Ivanka: Welcome to The Art of Services video series on cyber security risk management. And today I have with me my friend Jason Hawkins. Jason is a digital marketing whiz-bang person. He’s spent the last 18 years, in his words: “turning napkin ideas into an impressive portfolio of digital projects for his clients.” One of his other businesses, however, and that’s the one we will be talking about today is hack rescue and hack rescue is an evolution of their long-term web development business. So his team of hack repair specialists are dedicated to quickly resolving hacked websites and systems and they have years of experience in doing that.
So Jason, welcome to the Art of services series on cybersecurity. And I am intrigued.
Jason: I’m looking forward to talking about it.
Ivanka: So tell me what has been the most significant reason for you to get more involved in cybersecurity?
Jason: We host several hundred websites for clients. And in more recent times, probably around 3-5 years ago, the rise of fairly common hack attempts on WordPress and open source websites was on the rise. And over the course of that time we were actually fixing a lot of websites and we got really good at it and we got really, really good at resolving quite quickly. So we thought we’d turn it into a business and we had a bit of expertise in that. So, it came out of practicality really, just getting to know not just our clients, but then getting calls from other people as well, knowing that we were able to fix stuff quickly.
Ivanka: Yeah. So in true entrepreneurial spirit, it was the client demand, like you sort of went “hmmm. There’s something to this.”
Jason: Yeah, definitely. It went ballistic there for a while before security plugins were common there. So yeah. Yeah, it was pretty vibrant.
Ivanka: Yeah. And your focus, as you say, with hack rescue is really around websites, mainly WordPress sites. So, it’s really the online side of a business. Not so much the I.T. security for internal infrastructure for networks and systems and databases and all that sort of stuff. But it’s really the entry point for a lot of the cyber-attacks. Is that a fair assumption to make?
Jason: Yeah, so we do get calls from people saying “Hey, their network’s been compromised.” But usually, there’s quite a significant, I’d say 98% of cases, there’s a separation between their web presence and the network infrastructure. Occasionally there’s a crossover, but in our experience, you know, they’re hosted by larger players in the hosting market and they’re quite self-contained. Which is a good thing really because the amount of sort of brute force activity going on is just extraordinary. So, that sort of holding them in isolation from a public website perspective, keeping it away from your network is actually quite important.
Ivanka: Yeah. And when you say brute force, what do you mean by that?
Jason: If you install a plugin on WordPress, for example, that logs the number of people trying to log into your administration area of your WordPress site, you’d probably be very surprised at brute force attacks. So they’re just trying multiple passwords every couple of seconds or every couple of minutes depending on the visibility of your site. It’s very common. Every WordPress site will have that to some degree. You probably just don’t know that it’s happening.
Ivanka: Yeah. And you mentioned a time frame of three to five years, so what has happened in that period? You know, where did cyber security become such a big issue?
Jason: I think just with the rise of open source sites and themes like a lot of WordPress sites. You know, there’s millions and millions of WordPress sites, just using WordPress as one example.
Ivanka: Yeah. Because this is not isolated to WordPress sites, it’s any type of website.
Jason: No. It’s Drupal, Joomla, WordPress. WordPress has the biggest market, so it gets the most attacked. I guess there’s so much common code out there that’s accessible by hackers, so it’s quite easy for them to construct methods to interrogate the code or the database or the server. I think it’s just the rise of the availability of that code and the commonness of it.
Has it peaked? I don’t think it’s peaked. It’s certainly changed. It’s gotten much more cloaked in how they do their hacking now, from what it used to be. But, that’s sort of just working around a little bit more of the methods that go on in that environment. So yeah, it’s certainly trying. It’s not as direct as “hi, I’m going to change every file in your use of the structure.” It’s little hidden things that then start to grow over time, in most cases. No one hack is really the same, we find.
