Cyber Security Part One with Grant Colgan

[inaudible]

One on, welcome to the curious Ulsterman podcast. The podcast designed to give you the tools you need to thrive as an adult. So today's topic is cybersecurity, and I know that's a big buzz word that's thrown around, but not very many people know very much about it. And we're probably not as secure as we think we are online. So that's why I brought on today's guest grunt Corgan , a friend of mine who has been doing cyber security for five years and has been in it for 10 years. And we just go over a high to BCF for online high to make sure that you're less likely to get hacked and basic steps you can take to make sure that you stay more secure online. So here is my chat with grant . Hey grant, thanks very much for joining us today and welcome to the podcast. Thanks for having me, you know , I'm really excited about this episode because this is a topic thought is so important, but we never discuss or talk properly. And it seems every day on the news, NY , some big company's been hacked and cybersecurity is this new buzz word that we all vaguely knew about, but did generally don't have any in-depth knowledge. So I'm really excited to have you on today today to discuss this , uh , cause it is badly needed, but before we get into the meat of the subject , um , but the audience who perhaps don't know who you , uh, could you just give a brief introduction as to who you are and what you do with

Cybersecurity? Sure, sure. So , uh, my name's grunt and , um, I've worked in it in general for a byte 10 years give or take. Um, and the past five years I've , uh, started working into cybersecurity. Um, I work as a security engineer for a company that will remain nameless because it's not online as to where I work and I'd like to keep it that way . Um, and uh, I mean a lot of people , uh , think cybersecurity, you know, matrix green screens and stuff like that. It's, it's not, it's , it's nowhere near as exciting or as sexy as it science, but , um, that's , that's what I do . I , I , uh, I work on the defense side of things trying to , um , stop attackers, getting into companies. Um, and they also run a small YouTube channel where I do lots of weird, weird things, but some of them are cybersecurity related.

That's uh , that's really good to hear. And especially at the end, we'll definitely be asking where, where the audience can find you for more , uh , cyber security tips. But someone I just want to touch on there is it almost feels like today that it's a war. It's just a never ending war between the hackers. And I don't know what the defense equivalent of a hacker is like a cyber security protects your protector, a guardian thick your, your, your preferred pick of Niamh,

But I'll take any of them. They sound far more than , yeah.

Yeah. It does seem like this, that this is only going to get become maybe perhaps more common or more intense and more sophisticated. We're not hearing about, you know, state actors now using, you know , cyber as an actual method of , of warfare. Um, and this is where I think we really need to start carrying the subject apart and in layman's terms, understand what we're dealing with here, especially when all of our lives are online. You know, you take all your social media, all your banking details , uh , your internet, everything is it's almost as a majority of our lives are online. And the fact that we're so clueless, I know I am on security. Like I do my best. I try really try, but I think if I'm totally honest and if we're all honest with ourselves, we could definitely do better on the cyber security front. Uh, I mean, like we don't leave our homes unlocked at night. We don't just randomly give a personal details to random people in the street. But the moment we go online, you know, the amount of people who want have antivirus, who just randomly will give all their information on their social media. It's , it's a bit baffling and sometimes a little bit scary as well, but , uh, let's get stuck into this. I'm really understanding what you have to say. So my first question is, and this is a simple one. What is cyber security ? Because it's this buzzword that's thrown a rind , but then beyond the buzz word, we kind of go, Oh , that's for like the really smart people who know what the lines of code and the metrics and the stuff like that. But in layman's terms, what is cybersecurity?

So it depends. I know that's probably not the answer that you wanted.

Well, it's fair to be correct. And you all instant give her a realistic.

Yeah , yeah . Um , it's not a complicated topic. Um , you said that, you know, people who are smart and new lines of code and stuff like that, I really don't know how to program that. Well, so, you know, you don't need to know the lines of code really. Um, and as I said, it depends on what context you mean cyber security for a company and a business cybersecurity is , is a big thing. And, you know, you have, depending on the size of the company, lots of employees who do very specific things, but for like a general person , um, it's, it's sort of like what you said, you know, you , you don't leave your car unlocked and it's the same principle, but just online, you know, cybersecurity for a general person is just, you know, locking the door behind you. You know, don't, don't leave, you know , your , your , um, social media profiles, open to the world and , um, you know, sharing your , uh, every aspect of your life to anyone who will look because, you know, that's, that's , that's what attackers look for. Um, so it's, yeah, it very much depends on, on , on who you are as to what cybersecurity, but honestly, it's just, it's just , um, uh , taking a second, look at an email, you know, it's as simple as just going, you know, does this sign too good to be true? You know, if Domino's are offering you free pizzas on Facebook, if you like and share their thing, it's like, Oh, are they really, or is this someone pretending to be them? It's just that , that's all it is. Um , as you said, it's a buzzword and it gets thrown around a lot, but for a general person, it's really not that complicated. It's just, you know , um, an element of common sense is what a lot of people say. I disagree with that because it's common sense to someone like me who works in that area, but you know, just someone who doesn't, it's , it's a completely foreign concept. So you have to have things like this, where you're talking about it and teach people, you know, how to do these things. Yeah, that's really good because

That, to me has suddenly demystified. It's no longer , no longer this thing that's in the shadows. It's something that, you know, the ordinary person can take charge of and can utilize to better protect themselves and their families. Uh, something I just wanted to ask about , you know , for me personally, I'm a bit of a private individual hypocritical because I'm putting myself out here on a podcast and in the world and on the internet, but I'm, I would be probably quite a private individual and all my social media, I don't share a great deal of personal information. I will, you know, obviously my various lakes and my various, I see the farms up there for those on YouTube. You see that for those who are just listening, there's a big farms up there. So I'm feeling good about myself. And, but I do see people who, for example, and I'm not taking it, they got them, you, your , the, your , you know, your own life there than I do. And you love the life the way you see fit. But for me, I see people who will say like, you know, who they're in a relationship with where they grew up, what street they grew up on, they'll have, you know, photos of their family. And , um, you know, all these quite intimate details that if someone who doesn't have your best interests at heart could utilize an attack and steal that information. I'm kind of like for me personally, I kind of go, well, it's all for me. I not comfortable putting that out there, but for other people who are doing that, is that maybe me being a little bit over the top or is that you should never do that. Even if Facebook are saying, tell us where you grew up or tell us this and tell us that it's like, is it just, should this just be standard? No, there's no reason for people to know, or am I being a bit over the top of this?

