Hacking for the Greater Good: An inside look at ethical hacking - Ep. 75
How easily can you be hacked? Sharee tells you in this episode and shares some basic cybersecurity measures you can take to protect yourself from being hacked.
Episode Table of Contents
- [01:10] Ethical Hacking Within the Realms of the Rocky Mountains
- [06:19] Why Do Corporate Companies Call for Ethical Hacking
- [11:10] Ethical Hacking Companies Promote Due Diligence
- [14:42] Top of the Things Users Can Do Straight From an Ethical Hacking Expert
- [20:06] The Catastrophic Nature of Cyber War
- About Our Guest
Ethical Hacking Within the Realms of the Rocky Mountains
Arika: This week we are joined by Sharee English, who is the chief security officer of WECybr. Let's first just get to Sharee’s background. Tell us a little bit more about WECybr and the work that you do and just how you got into the cybersecurity world, I should say.
Sharee: WECybr is a woman-owned and operated cybersecurity company in the Rocky Mountains. We used to do what we call post-breach forensics. A breach is when a company has been basically infiltrated by a hacker of some sort. After that happened we would do a lot of forensics and tell companies and government agencies what happened.
Sharee: But it was very difficult. It was a difficult role. We saw business after business go under and not be able to sustain the hacks. We saw government entities being forced to pay millions of dollars in order to get back up and running. So we pivoted our company to what we call pre-breach, which means we basically do everything we can to secure companies before the hack. But we also make them resilient in case they do get hacked.
Sharee: So I got into this, I've been a programmer for almost 30 years, and then I worked as typical, you work your way up into management. I had a very dear friend of mine that was involved in a cybercrime about 10 years ago. And my husband said, "You've got to find this person. You've got to, Sharee, you can fix this."
Ethical Hacking Defined
Sharee: I kept saying, "This is a 2020."
Eric: You can use your powers.
Sharee: Yes, right? Like I'm superhuman. And I just told him, I'm like, "This is a 2020 specialty." 2020 has 40 people like me that do this. Like there's no way I can just, plus I thought if I go down this path I'll get obsessive. Which I did. I went down the path and then within about 24 hours I was working with the FBI. That just sort of pivoted my career at that point, I think. So once I got into the forensics, I just thought, "I'm very good at programming. I really should just become an ethical hacker," and that's where I'm at now.
Eric: Sharee, help define ethical hacking for us.
Sharee: Hacking is hacking. It's basically accessing computer systems, websites, any way that you can get into a company. That includes physical access. The primary difference between what we call black hats and white hats, which is me, is that I have permission. That's really the only difference is that I have written legal permission from a company to my company to say, "Yes, we're going to go ahead and allow you to hack us."
Eric: When I think about that, I think pen testing is the phrase that primarily comes to mind. Is it pen testing or is it more than pen testing? Because I think it's more.
Sharee: It is more than pen testing. Because pen testing, one, is very formal. It's a very formal process and it has things like port scanners and sniffing. It's very, very specific. Ethical hacking is more of an umbrella.
IoT Devices Can Be Hacked
Sharee: So pen testing would be one component, and I've done lots of pen testing before. But it also includes things like social engineering and dumpster diving and things that people don't even think about these days. So I would say a lot of my ethical hacking comes from social engineering. And honestly, IoT devices are so easily hacked.
Eric: Yes, I saw your article on LinkedIn, it was, "Attention small business owners, smart light bulbs are not an IoT device and can be hacked." Talk to us about that.
Sharee: The challenge with all companies, government, small business, even your home users, is that they don't realize how accessible they're putting their networks online whenever they connect IoT devices. And anything that connects. So I just got a Shark robot this last year. The first thing my husband did was download the app and the first thing I did was delete it.
Sharee: I don't need a map of my house to be out on the web because that's what a vacuum does. It maps your house and it programs it. So it's so many of these little things. One of the biggest hacks that we did was through a company thermostat.
Sharee: Those IoT devices I think are things that a pen test wouldn't necessarily be doing. And that's more of unethical.
Eric: Yes, and a lot of these small and medium businesses, one I would assume they don't understand, just like consumers don't, the potential risks of putting these devices on their network, video cameras, thermostats, light bulbs, the vacuum cleaner.
Why Do Corporate Companies Call for Ethical Hacking
Eric: The vacuum cleaner. That's a great one. The map of the house. Who would think about that? That you could map out the business? Crazy.
Sharee: Yes, you absolutely could. You could map out the doorways, you can map out all the access. So I think that that's definitely an area that all organizations can lockdown. If you just change the passwords on any device that you get, any new device, just change its password to a strong password.