Ivanka: It’s a lot more sophisticated these days. And is it seasonal or cyclical? When do you see the most hacks happening? Because I know from personal experience, you know, five to eight years ago we knew exactly when school holidays in the Ukraine would start because that’s when our site got hacked or something would happen. That doesn’t seem to happen as much or we haven’t had it for a long time. That could be the maturity of our own system, but it could also be that hacking is cyclical in itself. So what is your experience in that?
Jason: Yep – it is .. we do get a lot over Christmas, Christmas breaks and the holidays. So maybe the holidays it’s kids or students testing stuff. I think it’s more because they know that sites won’t be monitored as closely when people are away so they target these downtimes. You know it’s like Sundays, Friday night – Saturday and Sunday are very common days for sites to be compromised.
We normally don’t get a call until 4-5 days after it happened. It’s very rare for people to discover it right away – unless they’re on to it – or if it’s defaced in some way but that’s not that common.
Yeah – definitely the weekends…
Ivanka: Yeah. Does it matter whether you are a small business or a large business? You know, the larger you are, is their assumption that there’s a more sophisticated I.T. system I.T. infrastructure that protects more from hacking and hack attacks or is it a one size fits all?
Jason: It’s a really interesting question … in some cases it really does depend on the hosting infrastructure. So how proactive is the facility in keeping the versions of cPanel or the common hosting management tools up to date. So, that’s definitely one side of it. But, it’s also related to just how proactive organizations are with keeping their sites up to date and including all the elements around the site. So not just the core install, but the theme, every plugin that’s used, there’s all these different elements that need to make sure that they’re kept on their latest versions. That goes a lot towards keeping a clean slate. But having said that, we do see the occasional “hey, everything’s up to date and targeted” and that’s just how they found a sideways angle to get in.
Ivanka: With smaller businesses, whether it’s a single, like a solopreneur or a startup, or you mentioned WordPress because they have a really large market share in the space of content driven websites. What’s your experience or what would your recommendation be for organizations that use hosted services like a Wix or Squarespace? Is that a more secure option for small businesses or is it, again, doesn’t really matter?
Jason: We get no calls for hacks on Wix sites.
Ivanka: Oh, that’s a good thing.
Jason: We don’t get any calls for Squarespace sites. In that hosted solution they’re being very proactive in their own way to keep sites in their infrastructure hack-free. So they’d be going to extraordinary lengths also to make sure that they were not compromised. So, to avoid the bit of a headache of website management, Squarespace, those sort of hosted solutions can be quite brutal, be it restricted in functionality. It might not bring the flexibility that you need for your web project. But for a startup just getting under way, that can be a really good solution.
Ivanka: On the other side of the spectrum, large corporations, enterprises, what recommendation do you have based on your experiences on being prepared and being vigilant about their website or their web presence?
Jason: Yeah. It is definitely about being very, very proactive about updates and any sort of security monitoring and firewalling. So, there’s plenty of services now online that you can really boost or reduce your risk of being targeted. You’ll always be targeted but, reduce the risk of them getting in by using some of those sort of tools. You have firewalls and just turning off access, you know, common access to admin areas.
There’s several security plugins that are worth their weight in gold. There’s third party monitoring tools that allow you to catch file changes before anyone else knows they’re happening. Yes, your site may be targeted, but you can catch it before it becomes obvious in any way, so they might have just got in and changed one file on the server that you will know about it with good monitoring. So that can be very much worthwhile for the bigger guy, especially ecommerce. If you’re capturing a lot of data from your clients and that sort of thing. So yeah, definitely worthwhile being on the front foot rather than hoping it doesn’t happen.
Ivanka: Fingers crossed.
Jason: Yeah, hoping just doesn’t do it. You’ve got to be quite proactive. At the least quarterly in your approach.
Ivanka: Yeah. Do you feel that people that do this hacking, do you feel that they have a preference for a certain type of site or certain type of business or certain type of information? Or how do you see that based on the trends and the analysis you do from your customers?