Th there's, there's an argument for both , um, both cases. Um , you know, there are some companies that will need to know your location. Like, you know, somewhere he's going to post you something for like Amazon, for example, but the likes of Facebook, you know, do they really need to know where I live and, you know, do I need to, if , and if they do need that information, do I need to make it public? Because a lot of social media platforms have the ability to, okay, you have that information on there, but you , you, you know , you hide it and know general public can see it and things like that. Um, and that, that information definitely should be hidden. If you think of, you know, whenever you try and do a password recovery, you know, and then you get the security questions to confirm us , like, okay, where did you grow up? What was your color of your first car? All of this is information that attackers look for so that they can do a password reset and get round your password and get in. So the less information you put out there, the better, as you said, it's up to everyone, what information they put out, but it's just, it's just something to consider is, you know , do I really need this information right there?

Yeah. A little bit of just common dog then. Yeah. Um, so I think that , uh, at least I hope I'm up to date on this . There was a little like , um, viral thing that went around. I think this was about three, four months ago. And it was like, Oh , uh, for a bit of fun, share this and, you know, see how much your friends know about you, or, you know, tell us all about you . It's like, what was the name of your first dog? Where did you grow up? What was it? And it was this list of about 30 questions and on the face of it, you know, I'll be happy to admit I went home . I was kind of funny and now that's the way I've thought about it. And I'm like, hold on a second, actually . Um , that's I know, I know everything about you. And if I was, if I was a little bit, you know, of an awful person, I could just suddenly go, right. Well, I'll try , I know your email address. I can say, I forgot the password. And you know, all them questions to me were eerily similar to our password recovery thing. So I was like, crap. I'm like, I'm glad I had this . I didn't do that. Neither would I, but I did know quite a lot of people who did. And I was like, crap, I'm expecting to see a lot of I've been hacked. So don't answer any messages from me, things on social media , um, as is that, is that like, cause you hear of like, there's a lot of sophisticated attacks and you hear the , like something, that's something so simple, especially if it's shared by someone, a friend you trust or something, you know? Um, is there apart from a little bit of critical thinking, is there anything, you know, that can be done to lessen your chances of falling prey to that sort of thing.

I mean, lessening your chances of falling prey to not so much, you have to, you have to have a bit of sense to go. Do you know what, you know , what, what could be done with this information or not even not just, you know, why are they asking for this? Yeah . But there are things that you can do to protect against someone actually getting access to your account. So even if they had that information , um, they then just couldn't go and reset your password. Um, it's , it's almost social media platforms is called them MFA, multifactor authentication. A lot of people might've used it. Um , um, it's just , uh , if you've got a Google account, usually whenever you sign into a new device on Google, you know, your phone will buzz and say, Hey, what is this? You know , uh , that's, that's all it is. It's , um , a form of that. And most social media platforms have the ability to turn that on and they'll just, you know , send you a text, you know, was this you tried to log in and it makes it more difficult for them to then get round a password because nine times out of 10, it won't ask you for a security question. It'll well, may ask you for the security question as well, but then it will ping your phone and say, Hey, are you trying to change a password? Then you can go, no, that isn't me. And it'll stop them from getting in. Um , so, you know, there's things like that as well that you can do to not, not quite, you know, stuff's got to stop you putting the information out there, but at least make it a bit more difficult for them if they have that information. Yeah.

Uh , thanks for us. It's uh , uh , something and I've seen that message pop up before, certainly when I've signed it and I've never fought, it's always been a nuisance to me, but now I kind of go, all right . Okay. Actually, this is rather important. So I'm not , I'll know I'll not get annoyed, but not those that every time I log into a new device , um, yeah, thanks very much for that. So that brings in nicely. I think we may have slightly covered it already, but I want to dive in a little bit more depth with it is my next question. And why is cybersecurity important? Why can, why do we have to take personal charge and responsibility of our own cybersecurity ? Why can we not just leave it up to the big tech companies to look after it?

Well, I mean, arguably, they don't care about you. That's a bit cynical off of me . Um , probably , um , I mean, there's only, there's only so much that they could do, even if, even if they wanted to secure your accounts to the nth degree, there's only so much they can do because they have to make sure that the icons are accessible to you. Yeah. Is a big part of , um, cyber security , um, to , to give you a peek behind the curtain. There's a , there's a triangle in cyber security . It's considered the three things that you need and it's confidentiality, integrity and availability. Um , we'll cover what they are in this. Maybe we'll do that at another time. But the availability part is, is something that people forget about. You know, it , you have to be able to use the accounts and these tech companies want you to be able to, you know , get access to those accounts . Again, if you lose it, you know, if you forget your password, they want you to be able to get it back relatively easily, but to , to , to make it easy for you, it also then makes it easier for an attacker. Um, and if you think about everything that you have online, just, just getting back to the why it's important in general. Um, if you think about it , everything you have online, your online banking, Facebook has your , um, or well , other social media platforms are available. Um, you , your social media has your address on it. Um, you know, so much personal information that, you know, cybersecurity can not just help your, you know, your, your online presence. You know, it can also help physical security because let's say you're on your own Instagram, Facebook, somewhere like that. And you post count where to go, where my holiday in three weeks, someone who's an attacker who's malicious, maybe not a cybersecurity attack or a cyber attacker, but just someone who's , you know , not a Bob or not a good person would see that and go, their house is probably going to be lying empty for two weeks. Yeah. And then you'd go in and Rob the host , which happened a lot in the early days of the internet, I believe it still happens to a degree, but , um, people have gotten a bit more , um , savvy with , uh, social media , um , visibility so that, you know, maybe it's only your friends and family that can see that post or things like that. It still happens, but it's, it's a bit less, but that's , um, as something as well to consider, you know, what, what could actually be done with this information. And as I said, cybersecurity , it's not a complicated thing. It's just taken a second to, to consider what's put in post online or what you're about to click on. And it can, you know, it can stop someone from emptying your account and it, you know , uh, if you think , um, even have like a PlayStation account or an Xbox account , uh, my , uh, my sister, her other half , um, he got his account hacked and they bought themselves a load of , uh , gift tokens or , um, uh , gift cards on the PlayStation store, which they then transferred somewhere else, which is how they sort of launder that money as it were to get it actually into money into their account, you know , 20 quids . It's not that much to them though that did get it back by going through the play store. But, you know, the attackers might be doing that to 50, 60 people. That be more yeah . And it's , you know, they're getting quite a lot of money out of this. So it's , it's little things that you can do. And it's usually a coach that you wouldn't think of that can get, can get compromised. Yeah.