Sharee: Hackers, one of the things that we don't want to do is spend a lot of time. So wherever I hit a brick wall, I'm just going to pivot, and I just keep pivoting until I don't hit a wall. So as long as you give me enough walls, I'm going to just ditch out of that, whatever I'm doing. But as soon as I find a vulnerability, then I'm going to bury in.
Eric: So why do these corporate companies, these small, medium businesses bring you in? Like what's the reason to call you as opposed to just continue the standard?
Sharee: One of the big challenges with small businesses is that there are all these industry standards for certification. There's now a government standard for cyber certification.
Sharee: There's the NIST standard obviously, which small businesses don't understand. There's HIPAA if you're in health care, there's FINRA if you're in financial. So these certain industries have requirements for you doing business securely.
Sharee: But small businesses like our local florist or like the local gym, they're keeping credit card information. They're keeping payroll information, they're keeping things that hackers want to gain access to. And they just don't realize.
How the Attacks Changed and Evolved With COVID-19
Sharee: A lot of small businesses think they just don't have any valuable information. But even your website, we had one person who's a one-man band, she does about $100,000 a year in business. She's been in business 20 years, and her website was ransomed.
Sharee: It doesn't matter how small you are, you can be one person or a million people. You're just as vulnerable. So it's important to just recognize. These small businesses right now, what we feel we're really gaining because of the COVID-19, is that we have a little bit of time.
Sharee: There's been a little bit of pressure valve release on some things for some of our businesses because they're customer-facing businesses that don't have customers right now. And so they're taking the time to say, "Hey, how can we get secure?"
Eric: Yes, we're seeing with COVID-19 the attacks change and evolve. The adversary's very, very smart. So they're changing. How's that impacting your business? People are working from home now.
Sharee: One of the things you have to think about is how we can all adapt in this change. For our company, we're 100% remote anyway. One of the things that we've seen is a lot of our clients call us saying, "How do we do remote securely?" Because once someone is on their home WiFi, they're now exposing your company. Once someone is sitting up at a hotspot somewhere, they're exposing your company.
Sharee: That's one of the ways that we've really been able to help our customers is to allow them, even the local workout place here, they do almost like a ballet. It's called a Barre Workout.
Rename Your Alexa
Sharee: My girlfriend just bought this business three months ago and she was freaking out and I said, "Let's just put it online. Let's just put little Amazon kits together where people can buy kits, we'll ship them to their house and we'll put your workout online and do that securely."
Sharee: It's really a matter of helping organizations understand how we can transition to this new work at home temporarily, but do it securely.
Arika: One of the things I know that even came up last week in terms of this new normal, where you have a lot of businesses that have traditionally been in office space, especially those that are dealing with private information, for instance healthcare call centers, is that they're telling people to turn their Alexa or other devices off because they could potentially hear private information.
Arika: I would imagine there's other sort of hacking that could potentially happen through that as well. It's interesting these different types of just security measures we're having to take now at our home that we had not previously considered.
Sharee: It's amazing how many listening devices we have in our house, even our smart fridges are listening devices these days. So we have a corporate policy when we're doing business at home. We have a lot of corporate policies, but one of which is that there is no Alexa in earshot. All of our Alexas are unplugged unless we're using them, and they're not called Alexa. Rename your Alexa.
Eric: But you do use them?
Sharee: I don't, no. God no.
Ethical Hacking Companies Promote Due Diligence
Sharee: I think the challenge is you have to decide at some point, convenience over privacy, and my life is all about privacy. I forego some conveniences for that and I'm okay with that.
Eric: But a lot of people these days or any days will choose convenience. In fact, we see the data, it says convenience all day long. This is one area where I think with federal workers, with large corporations, small, medium, it really doesn't matter.
Eric: When you're working from home, access to the company's intellectual property is at risk and a lot of people are choosing convenience over security. What do you do? What do you recommend?
Sharee: That's accurate and so it's unfortunate. I think there are some simple things and let's talk about that as we wrap up. I think there are some simple things that everyone can do in general and companies can follow suit. Simple and inexpensive.
Sharee: Companies have to do their due diligence. Just sort of putting our heads in the sand and pretending we're too small or we don't have the budget or whatever it is that we're pretending, that just needs to go away.
Sharee: Whenever we have a vulnerability like COVID-19, the hackers just thrive. They absolutely thrive whenever there's some compromise to our system.
Eric: So what are the recommendations?
Sharee: Number one you need to run updates. One of the number one things you can do to secure yourself is to keep your systems updated.
An Athleisure Wear for Cyber Security
Sharee: I wish we had an Athleisure wear for cybersecurity because then everyone would be in cyber mode now. I don't know.
Sharee: We need some sort of convenience and I think that's unfortunate. So updates you can set to run automatically. In our family, all of our devices go somewhere at night and the updates automatically run and everyone's got updated computers the next day.
Sharee: I think the second thing that you could do honestly is better password and people are going to say that password hygiene, you guys are so easy to hack. I just don't know how much more I can say that.