Jason: It’s pretty random. I don’t think there’s any particular type of target. I’d say 80% of clients are SEO spam related type of hacks. So people penetrating inside, implanting links to other sites and so that will promote their SEO rank. It’s automated, injected from China, from Russia, very common sort of hacks. Probably about 10% of the hacks will be more related to phishing. So, serious attempts to get credit card information or form related information from random clients. Again, very, very random, but servers hate that and understandably so. That’s pretty much a site down – pretty much block access – pretty much straight away because that can get very nasty very quickly.
And then the other 10% is just random. Turkish hackers, some of the ISIS sort of stuff, defacement can be kids just experimenting with some Hacking Code. But, normally it’s, “Hey, we’re the XYZ hackers and we’ve proved how we can take down your site.” There’s no target. In the hundreds and hundreds of sites that we’ve resolved, I haven’t seen a targeted attack. The specific, “hey, this person hates this person. So I’m going to take your site down.”
Ivanka: Yeah, that’s good news out there for people that have divorces and exes.
Jason: Yeah, we do get asked that all the time. Like, “Hey, is this someone that we should be worried about?” But usually you’re looking at I.P. addresses of a source. I looked up one this morning and it was a Russian I.P address doing a brute force attack on a site in Adelaide. Really pretty random.
Ivanka: So what are the biggest myths out there around cybersecurity, risk management, website security, etc.?
Jason: I think one of the biggest myths, I would say that people going “Oh, I won’t use WordPress because it’s got security issues.” or “I won’t use Magento because it’s got security issues.” Quite commonly the core of the software is actually very secure.
It’s usually the tools that are added to make it flexible, to add a feature on a website. That is usually the item that becomes a security risk. So the system itself isn’t necessarily as it’s opensource it’s gone through versions and versions of versions of security updates, which is fantastic. But it’s usually the peripheral thing. So you know, if you keep the use of those plugins down to a minimum, then you’re reducing your risk. So yeah that’s the biggest myth. And maybe the myth that “I’m being targeted”, you know.
Ivanka: It’s a personal thing.
Jason: Yeah, it’s a personal thing. Yeah, as I said, it’s rarely ever a personal thing.
Ivanka: And so how can business owners prepare themselves? Like what is the biggest risk we face as business owners? Because 98% of businesses have a website or more websites, be it a content based website or an ecommerce website. So what is the biggest risk we run at the moment?
Jason: I think still the biggest one, and it surprises me still to this day that it is a problem, is passwords. And people’s choice of passwords is so average.
Ivanka: Oh, you mean password123 is not enough anymore?!
Jason: Admin123. Admin2018. Those sorts of things for passwords is very, very common. And, obviously, if you’ve got brute force systems being brute forced, they can work through thousands and thousands of passwords within a few minutes. So choosing a nice complex password or leaving the password selection up to the system. So generating a nice long chunky password that’s full of complex characters and just saving that in your browser encrypted password controller, or in your LastPass or using one of those password tools too. So you don’t actually really need to know the password, but it’s a process to go through. So, yeah, that’s absolutely critical. Choose really good passwords.
Ivanka: So what is the minimum requirement for passwords? What’s your recommendation?
Jason: 16 characters minimum with mixed. Yeah. I don’t actually choose a password myself anymore. I go to… actually I can bring it up. It’s a site called a passwordsgenerator.net, and it allows you just to press on a button and it generates password for you and you cut and paste it into where you want to save it and use your other tools for keeping that password recorded. So yeah, it’s great. I would do that on email accounts as well as passwords for your servers and anywhere, logins.
Ivanka: Lately, a lot of apps and sites and everything where you log in, they ask for the two-level verification. Is that something you recommend everybody do?