Um , you caught me off guard there. Actually, I didn't, I, when I think of hacking, I think of all the most valuable stuff they want to get out, they want to get at your banking details. They want to get, you know, where all the good stuff is for the hackers. The fact that people are hacking X-Box accounts and P and G or gaming or coins, and you really need to look , take one, look at Twitch or , um, you know, other streaming services to see that , you know, this is a major part of people's lives. Now people game online for a living. So like if that account got hacked , you know, or even, you know, these minor accounts that I personally have never heard of an X-Box account getting hacked personally, or a pit . But the fact that you say that does happen is not making me think crap high, secure is mine. I'm confident it is. But like, I would never, that's never a place I fall a hacker would , would go to. So like, if there's anything I've learned something today on this podcast.

No , I do. It's the accounts that you don't think of, that the attackers go after and it's because you don't think of them, you know, you keep your bank account secure because you know, that's where my money is, but, you know, you're , you know , um, floppy birds are kind on your iPhone. You don't think about that, but you know , it's a potential way in and a potential way of them getting money. Wow.

Okay. Well, I'm looking for , uh , I've just for the audience who will be glad to know that grant will be coming on as a repeat guests , at least once a quarter to discuss regular cybersecurity stuff. So if you are enjoying this so far, you can look forward seeing him on the show for the regular , um, which is grit . And this ties in nicely with my next question. And that is Heidi. You as an individual, figure out what your current level of protection is. So an example for me is I have my own antivirus on my computer, but not a good thing with my Antifa antiviruses . It also offers antivirus and protection on my phone. So I've got , um, I can split the, the , uh , kind over two or three devices, which to me gives me that warm, fuzzy feeling. At least I hope it works that, you know, I'm protected on my laptops, my phones and other things like that. Um, but how does the ordinary person work? I, where they stand on cyber security ?

Well, I mean, antivirus is definitely a good thing. You'd be surprised how many people don't have on the virus , um , on their computers. Um , thankfully a lot of windows computers come with , um, it's called windows defender. It's okay. But it's better than nothing. Definitely. So yeah, they definitely have an antivirus or not on your phone is, is important. Cause you know, most people don't have laptops or computers a lot anymore, you know, they have tablets or they just use their phone for most of it. And they don't think of putting on the virus on that, but yet, you know, the would maybe have antivirus on a computer. So, you know, definitely put antivirus on your phone. It will help. But as far as trying to gauge high security are , it's, it's difficult to know. But , um, I mean, if you have the likes of MFA, multifactor authentication, sorry. Um , if , if I say any, any acronyms and I haven't already explained them, please, please call me. Okay , no worries. I do do that occasionally, but yes, MFA multi-factor authentication, which is the , the text to the phone or , or an app on your phone that you hit a button to say that it's you , um , that can definitely help a big one. Um , if I am a regular guest on this, if , you know, if , if he's , don't shut me down and say, no one ever wants to see that guy again, is there going to be sick to the back, tastes of me talking about passwords and I can only apologize for that, but , um, you know, your password is your first line of defense on most accounts and you need to have different ones for each account. It's a pain to manage. I know, but it's the easiest way to think about anything that you do for security is that if it's marginally more difficult for you, it is infinitely more difficult for an attacker. So the more steps you have to go through to log onto your account, you know , they have to jump through a lot more hoops to try and break into it. So , um , having a different password for each account is , is really, really Vale . And if you can use , um, random, long passwords, you know, that's just numbers and random letters , um , and you can get them using a thing called a password manager. And last pass is a good one, but I'll, I'll give , um, Jonathan some , uh , links and stuff that he can put the show notes for years for an Ang for them. Um, but there is also , um , a website called have I been poned and what I know, I know there is one thing in cybersecurity , they are inventive with names. Um , what you do is you, you, you type in your email address into, and it will look through , um, database dumps, which are basically what attackers get from companies. If they managed to break into a company or hack a company, they'll get a database dump, which has usernames, potentially passwords, sometimes credit card information, things like that. And they will either sell these database dumps to other attackers or in some cases they just release them publicly , um, because that's what they do for whatever reason. But what this website does, is it trolls through any known database dumps and it looks for any matches on your email address and it tells you, you know, okay, we find your email address in these , um , leaks . And this is the information that was tied to it. So it'll tell you if you know, your, your username and password was leaked or whatever else. Um , and it can be a good way to, if nothing else scare the bejesus Odie of yourself, of how many leaks you may have. And from constant , you may have forgotten about it. I know who my, my main email account, I think has about 40 odd , um , or has been fined in about 40 odd database dumps. Um, and as terrifying, the only account that I have that has not been in a database dump is the one that I use for the YouTube channel. And the only reason for that is it is just an email address. I don't use it for any accounts. It's just for that one thing. And it's definitely a kind of a house that hasn't been in a database attack back . So, you know, you can check that too to scare yourself, but it can give you, it can give you an idea , um, of, you know, why having a different password on every different account is important because if they've got your password from , um, say , uh, you know, Facebook, you know, a Facebook leak and use the same password on your Instagram effectively, your Instagram account is compromised as well because it's the same password. So from one leak , they've got two accounts and they, they just run a program that checks these. So they aren't even manually doing it. They run it and then go down to the pub. So , um, things