Eric: And we're not talking monkey one, two, three, four.
Sharee: It's so easy. I can't even tell you.
Arika: You're asking us to make it harder for people like you that are having to do the ethical hacking.
Sharee: Please! You need to make it harder because you guys are just giving it away. Honestly, there are times where I will spin up a WiFi at a company website, I mean at a company location, and people jump on the hotspot and I'm already keylogging everything that they're typing and capturing.
Eric: Free internet, why not?
Sharee: So number three, actually I'll move that to number one. Never, ever, ever, ever use free WiFi, ever.
Arika: Even at the airport.
Eric: What about VPN? I mean if you're in a Starbucks and you're running over VPN, are you happy or not happy?
Sharee: Even if you're running over VPN.
Social Distancing, Network Style
Eric: Or the VPN quits on you and you keep working. I got you.
Sharee: Never ever use public WiFi, and don't let friends use public WiFi.
Eric: Got that Arika? Social distancing, network style.
Arika: Friends don't let friends use public WiFi. Yes, I got it.
Eric: What's next?
Sharee: Outside of password management, everyone should have a password management software, VPN. VPN just encrypts your data. A lot of small businesses don't even realize all the things that a VPN can do outside of just creating a secure communication channel.
Sharee: But it also can mask your IP address, it can mask your location, it can mask your IP service provider. All these different things that really are easy for us to track you physically.
Eric: It's interesting with COVID-19's release, we've seen the number of firewall orders in our business go way up because we have a built-in VPN. I'm really happy to see that. Because it means people are thinking about how do I secure somebody's home for them or the communications between the office and home when they're not going to.
Sharee: Agreed. And a firewall client is also a really great way to go. I mean, it's an inexpensive option. If it does have additional features such as VPN, that's even better. But these are things that even in our own homes when we work from home, we have these things implemented. We all have to have VPN set up, we all have to have firewalls set up. So that's just our corporate environment to make sure that we do our due diligence.
Top of the Things Users Can Do Straight From an Ethical Hacking Expert
Sharee: Those are really kind of the top things that users can do. Run their updates, get a password manager, never use public WiFi, and run a VPN software. Outside of that there's really, you know, from the work at home remote issue, your IoT devices are freaking me out.
Sharee: So I really am scared about all of your devices connecting to the internet and exposing your password, your WiFi password. So now I can get on your WiFi and do other things.
Eric: What about running all of your IoT devices on a separate network? That's what I was wondering.
Sharee: I think that's pretty complicated for end-users. I think as a corporate office, that's a really great way to go. But I don't, honestly, I'm not a huge fan of IoT devices and if you are going to use them you have to isolate them. It's just like anything else. It really is a very easy way to hack into an organization.
Eric: Arika, how many IoT devices do you think you have in your house?
Arika: I don't want to admit it.
Eric: I mean I'm over 35.
Eric: Separate network, but I'm over 35. I mean I have everything. It's convenient. Separate network.
Arika: I don't think I'm that high and I definitely don't have them on a separate network. I'm not that sophisticated. But you've given us, given myself a lot to think about, just in terms of what we can do for those of us that may not be as tech-savvy in terms of making sure we can stay secure. So I will not use public WiFi.
Ethical Hacking Experts Recommend Passphrases Over Passwords
Sharee: That's a big part of it. Change those passwords and then that'll help, 16 characters or more. I'm going to kind of hack a little bit and then I'm going to go away, I'm going to find the eight, 10, 12.
Eric: Because it's too hard.
Arika: What I do, I will not say my password, but I actually make my password a question of something that I want to make sure that I'm doing every day. So, you know, did I drink 75 ounces of water? I will make that my password with a question mark. Something like that.
Sharee: That's good.
Eric: With a password manager?
Arika: I do.
Sharee: I think that if we can also help users transition from passwords to passphrases, I would love to get rid of the word password altogether and replace it with a passphrase.
Arika: That's why I do phrases or questions, but something that will trigger something with me.
Sharee: As a question, you can easily get to 50 characters without even really that big of a deal. So I think that's amazing.
Eric: I'll tell you what's so nice. I'm a Mac guy. On my Macs, I just use my fingerprint to log in.
Arika: Well that's a question. So I do that too, but what are your thoughts on that?
Eric: And it can be a massive password.
Sharee: Everything's hackable. So biometrics is going to be one of those things. I think facial recognition is actually going to be a lot more hackable because you're going to have your face out there way more than your thumbprint, to be honest with you.
Critical Infrastructure Can Be Easily Hacked
Sharee: So facial recognition software will be one of those things that I think really takes a hit at some point. But all in all, I love biometrics because of its convenience, but I also have a seven-year-old who's pretty savvy. So she's a few times tried to thumbprint my phone while I was sleeping. I'm not lying.