Jason: Yeah. It can be frustrating if you’ve got, it depends on your use. If you’ve got multiple people accessing the other, two factor authentication can be painful because it sends the password or code to the other device. But, if you know that you’re the only person accessing this particular bit of software, then anything additional like that, anything that’s mission critical, I would encourage it. Your banking for example, most definitely. Maybe not day to day stuff that you know, that has multi-access. But, yeah. Or just choose a really complex password. It’s easy.
Ivanka: Sixteen characters or more. So, from a preparedness point of view and from not being that vulnerable to attacks to cybercrime, what do we as business owners, entrepreneurs, business managers, what do we need to tell our staff? What do we need to teach our people? What type of training is required?
Jason: Yeah, that’s a really good question. It really becomes a cultural thing for us. I know business, it’s a “Hey, if we’re going to choose passwords, this is how we choose passwords. This is the methodology we use.” I would reach out to the professionals that actually know what they’re doing and if that requires training right across your organization, then that’s definitely worth doing if you know that you’ve got a baseline to hit for your security approach.
Especially I think in web world, a lot of people that access a website actually aren’t very technical, so they’re marketers. In most instances you might want to have a copy. A person that posts your blogs and access to your content. They might be offshore, that might be onshore, and they might be placed not in your office that in some cases offshore.
Have separate accounts for those people. Don’t let them log in as the administrator password. Take the time, set up the individual accounts and give them the rights.
I think, having a baseline approach of you don’t automatically earn administrative rights to a system. You’re given the rights to what… and sometimes it can be extremely painful from an employee perspective, saying “I can’t do that.” But having seen the other side of it and having seen so many compromised sites based on passwords or access or hacking, it should be really security first. Just so you know, it’s not getting any better. It’s just something we need to be conscious of and approach out in a routine of account setups with security in mind.
Ivanka: Yeah. I’m just thinking about the impact of being flippant about passwords and having your site hacked or have something happen to your online store; what do you, what do you see out there with your clients? Because obviously they call you in a panic because something’s happened. What is usually the impact to their business and how long does it take? I know it’s a bit how long is a piece of string, but how long does it take for the site to be back up again? But my biggest question is like, what’s the impact? And then I guess the question behind the question is, what’s the impact that we don’t think about?
Jason: It’s a really good question. The impact is pretty much connected to how long it’s gone on for and possibly the type of hack it is. So, say for instance, you are the target of a phishing attack and there’s a phishing website. So they’re trying to collect passwords and logins through your site. Google will recognize that your site is being targeted. So they’ll put up just a blank, “hey, this site, you can’t access this site, we’re blocking this site. It has malicious material on it, it’s just being targeted phishing.” So that can be a couple of days to remove. And then if your site ends up on black list phishing sites, then there’s another week or two or three or four of cleaning your domain with those black lists and proving to them that your site is clean. It can be pretty quick to actually resolve the hack. We can usually do it within a couple of hours to 24 hours, once you do some cross checking and scanning.
But the flow-on effect can be quite traumatic for some businesses because not only does it affect the website but the email domain becomes blacklisted. All of a sudden, your clients aren’t receiving your email or…yeah. Or they’re saying you email them and it’s bouncing back. So, there’s a bunch of those sort of things. It also depends on the productivity of the hosting facility to want to get you back online, because like some who may not have a lot of support capability will not be very proactive with you. This guy, “Hey, we’re just turning you off. You’re off.”
Ivanka: Good luck!
Jason: Yeah, good luck. Yeah. Yeah. So we get occasionally those sort of calls. Albeit, most hosting facilities, it’s in their best interest to keep the clients happy and respond. But I think some business owners just think that it’s not their responsibility. The hosting company, “My site’s been hacked. They can fix it or they should fix it. It’s their responsibility.” Well, it’s actually not. Firmly, these days, I think it’s firmly in the hands of the owner of the business because if they’re not keeping their software up to date, then they’re leaving their site exposed and they’re leaving the domain exposed. If they’ve got loose passwords in their email and their email gets compromised, it starts sending out a lot of spam, then it’s certainly…you’re responsible as a business owner to deal with that.