It's incredible, I didn't even know such a resource like that existed. So guess what I'm doing after the podcast it'll scare you, but it's good to know as terrifying as it is. It's I I'm a land people off . I'd rather know ignorance is not blessed for me. I, I would rather look it in the face and go, this is awful. I feel genuinely awful at this information, but now I can do something about it. I, I can at least, you know, affect the outcome somewhat rather than just burying my head and hoping that I haven't hacked. You know, we all, it's easy. It's easy just to go. It probably hasn't been me, but if a five minute search is going to tell you that you're potentially compromised and it's going to save you a massive headache further down the line, then yeah. I'm willing to do , to do that. Um, so a quick question, I would like to ask you actually on the subject of passwords is that I certainly setting up this podcast. I've had to create a lot of brand new accounts and something I've done for the first time ever. And this is a trial run. And it's funny, you said that it's a pain in the because I find that first hand , every time it's come up to a brand new kind , okay, sign up, signed up using my email address. You suggested password. And it is like this random 25 character ne of like random letters and numbers and symbols. And I'm like, I'm praying. I never have to remember this. So I used suggested password, but in a way maybe I, this is, this is me being totally ignorant of the cyber security world. If , if, if it's suggesting that as a random number password, is there any way that hackers can just, like you said, put on a machine, let it run for a month and ill , eventually it will eventually like, come up with that , that password, if you, you know what I mean? You know , if they're not having to manually do it, why don't , it's just like, go right. Go through every possible number and every possible combination and to go down to the pub on a weekly, or they've got your password, is that a thing? Or am I,

Yeah , no , it's funny. You should say that because that is called brute forcing, right? So it is, and it takes a long time to do that. And there's defenses against that. And that's part of new way. We're talking about the company that doesn't care about you. Yeah. That's one of the things that they can do that actually they do care about you. A good example is if anyone has an iPhone, whenever you type in the password, drone too many times, it locks shape for a few minutes. That's , that's a form of brute force protection on a lot of websites have that , you know, if you type in the password too many times, you usually get the, we , um , near the lead capture thing, you know, I am not a robot. Yeah . That's what that's to defend against right. To stop them doing that. But even with that , um, let me see. So if , as long as you have a long, that that's what happened a long password defends against, because it's all your tasks and my cryptography knowledge here, you to the par.

Sure .

Uh , I can't remember it . It's , uh, or, sorry. It's not too to the part it's however long your password is to the par of the number of keys on the keyboard. Yeah . Um , you know , if you have a 16 character password, that's, that's a big number of potential combinations that they have to go through even more, if you take into kind of upper and lower case characters. Yeah. So it takes a very, very long time to brick if you have a decent life password.

Yeah. So in that case, we'll just go, I can't be bothered with us. I'll just pick an easy instead.

Yes. And funny, you should mention that because one of the big things in cybersecurity and it's a bit, for want of a better word. Apologies. No , no, no,

No.

Um, it's, it's sort of like being chased by a wild animal. There's a group of you and you're being chased by a wild animal. You don't have to be the fastest. You just have to be not the slower Ever security is, is, is the CMD attackers. Um, in, in the mean , in the mean most attackers are looking for the easy targets and you're in any way difficult. They'll just, they'll try someone else. Yeah.

Yeah . I know. I see what you mean. That's not a nice thing to say, but it's a good analogy. I'm going to read every time I don't go into my computer and I , and I've been thinking I might be like an animal behind me here.

Yeah. That's exactly it.

What popped into my head going off on a tangent here that , um, that movie with Liam Neeson, Anna and I cannot, for the life of me, remember what it's called, the one where he crushes in the plan and like the Arctic and they just spend like a week getting chased by wolves. And it isn't a phenomenally good movie. That's just ended something will call them . I instantly popped into my head sire , a bunch of hacker wolves. Cheers enough . That's that's basically

It. Yeah. Very

Good. Um, so , uh, that again falls nicely into the final question and , uh, that now that we have, at least I hope I find directional knowledge or at least a decent , um, we're , we're a little bit further on from, from where we were half an hour ago, 45 minutes ago on our cybersecurity. Now that we know this what's some basic tests we can do right here right now today to improve our cyber security

Multifactor authentication, MFA is a big one. You would not believe how many attacks that can stop. Um , it , it is a pain , as I've said. Um, I actually had a trouble a while ago because I lost my phone, which all my MFA is linked to. And so I had to then go through and try and recover all of those coach with open my phone, which required a lot of speaking to people and all up. But as I said, the more difficult it is for you. It's a lot more difficult for an attacker and secure and unique passwords for each of your different accounts. Um, monitoring that with a password manager, like last pass it's, it's free, and you can share passwords with , um, you know, family members and stuff like that. If you've got joint accounts, there's an app on the phone, on it auto-populates and fills a rank . So it lasts past is quite good. Um, there are others, keeper is one that I use, but you have to pay for it. But yeah , I pay for it because I've worked in the field and I, it looks nice. That's the only reason I use keeper over last pass is I prefer

Each to their own. Isn't it? Well, that's it .

Um, so yeah, passwords , um, MFA and the big one is to think about , but, you know, whenever you get an email that says, you know, lovely ladies in your arrow area want to meet up, I mean, we'll can tell that that's a scam believes me. I've I've checked. They never show up. Sorry. I love that joke. It's a good joke. Um, you know, just, just think about it whenever, whenever you get an email is a big one. So a lot of, a lot of scams comes through email or Facebook messenger and stuff like that. And if you get something that says from a one that went around a while ago, it was like from the DBLA . Um, I got it .

One that was very, very convincing, very good. I store a fault. The only reason that I, I want to say I didn't click on a buy store . I went, hold on a second. I think it was telling me my mot is up. And I was like, I know for a fact, my mot is not up and I'm not going to click on that. If the DVLO have a problem, they can call me. So I just deleted it. And, but like, but it looked so convincing. Yeah .

