Plus tips for avoiding online attacks
Since entering the world of cybersecurity more than a decade ago, Bud Venne (Electronics Engineering Technology ’86) has seen attacks grow in sophistication and scale.
Cyber crime has gone global, led by increasingly complex criminal organizations and bad actors. It’s estimated that the cost of cyber crime worldwide reached $600 billion USD in 2017.
As threats grow and evolve, so too does the need of organizations to protect their networks, apps and online infrastructure. (In fact, NAIT has launched a new post-diploma program on cybersecurity based on this industry demand.)
Venne, manager of Edmonton Police Service’s cyber risk and security section, sheds light on an ever-changing field that requires constant vigilance to stay one step ahead of attackers. He also shares tips for how to protect yourself online.
Techlifetoday: Tell us about your role with EPS
Basically, we’re a lot like a cyber section of a corporate security department. We protect the EPS network and the EPS information from outsiders or unauthorized access inside. It can be a big job. We have a team that is continually reviewing information from the inside and information from the outside to determine if we are at risk.
How has the field changed as technology has become more advanced?
Well, when I started 11 years ago, the attacks were not as sophisticated but also there were fewer vulnerabilities. Things are changing quickly and it seems that there’s an [increase in] new vulnerable items in our network and new people and attack methods coming at us. It’s a continually changing field.
When you mentioned that attacks are getting more sophisticated, what does that mean?
It used to be a joke that you get a phishing email and there would be four normal words misspelled in it and you could spot it pretty easily. Now, more sophisticated attackers spend a lot of time researching the ins and outs, personal details of employees and all sorts of stuff. And it becomes a real operation. If you become targeted, I think you might as well admit that you’re going to get broken into. A determined group of criminals can break into almost anything.
“If you become targeted, I think you might as well admit that you’re going to get broken into.”
When you started in this field, did you ever think that it would change to where we’re at now?
I didn’t really have any idea. The internet was not around yet and having every person walk around with a computer was not a thought. When I went, in the ’80s, NAIT was forward-thinking in trying to give us a breadth of the technical knowledge we needed to know in my field and we also concentrated on some of the more academic stuff.
We were chatting before about some industry terms like “white hat hacker” and “bug bounty.” What is a white hat hacker?
It’s a security researcher who obeys the law and helps people find vulnerabilities, find problems in their network security. They’re often employed by the corporation they’re investigating. A white hat hacker can also be working on their own and, for example, find a vulnerability in a website and just report it to the website owner. They wouldn’t probably get paid for that.
So a white hat hacker, is that someone EPS would work with?
Yes, we hire white hat hackers or security research companies multiple times per year to analyze the external threat surface of our organization.
So what’s a “bug bounty?”
That’s where you go to a particular software or website and, if you can find a problem, a weakness or a vulnerability, you report it to the owner of that business. They will pay you money. And sometimes it’s significant amounts of money. I’m not aware of anyone who does that for an occupation, but I do know several people who are penetration testers. They’re also what you call the white hat hackers hired by a company to come and test the company’s defences. And if they find a way in your system, the company owner would be very glad because we found it before a bad guy could exploit it.
Let’s talk about tips and ways for people to stay safe online. What’s your advice for managing your passwords? People tend to use the same ones.
Use a password manager where you store your passwords encrypted on either your phone or your primary computer. You’ll need to save a hint or that actual password somewhere, like in your wallet or your purse. People are very good at protecting small pieces of paper, like your driver’s license and other stuff.
“Never reuse passwords. That’s a bad, bad idea.”
Never reuse passwords. That’s a bad, bad idea. If you get one that you’re particularly happy with and you use it at your bank and you use it at night at a very conspicuous store, all that has to happen is one of those gets hacked. Now, they’ve got access all over the place.
If you can, use two-factor authentication like what’s offered by Google or PayPal or even banks and other institutions. It makes it really difficult for your identity to be stolen from.
How do you protect yourself from phishing scams? We’ve seen high-profile attacks but they also happen on a really small scale in personal emails.
The number one protection is security awareness. If you’re getting an email out of the blue from someone, it’s going to look suspicious in some way. The best scams are less suspicious, like they’re from a bank you actually deal with, the name looks legit. Just this week we had several people get messages from PayPal and it said your account’s limited, click here to correct it. Go to the PayPal website separately, not through the link in that email. And then you’ll find out if your account is in an incorrect status. If it’s an email from your bank, phone them to verify.
What about cloud storage? Is it safe to use?
The cloud [companies] take security seriously, but they have their limits as to what they can do for you. Consider the content of the information you’re going to store in the cloud and then proceed with caution – proceed with more caution if it’s extremely sensitive information that would be embarrassing or harmful if it were released.
Banner image: gorodenkoff/istockphoto.com