So yeah you want to be – I wouldn’t say on first name terms with your hosting provider – but certainly, test them out with some support questions and ask them what their approach is to targeted attacks and hacking. Some will charge a small fee to do the repair or just not participate at all.
Ivanka: Okay. So if… not if but, when a business owner is watching this, listening to this and they go, “Oh, I really need to do something to be better prepared. I feel vulnerable.” What is something they can do immediately or what is the first step? What’s the first baby step towards that goal of being better protected?
Jason: So first thing would be to call a web guy, a web dev guy or girl, and ask them to check in on their updates of their install of their software.
Second would be passwords updates. It’d be great if one day there was a national day of change your password or your check your password, sort of thing.
Ivanka: Like with toothbrushes. Every three months just change it.
Jason: Yeah like red nose day or something like that, you change your password day. Then yeah, that would be just doing that would, especially the upgrade, would prevent a lot of issues. Yeah, huge amount of issues.
Ivanka: Hm. So, then the other thing that’s front of mind for a lot of people currently, especially in Australia, is the mandatory data breach regulation in Australia and then of course in May this year, the GDPR in Europe; what are you seeing and what are you recommending that people do in relation to their web presence to be compliant with either or both of the regulations?
Because GDPR is basically every entity that does something with a person, within the union. Whereas the data breach regulation in Australia is only for companies that do $3,000,000 or more in revenue. So, you know, there’s different weighting in the regulations. So what can people do to help them be compliant?
Jason: I guess… I’m not a lawyer so….
Ivanka: Yeah. Caveat, caveat – without prejudice.
Jason: I think if you’re targeting clients in that space then you definitely need to review your privacy and collection policies related to that. I know for a fact WordPress now in their latest version have a privacy tool which allows you to notify your clients automatically, they sort of built it into this version to the GDPR compliance. So you’ll see a lot more of that.
As far as small business, I think it’s gone a little bit under the radar in Australia at the moment because we think we’re out of that sort of impact zone, if you like, unless you’re directly targeting Europe. Certainly there are other businesses, it hasn’t been a massive “we’ve got to change this, this and this and this”. So data breaches, it’s really interesting work.
Most commonly in small business websites, there’s not a lot of customer data in that space. You know there’s content, there’s maybe some purchasing, you know, ecommerce is different to that again. But, in Ecommerce there’s very rarely ever / never credit card details stored on the server where the transactions taken, you know, that gets passed onto PCI compliant gateways.
So, in a lot of instances, for smaller business, it’s not such an impact, but for some of our larger clients that are very proactive in maintaining their systems to be compliant in that space. It’s talked about a lot, monitoring is in place, it’s just switching from being reactive to proactive, more than taking the front foot in the process rather than just waiting for something or head in the sand, not being proactive, “This will never happen to me” sort of thing. So I guess it’s a productivity thing, but we haven’t seen a huge number of people knocking on our door as far as from our web development side of things to really tackle the GDPR thing. I think it’ll filter through over the next 12 months, most definitely as examples of how the enforcement will happen because the fines are just ginormous. We do have to certainly… if you’re purchasing email lists, I’d be very nervous. I wouldn’t be purchasing email lists.
Ivanka: I was going to say that’s a bit of a no-no anyway!
Jason: Totally, but I certainly wouldn’t be approaching business in that way.
Ivanka: Yeah. So the other thing that I noticed on that, because the data breach regulation, the mandatory data breach regulation under the privacy act in Australia, has only been in place since February this year. And I was looking at a report on the number of breaches that have been notified and it was actually quite a lot because if you think about you have 30 days to do remedial actions and if after 30 days you still think that the breach can’t be stopped, can’t be resolved and has potential to harm or you know what, let’s use the word harm, the people involved. That’s, you, know, in IT land thirty days is a long time, if you can’t fix it in 30 days and something really impactful has happened and there were like 63 or 68 reported between the 22nd of February and the 31st of March. And I was like, whoa, that’s actually Australia is not a big country with. So I’ve. And it’s only companies over $3,000,000 in revenue. So that’s a smaller batch again, so I was actually quite surprised. But I was more surprised is that 50% of those breaches was human error.