Well that, that that's exactly the way that I look at it . A lot of stuff like that, like , um , DBLA , um, uh, London property tax, you pay your rates from, they they've sent ones out . And generally whenever I get emails from that I look at and go, they'll send me a letter. Yeah. So that's , that's my first check for. And then government related, if the email comes in and it was like, they'll send me a letter. If they're really looking at me, they'll, you know, they'll put it , they'll put something through the door, but for other things like, you know , um , there was a DHL email that was going to Ryan send , you knew your power parcels being delayed, click here for one thing. Okay. I'm actually expecting tonight . And you'd be surprised how many people click on links and was like, Oh yeah, it doesn't think I was actually expecting any parcels, but I wanted to check and see that that's that's your first flag is okay. If I'm not expecting, and I can , you know, what they need to do with this. But the big thing that you can do with emails like that is go directly to the website, ignore the email more or less, and go to the company's website and search for whatever it is you're looking for in you log onto your kind and see if you have any messages pending . Or if you're really concerned, email the company, don't reply to the email or messages that you got, but go to the company directly through, you know , their website, look up their email address and send them a message. Cause in some cases they'll want to know that you're getting emails, pretend to be them because they have the resources to actually try and track it down and stop it from happening. Um, so, you know, little things like that, just, you know, don't click on links really in messages and stuff like that. And if it seems off or , um, you know, out of character, you know, you get a message on Facebook from someone and it doesn't seem right. You know , don't, don't touch it and go and speak to the person, you know, send them a message through WhatsApp or something else and be like, here you are you giving away free puppies ? You just sent me a message on Facebook. What's going on. Um, you know , we, we, things like that just to, just to, you know, put a, put a bit of skepticism on everything.

Yeah. That's healthy bit skepticism with. Everything's always good. Um, I know I said that was the last question, but what you just said triggered in my mind, a couple of more questions if you don't mind. Sure . Yeah . So with emails, when you receive an email and it's like, again, DHL or the DBLA , if someone's emailing you, is that a surefire sign that your coin has been compromised and a data dump like that the fact that they have your email address, does that mean that that email address is guaranteed compromised? The fact that they can reach you in the first place?

Yes and no. I mean, most if you've had it , if you've had anemia like kind for any length of time, odds are it's being leaked somewhere, right . They happen all the time and there's not much you can do about it when they are leaked . Um, now companies do have to make you aware of it. If banking information or other personally identifiable information is leaked and by law, they have to let you know about it. All of them do, but it , yeah , if you've had any kind of frantic time is probably going to be compromised, but that isn't the only way that attackers get information and they can also get it , um , almost legitimately. So a lot of companies in their T's and C's, whenever you sign up for a kind , they'll say we're allowed to share this with our partners or, you know, do, do whatever , um, with the email or the, the information that you put in , um, there's a lot of Facebook , um, like memes or other, such things, and that whenever you sign up to, so it could be even just something like, Oh, Hey, I'm having a competition. Um, you know, sign up here and you might win , uh , uh , uh, uh, Alexa or something like that. And you sign in, it could be that, that , that competition is just fabricated. It's not actually real. And all they're doing is just gathering a list of email addresses off people. Um , so there's things like that. Um , especially with a lot of free services, they will , um, just sell your email accounts, a whole list of them to whoever's buying. Um , so that's in our head to think of is whenever you're signing up for an account for whatever service, if the service is free, you might have to think to yourself, okay, why is it free hire they making the money? And in some cases can just be, it's got odds on the website, which is far, you know, they're making revenue that way. But a lot of cases, they're just, they're selling email kinds and other information.

Yeah. A quote I came across recently, which , uh, hit me quite hard actually was a, if a service is free, you're the product. Exactly. Like crap I am . So yeah, that made me do a big think . And my final question on email is, and stupid question alert potentially here, but if you use , yeah , yeah, that's true. Uh , so let's say for example, that you aren't , you click on an email and you immediately like our crop, this potentially this is , uh , you know, a hacker or something is just clicking on the email, allowing them access, or do you have to click on the link they've provided?

I love the nuance. It's the detail, I'm a stickler for. So usually most movies attacks . Um , you have to click on the link and usually an efficient attack that , um, you know, the likes of a general person will get there. They're usually harvesting the passwords. So, you know, whenever you click on a link, they'll take you to some webpage and it'll either tends to try and install some software on your computer, to, you know , a virus to collect information more. It'll just take you to a login page. You know, it looked like a Microsoft login page, you type in your email and password, then they capture, you know, it's just , it's mocked up to look that way. There are attacks that they can do where, you know, you opening the email can run some things and it's usually based off macros and don't worry about it , technical jargon. It can, but it's not very likely for two blogs because they're , um, most email servers will, or most email , um , sort like G meal I'd look , um , things like that. They'll, they'll have inbuilt protections against stuff like that, getting through , um, and to get to , to make something that's able to get through those filters. It takes a long time and a lot of effort. So those types of attacks are usually more, you know, for a company, you know, someone's trying to get access to a company and they're determined to get that company , um, attacks like that that are more sophisticated could happen. So most accounts or sorry, most emails , spam that you'll get through, as long as you don't actually, you know , click on and hang in the email, open any attachments or anything like that, you're usually fine to new . You can look at the email okay. And read it. Um, but just don't click on anything .

Right. Okay. That's good to know, because I know, I think it was a couple of years ago. I do remember I clicked on something , uh, not really paying much attention to it when , Oh my gosh, this is quite clearly, you know, onto ward . And I'm like, I ran a full virus scan and there was nothing there, but I always, you know, at the back of my mind, I was like the , I just have to click on the email for it to get free or so-and-so yeah. That's a , that's good to know. Um, so that's the end of my questions, but we did have a lot of interest in this particular episode when I , and I said it was happening and I know you puts field with some questions as well, and we do have some questions from the audience. Um, so our first question is how can you tell if a website is genuine and secure, especially if you're buying goods from them.

