. And we did not have the firepower we have today.
Guillaume: Right. For brute force if there’s no limitation after like three failed attempts you’re going to be locked out for like an hour and then it totally blocks the account after a few tries.
René-Sylvain: Now it does, back then it didn’t. But my point is that there are a lot of people that believe that, ‘my password is five-character’, it’s nothing. Mine is 16 and I still feel like I’m not safe.
Guillaume: Yeah. It has to be longer, it’s exponential. So if you’re under nine characters or something like that, you are just like 10 seconds away from password cracking if there’s no limitation on brute force access or even less than that in some cases. Especially if it’s a word from the dictionary, it’s going to be like a three-second crack or something.
René-Sylvain: And the dictionary just keeps on going longer and longer. It’s insane. The more and more property we have nowadays, the easier it is.
Guillaume: Okay, you’re the expert in this field, a shotgun question here; what else do I need to know?
René-Sylvain: Make sure that you have MFA everywhere you can.
Guillaume: Multi-factor or 2FA, a two-factor authentication to send a code to your cell phone or email. I prefer the cell phone, because if you get your email hacked I’d rather have a text message on my phone.
René-Sylvain: Or even better get the multi-authentication application either from Microsoft or from Google or from LastPass, which basically is an app that generates a number on demand.
René-Sylvain: MFA, 2FA is one thing. You know, be smart about it. You need to take this seriously. Passwords are a thing that you’ll have to live with every day of your life for the foreseeable future. So you need to be smart about it and you need to have different ones. Ideally, put them in a vault, let the vault decipher it if you have to. If it says 8-20 characters, go 16 or 17. Let the vault define the password for you and save it in the vault. You don’t even need to remember it at this point. All you need is to master passwords. And for those that have, let’s say a little bit more budget, I would go with something that goes towards zero password, which is basically a token which allows you to just plug it in and it basically authenticates. It can have biometrics on it. So there are ways to remove the passwords from your life, basically.
Guillaume: Okay. Tell me more about that token stuff. Of course there’s always the concern, let’s say you have a magic token here that can authenticate you, can it get cloned? Can it get downloaded? Like, is it just a magnetic field with a few basic validations? I’m guessing not. It must be advanced. Like, I don’t know about this, tell me more about this token?
René-Sylvain: It’s not a new field; it’s like a USB, you have to plug it in for it to work. And then there are some with either one-time passwords and/or sometimes biometrics lasered directly on the token. You can put your thumb on it and it basically authenticates your thumb. Enterprise-wise, it can actually be managed centrally. So if you have 1000 of those, you can actually manage them centrally. If someone says, oh, I lost it, you can disable it on the fly and reissue a new one. So it’s very well done, it’s a very nice technology. There are a few vendors out there that I won’t name; you can do your own research. It also becomes a preference whether you are on Google or on Microsoft, or on AWS. There are different flavors, wonderful for each.
Guillaume: Okay. That’s interesting. So there’s a token that identifies you and you can even have your fingerprints on it to identify that it’s not a stolen token, it’s your token and you’re the one holding it?
René-Sylvain: 2FA built in with your thumb.
Guillaume: Pretty neat. Is that expensive stuff to put in place?
René-Sylvain: I think it requires volume. So starting at 500 users, you get some fairly discounted pricing, it becomes interesting. And the more you go into volume the lower the cost, basically.
Guillaume: Okay, so that’s not for small companies?
René-Sylvain: No, unless you have a very nice security budget, which most small companies don’t have.
Guillaume: All right. Cool, so you’ve already answered the shotgun question but I’m going to throw it again, anyway. Anything else we should know about high level security for a company?
René-Sylvain: I would go and say, take the time to have an audit. If you’re unsure about how secure or unsecure your company is, take a few days of consulting out an audit. People will come in, they’ll scan what you have for hardware, they’ll just kind of what you have for servers, they’ll scan your cloud environment if you’re in the cloud, and they’ll tell you where your weak points are. I mean, it’s not a very demanding mandate; we’re not talking about $25,000 or $30,000. It’s below $10,000 usually. And basically, that will give you exactly where you are. On that I can add, I’ll send you the link later, but basically we have an on-demand scorecard that we’ve done of 66 questions that will basically tell your customers, ‘here’s where you are on each’. Here is where you are regarding insurance, here is where you are regarding password management, here is where you are with data management. And we’ve basically made categories like that for you.
Guillaume: Okay. All right, René-Sylvain. Thank you for sharing your wisdom with us today. If people want to get in touch with you, what’s the best way?
René-Sylvain: [email protected].
Guillaume: All right. Thank you.