Eric: My 12-year-old, same thing. He'll use my face and hold the iPad up to it. So as we're coming to the end here, you have a pretty deep background in critical infrastructure. What are your thoughts there?
Sharee: One of the things that started really getting to me when I was doing post-breach work was just seeing how easily some of our critical infrastructures were being hacked. Our company started a timeline about three years ago and just started documenting every critical infrastructure. This includes schools, it includes the post office, anything that's really under the umbrella of our government infrastructure.
Sharee: I swear to you guys, if somebody could put a map like the coronavirus for this hacking timeline that we have, I think it would really show you how we are in a cyberwar. I think that every three days, our critical infrastructure is being attacked across this country and that's just horrifying to me. So I really, once an actual power grid goes down and we have a downage for three days, then we're going to feel it.
Sharee: Until then, I think until there's pain, it's really tough for people to get rid of the convenience. Then it will become legally mandated. All IoT devices have to have 26 character passwords or something.
The Catastrophic Nature of Cyber War
Sharee: But the reality is that those things that make it easy for us to get into the infrastructure are things that you just don't think about.
Sharee: A new smart coffee pot was just installed. I don't know why your coffee pot needs to be on the internet, but it got on the internet and now it's a device which can take down your whole company. So it's really important that we look at this infrastructure as a cyberwar.
Eric: Arika, imagine in these COVID-19 days, we're at home. We have electric, we have running water, we have sewage, we have everything we need. Life is inconvenient and I don't want to minimize what's happening at all.
Eric: But imagine if we had something like this without power and no water and sewage and we couldn't restore power because a nation-state attacked the power grid for two or three months.
Eric: Imagine the catastrophic nature of something like that. This is almost a lead in to make you think about it if you will. The good news is, we still have most of the comforts. Granted, we're shut in, people are getting sick. It's horrible. We're running out of hospital beds.
Eric: But imagine if those hospitals had no power, and we couldn't go to the emergency generators, and we couldn't communicate to one another and move doctors around or whatever we needed to do. That would be a major problem. And that's what keeps me up at night.
Sharee: The thing is, there are very specific state hackers that are trying desperately when right now we're fighting a biological warfare. We're also fighting a cyber warfare simultaneously, and they're going to use every vulnerability that we have.
COVID-19 Being the Vulnerability of the Moment
Sharee: Every single one and COVID-19 is the vulnerability of the moment. So fake toilet paper websites, I'm telling you, everything that they can do, they're going to do. That's the way hackers think.
Eric: Yes, and we have a lot of work to do.
Arika: Well that's what I was getting ready to say. I think situations like this are just more evidence of how unprepared we are for the unknown and uncertainty. Certainly in the cyber world, we've seen it happen in different cities which have been attacked at the municipal level. If we think about it at a larger scale, it shows that there's a lot of work to do in a lot of areas and we can't ignore any of them. So thank you so much.
Sharee: Agreed. But some of them are super easy, like running updates. You guys, that's not a complicated thing. Single click of a button, update, and I know it's inconvenient, but that tiny bit of inconvenience can make you 60% more secure today.
Eric: My personal opinion is just like with the virus right now, the federal, state, and local governments need to step up and protect the American people from what's potentially going to happen in the future. We've got to be better prepared as a nation, as nations across the globe, because this is a great intro. Sharee, thank you though. Great, great time with you today. Thank you.
About Our Guest
Sharee English is Chief Security Officer & Managing Partner with WECybr, a woman-owned cybersecurity firm based in Boise, Idaho. WECybr's mission is to help small and mid-sized businesses navigate sophisticated technology and embrace simpler, more effective responses to their cybersecurity challenges. Sharee brings almost 30 years of deep technology experience, having spent most of her career in major cities as the top technology or IT security executive. She was the CIO at a Fortune 1000 company and has built technology and training solutions her entire career.
Sharee brings her deep expertise and passion for learning to a highly underserved space - small and mid-size businesses. She deeply empathizes with small business owners, having owned, operated, and sold many of her own businesses (both technology and lifestyle). Sharee has educated and mentored hundreds of people to build their knowledge about information security.
She loves the immediate impact small business owners can experience with simple and inexpensive ways to protect their assets. She brings both humor and a down-to-earth approach to her workshops and training so that learning is fun and engaging.
With a Master's degree in Cybersecurity, Ms. English has worked in computer programming and security for most of her career, building intranets, creating secure employee portals, and conducting on-site IT training. She is now a top 5% ranked Microsoft Certified Trainer (MCT) as well as a certified Computer Hacking Forensics Investigator (CHFI) and Certified Ethical Hacker (CEH). Her career has taken her to some fascinating spaces, like working with the FBI and being a crime scene investigator.