Yeah. That one, that one's a fun one because there's, there's whole areas of research into that. Um, something I do want to sort of debunk is that there is a myth. If you look in the top left hand corner, there's a little green padlock, and they're saying that, you know , um, if , if that padlocks there , the websites , okay. It's not the case. No, that padlock yeah . Is a good indicator because if it's asking you, especially for like banking details and stuff like that, make sure the padlock's there, because all that's saying is that the people who own the website have bought what's called a certificate. Um, it's not like a sort of, yes, we are certified good people. It's a computer certificate that , that , uh , allows them to encrypt their information. So that secure going from your computer to their servers, you know, so if anyone was sort of sitting in the middle in , what's called the man in the middle attack originally , um, they, they can't, they can't get that information. It's just called bully to them. So if the website doesn't have that padlock definitely don't enter in any , um, banking details or anything important like that. Because if someone is sitting in the middle, they could lift up, but it doesn't necessarily mean that the website is secure. If it has the potluck, because , um, anyone can buy a certificate. They aren't expensive, you know, a couple of pound F even you can, you can get a certificate for your website. So, you know, an attacker, if they're really wanting to get people's data, they'll buy a certificate. And so their website will look the part, but not actually be legitimate as far as actually seeing whether the website is genuine or not. It depends on what you're go onto the website for, if you're going to a very specific website. So say , um , paper, let's say you wanted to go to PayPal. You wanted to check your balance, check the actual URL. So in the, in the top , um, I don't know what you are actually stands for. And now that I think about it, so I can't tell you what that acronym acronym means, but it's the bit that goes, www.whatever.com in that bit. Just take a look at it and make sure that it looks okay. So if you're going to paypal.com, make sure that that wee bit says paypal.com and doesn't say, pay underscore exclamation, Mark Paul underscores , smiley face dot whatever, because each URL is unique to a website. So, you know , it will look , um , um, you know, it will say PayPal, whatever, whenever you're buying things online, if you're trying to go to a , um, um, you know, so say I think Etsy is the most obscure , um, purchase place I can think of that's legitimate. I'm sure some people are going to complain about me saying that they sell their artismal B or S or something on it. I dunno . So first one that popped into my head. So I apologize running. We make some money off that say , but let's say you were going to Etsy and you, this was the first time you'd heard of it. And you, you weren't sure whether you should trust it or not. One thing you can do is Google the company. So , um , look for reviews on it, because if the company itself is dodgy, you know, it's , they're going to scan someone and odds are that person's going to have complained about it somewhere on the web, on their own website. Don't trust the reviews because they could be FIC . They could just be keeping good reviews. They could be typing them themselves, or just removing anyone who complains. So, you know , go back to Google, look okay at say , you know , is it okay? You know, Google is something as simple as that and have a look and see whether anyone's actually complained about the website to say, yeah, I bought XYZ . I had never arrived. They took them online . Yeah. Um, and the last thing you can do is make sure that you, if you are buying something online from a website, you're not sure about, honestly, if you're not sure about the website, I wouldn't buy from them . If your guts telling you this isn't right. I wouldn't. But if you want to have that extra level of security and make sure you use something like PayPal, because PayPal will guarantee that you'll get your money back. If they, if you are scammed, if you have multifactor enabled, Sierra kept keep coming back to a multifactor. If you have that enabled, if , um, some, some websites will like put a front up. So if you say, okay, I want to pay through PayPal. They'll sort of put up a fake PayPal stream to get your password. Yeah . That can happen. Right . If you've multifactor enabled, it doesn't matter if they've got your password. It does, but they can't get access to your, exactly. They can't get access to your account right away. And you'll start getting pinged on your phone to say, Hey, are you logging in? And then you can go in and change your password. And, you know, you haven't been compromised that way. So generally trust your gut. If you think the website is a bit iffy, I wouldn't touch it. I would go somewhere else. Um, and you know, use Amazon or Etsy or marketplaces are available.

Yeah. Yeah. Fair enough. Thanks very much for that. I certainly learned a lot in that one . The green padlock thing blew my mind that to me, I look at that and I go, ah , you're signed. Okay. No more. So

It's not the case . Oh . And also on the, on the flip side of that, just because a website doesn't have a potluck doesn't mean it's inherently dodgy. Um, a lot of blogs and stuff. It depends how much people who are into it will be on blogs, but you know, some websites, you know, if they're just having like texts on them, you know, they don't really have a, it's just information , a little , whatever else, you know, that they don't really need to be encrypted. So why would they pay the money for the, for the certificate, you know?

Yeah. Yeah. That's really good to know. Uh , thanks very much for that. So next question from our audience is , uh, con data BCF with cloud services.

Can you guess what I'm going to say here? It depends.

I mean, it, it, yeah, it depends. So one of the concepts and security is, is assign a value to the information or the data, because there's no point spending, you know, a million kinds to secure data. That's only really worth like a hundred, you know? Um , and I know in a personal environment, in a business, it's very easy usually to make those equations there's teams that, that sort that I have for you and work out how much data is worth. Yeah . As a person it's difficult to assign value to it. But generally Clyde , um, cloud providers, you know, they're , they are usually very secure. Most compromises that come from a cloud provider are done to , you know, your password being insecure or being leaked somewhere else. And they get access that way. Yeah . So, you know, usually the actual systems that the cloud providers have are, are secure enough that, you know, you're not, you're not going to get compromised. However, there is the argument and , and I , I say this a lot, all the time, the only way to keep something safe on the internet is to not put on the internet. Right. Basically, you know, if you're putting anything online, you have to come to terms with the fact that, you know , it could be compromised. Um, you know, these big companies, yes. They have really good security and all that, but people up, you know, there could be a mistake. Something could happen on someone could get in and get away with the data. Yeah. The plus side with big cloud providers like that though, as you have a bit of , um , what's called security and obscurity, basically your data in comparison to all the data they hold is tiny. You know, you're, you're in a far corner of a server room somewhere there's far to see or targets in there. So if an attacker did get in odds are, they're probably after different information, you know? So it it's a toss up it's , um , entirely your own choice. I use cloud providers and I feel perfectly comfortable using them. Um, but it's, it's entirely up to yourself.

Yeah. That's really good to know. Yeah. Um, if there's anything I've learned from today, it's the, the topic of cybersecurity is not black and white. It's a very nuanced topic, but as nuanced as it is, what it keeps coming back to is, is your personal responsibility to be CFO in line . But the tech companies can do their bit or fulfill their end of the bargain. But ultimately if you don't want to have your details leaked or, you know, have somebody steal your money or your, you know, maybe your personal photos or something, I don't know, wherever you would put on a cloud service, it's up to you to take charge of that and to make sure that you're safe and secure. And yeah, that's, that's a very good one. Um, so our next question from the audience , um, is all these new wifi devices on the market. So doorbells, light bulbs, et cetera, are there any security risks associated with them? Can I assume what you're going to say next Chile , you would be wrong.

Yeah . The , the short answer is yes, there are security risks, but whether those security risks are important,

You guess what I'm going to say? Depends.

Right. So, as I said, you know, the security of things, usually isn't what you think, you know, what you think is going to be the biggest problem of your system. Usually isn't what the , the attackers are going to actually attack or going to use it for all these cloud devices. Like, you know, your ring, doorbells , um, Alexis, your whom hubs, all that stuff. They can potentially add effectively a tunnel into your network for an attacker to get in, but you would have to ask yourself, okay, well, why would they want the into my network knew what, what what's actually appealing about getting in and, you know, getting onto my laptop when really, there's probably easier ways to get a general person's details. You know , if they're after your banking details, they would probably just send out a series of phishing scams and stuff like that to try and, you know , get access to your passwords. That way going in through an IOT device is, I mean, depending on the IOT device and depending on whether you keep it up to date , uh, you know, it can range from easy ish to quite difficult. And, you know, in most cases, an attacker is not going to bother spending the time they'll try and find an easier target or they'll try a phishing scam. Um , so there are, I mean, there are security risks with it because the more IOT devices you add, if you think about it, that that device is then going out to the internet, going out to its home server to, you know, whether, if it's using Alexa, it's checking with the AI. Um, if it's say a security camera, usually it's going out to the cloud so that you can access it wherever, you know, you can check it from your phone. You don't need to be on your home network to see the security camera that's because it's going back to its home server and it's, it's, it's being stored there. Um, so all of those things are tunnels, odor and into your home networks. You know, they, they do add a bit of a risk, but as a game for a general user, there are easier ways to attack you. And if someone isn't actively targeting you, which is very rare for a general person, usually active targeting happens because, you know, you work for a company and they want to attack that company, not you specifically, or, you know, if you're , um , a social media influencer or something like that, or, you know, you're, you're online and, you know , stalkers and stuff like that, then you might get more targeted. But in the mean for a general user, an IOT device, isn't really going to cause a massive increase in , in security issues. Um, there are things you can do to secure it. Um, I'll not cover them. No , because I think that would be a whole topic in of itself. But there are, there are things that you can do to help , um, help minimize the risk if you are concerned about it .

Yeah. That's definitely an episode we'll have you on , on the future and how to secure your Alexa devices and your all these tunnels that you speak of and to your network. Um, although I do have a quick question, I recently invested in a mesh wifi. Um, so for the audience, you do want to know that you've got your router , um, and grant can correct me if I'm wrong, but obviously if you have it at one corner of the house at the other end of the highest , it's the signal's not going to be as strong if you just , if you were standing right beside it. Whereas the mesh wifi spreads the signal, I over the heist . And I , I did a bit of research with mine or mine comes with built-in antivirus , um, night to me, correct me if I'm wrong. What I'm getting from this talk today in cybersecurity is it's a bit like an onion. The more layers you have, the more difficult it gets , it needs to get to the core information. The less likely you are to be attacked. So for me, like the first line of defense into my home is my internet, but it's got, you know, the built-in antivirus , uh , uh , Nan , I've got my computer with its own again on my phone with its own dedicated on the virus. Um, and then I've got my, you know , you suggested passwords if it's 25 long characters and upper and lower case and stuff. So I would, I would imagine at least I'd hope that I would be a harder target to hit and try to attempt to steal from and potentially some other people. Um , would that be a correct? Um, would that be a correct assumption?

Yeah. Yeah, definitely. I mean , um , actually you're , you're talking about layers there and it's, it's a valid point. If some of the current situation that's going on in the world at the minute, you may have seen the image of the Swiss cheese model and the of it . Yeah . That was stolen from cybersecurity. That's I have seen that model years ago. I'm sure it's probably used for other things as well, but it applies for cybersecurity . You know, the whole that you've got in the , in your first layer of defense might be caught by the second or third or fourth or whatever. And the idea is that by the time you get to the end, you know, there's not nothing to very little, it gets through. Um, as you said, your mashed wifi has , um, it , it says under virus, I would hazard. It's probably more of what's called a firewall and a lot of people , uh , a lot of devices turn to the freeze on the virus. Um, because it's, it's easier for people in general, people who aren't an it to, to understand, you know, it protects your system. Um , whereas in it, we use the term firewalls, but people think of firewalls as big technical boxes and stuff, and they're not. Um, but yeah, effectively that's, they're , they're just , um , that actual layer of protection. So yeah, I mean the more you've got the better.

Perfect. Okay. Well , it gives me a warm, fuzzy feeling inside. Um, uh, our next question from the audience is can you ever be totally secure online? No, that a straight up answer. I liked it, but then I suppose that ties in with the previous answer as well. All of make it as difficult as possible. You can't be secure when you go in to this big, bad world or the internet. In fact , that's not fair. The internet is a combi, a good and a bad place. It's a tool, but you've got to utilize it correctly and protect yourself correctly. Would that be correct? Exactly,

Exactly. It's um, uh, funny my wife and I she's in cyber security as well. Um, and , uh , we were talking about the internet and the regulations I'm sort of compared it to the wild West at the minute, you know, the laws and regulations and policing and stuff just hasn't caught up with it yet. It's getting there, but it hasn't caught up with it yet. So people are just, you know, like the wild West sort of home law, you know, doing , um, you know, what , whatever, whatever they can get away with, basically it is getting better. But yeah, it , it , it's one of those things you have to, you have to , um, take responsibility for your own security and , you know, do those steps to try and make sure that you're not an easy target.

Yeah. We'll see. I wonder what the equivalent is of the classic cowboy scene with the tie and empties and there's the two shooters in the street and the tumble week goes by, well, bossa , what's the cyber equivalent of the tunnel .

We'll wait. Yeah, that's a , that's ,

That's a question for another podcast.

Yeah .

Um, and , um, so this is , uh , an interesting question I'm about to ask, because this is going to touch on another episode that you're going to come on and do a career in cybersecurity. So if you have a ever fall by a career in cybersecurity, or even this episode has piqued your interest in the, the fight against hackers and grunt will be coming on , uh , again, in the future to discuss a career in cybersecurity, what that looks like, what it involves and what you can look forward to in that career, but we'll touch on it very briefly. So another question from the audience , um, what do you think is the best way to have qualifications to get into cybersecurity and what is involved or what different branches of it are there , uh, that you can work in a lot and loss . So it's not a very, very singular black and white career path . There is , it's quite varied in it's it

Definitely, definitely, definitely. Um, so on , on this side of cybersecurity, actually, you had mentioned at the start, what you call a cybersecurity person. Um, actually there is an answer to that they're , they're called white hat hackers, right? Okay . A black hat hacker is , um, you know, th the attackers they're the bad guys and then the white hat hackers are, the good guys is what's been adopted. There is also a term called gray hat hacking, which is where you hack things and break them and do all that, not for malicious purposes, but just because you want to yeah, yeah. Basically still very much illegal. Any audience do not do that. No , no . There is, there's a lot of videos actually online of , um , you know, those cold calls, scammers, and it's people hacking their systems and they do it on YouTube and I'm looking at it going that's all well, and good. And I can understand that they're doing it for a good purpose, but they are, that's still illegal. And there's video evidence of them doing this. I'm very surprised they haven't had a knock on the door. Yeah. And from the pillars, but I'm sorry, getting back to the actual , um, topic at home , um, cybersecurity , um, in the rule can sort of be broken down into two chunks, the red hat or sorry, team blue team. Um , there's a bit of rivalry between the two teaming is what most people consider , um, cybersecurity and hacking. Um, usually they consist of pen testers. So people who actually try and break systems legally with permission, of course. Um , and then blue teamers are on the defense side and which is what I do . And that's , um, trying to protect the systems and make sure that they're secure in the first place. And so there is a bit of rivalry, tumors , and blue teamers have they come in to break the system and we try and keep them out. And then they give us a report saying, this is how we broke your system because they will , you know, you can never , uh, with the best will in the world that you can never have a 100% secure system. So then they'll come and give you a report and say, Hey, this is how we got in. And then it's our job to you to then go and fix it and also try and prevent those things from being there in the first place. But , um, yeah, there's , there's so many different brunches , um , under blue team and unread team that, that you can go into from application security and network monitoring. Um, yeah, I'm starting to go into, yeah. I could break down what network monitor it is or applications put that. We'll , we'll leave that for maybe for the litter and litter episode. Um, but yeah, there's so many different branches to it, and it's probably hard to know from the outside of cybersecurity, which one you might actually enjoy. So , um, if you're in uni, you're, you're, you're laughing if you're in uni and you're considering a job in cybersecurity, get a placement somewhere, or , um, you know, most places have paid internships and stuff, go do that and just get experienced in the different fields. And you might find which one you actually enjoy if you work in it, but not specifically security. I would argue that you do work in security. You're a blue teamer because anyone on the inside of the fence should be doing security things. Um, if you don't work in it at all and you're trying to get into it , it's, it's tough. Um , I'm not going to lie. You're going to have a hard time getting in, not impossible by any means. Um, no , I don't mean that to dissuade anyone, but your best bet is probably to , um, try and look at certifications. So try and get a good starting one is the comp tier security plus it'll give you a really good bedrock. And if you go into any company , um , looking for a junior position or their votes in a cybersecurity field, if you've got the comp tier plus you'll be well suited , um, to , um, to get into, or we can go into those dollars a whole lot more to that, that we can talk about it in the, in the,

Yeah, I personally am very interested because I, the fact that this is blew my mind that there's red team and blue team generally sounds like a little bit of fun. Like there's this rivalry and stuff is quite good. Um, yeah . Thank you very much to the audience for those questions really appreciate it. And you can look forward to more Q and A's , uh, when grant comes on , he's going to come on at least once a quarter , uh, at very least. And , uh, obviously depending how this goes on and people go actually, no, we really want to get stuck into cyber security. Cause this is a big part of our lives. I'm sure me and grandkids or something. I , um, but , uh, yeah, that's covered everything today. This is for you, hopefully has been a good introduction to cybersecurity . And I know I certainly have gotten a lot from it, so massive. Thank you, grant for coming on and having a chat about this topic, which again, prior to this episode, cybersecurity was just a buzz word for me, NY , I'm feeling, you know, a little bit confident , um, you know, I'm hopefully secure, but I know there's areas I certainly could improve, but yeah, this has been very valuable for me and I'm sure very valuable for the audience as well. Um , so if the audience wants to find out more about cybersecurity or more of the content that you provide, where can they find you? I mean, cybersecurity, nobody, I don't know. Talk to someone who knows cybersecurity better than me. Um, there's also , um, no, so I, I have a YouTube channel which does , um, some cybersecurity I've started brushed into it before that it's, it's , um , really use and things like that. I think it's interesting. You can judge for yourself. Um, it's called [inaudible] all one word. It's going to be green logo. Um, and uh , if you want to contact me, I'm on Twitter , uh , brain's nine three, three. I believe I'll , I'll send the details to them , um , so that they can be in the, in the show notes. Um, so you can message me on Twitter, if you have any questions or on the , um, uh, curious Ulsterman Facebook page, if fees are all nuts, if you aren't, you should be , um , if you're all not , I Potter by on there. So if you ask a question on there, I'm sure I'll see it. Yeah. Um, so yeah, yeah. Thanks very much for that. Yeah. Um, there's quite a lot. It's going to be squeezed into these show notes between the , uh , password website suggestions. The, there was a Walnut by trolling. You give your , uh, email to their website. [inaudible] great name and yeah, we'll provide all those details in the show notes. But , uh, once again, folks, thank you very much for , uh, joining us on today's episode and we can look forward to see you having grown on here again. So thanks very much grant . Thank you. Thanks for having me. There you go, folks. I hope you enjoyed that chat and got value out of it. If you did, please do leave a rating and review that goes a long way in helping this podcast grow. And , uh , if you want to be informed of more content coming your way, then please do subscribe to all the various social media platforms , uh, out the curious Ulsterman. And once again, folks, thank you very much for tuning in. I appreciate it all the best. Bye

[inaudible] .