Ivanka: What is your response on that?
Jason: Absolutely, that’s the case. You know, you’re talking about leaving filing cabinets full of detailed information of Australian government clients and there’s a whole bunch of banking examples of that recently.
Humans are always going to make mistakes and it goes back to that very common example of the password choice. We used to have a guy work for us who was just an insanely clever hacker and you know, we’d ask him with years and years of pretty clever work (he doesn’t work for us anymore). However, you know, we’d ask him “What’s the easiest way to get in?” and he’d say just walk into the building and talk, just infiltrate viable people rather than tech. And you just need that one little bit of connection to a user or password or something like that. But, you know, you can break through. Obviously there’s much more sophisticated ways to attack sites, but certainly the human, human intervention plays a big role. Maybe that will reduce with AI in the coming decades. But certainly, you’ll see a lot more examples of it and I think it’s a good thing that it’s being reported now, that there are mechanisms in place for notifying customers because you do see some pretty amazing examples of these hacks. And, yeah. Hopefully it will make people a little bit more proactive to take action steps.
Ivanka: So let’s change gears a little bit. Let’s have a think about, you know, put our crystal ball out. Go like, okay, where’s this going? What is the trend? What are you seeing out there? What’s in store for business owners that have websites?
Jason: I’m seeing a lot more, certainly the last two months, I’d say we’ve seen a lot more hacks that are quite hard to resolve, a lot more hidden. So they’ve been on the site for six months, four to six months, and the client will have no idea that it’s been sitting there for four to six months and something will trigger. So like a data load limiter or disc space volume or something that’s triggered the alert, rather than a client ringing up just saying, “Hey! I’ve just seen Turkish displayed all over your site. What’s going on?” So there’s a lot more submersed, underlying, hidden-the hackers are getting cleverer, pretty much.
More sophisticated ways of cloaking what they’re actually doing. Only displaying in certain mobile devices rather than a desktop device. You could use it all day and not know it’s targeted but looking at our mobile device. Or just targeting your google search results. Yeah. Some really more sophisticated ways of using your domain to assist them in whatever they’re trying to achieve. So, probably the thing around that is file monitoring or you know, as a business owner, think about doing some monitoring, and you probably need to talk to your hosting provider about how to get that off. Or there are third party tools that do that as well. But, having that in place would certainly help. You’d see instantly files that have been added to you, to the server.
Ivanka: Yup. Okay. So, final word. What is the thing that you, going through these last, what is it, 40, 45 minutes and you got like, “I don’t understand why she’s not asking me this”?
Jason: I think you’ve covered a lot.
Hack rescue, that’s all we do is deal with compromised websites. The volume and the change of those has changed over the years. I would hope, I would like to think that business owners are thinking more proactively, but quite often it’s not the case. In an actual fact it’s never the case. Out of sight, out of mind. They got better things to do. You need to sell stuff to run a business and make a successful business. The last thing you’re thinking about is…until it happens. Yeah. The safety of your website and your files. So there has to be some sort of annual calendar date in the business owners diary just check in on their web security and then password security I think would go a long way.
Ivanka: Yeah. It will be just as important as Valentine’s Day.
Jason: It’s my wife’s birthday. How could I forget? Buy flowers, buy cake.
Ivanka: Exactly. Password, flowers, cake. Thank you so much for your time, Jason, that was really, really good. I really enjoyed our talk. If somebody wants to reach out to you, where can they find you? Obviously I’ll put your LinkedIn profile in the description. But is there a social media platform that you frequently visit and that people can reach out to you or…?
Ivanka: Excellent. Well thank you again for your time and hopefully you’ll be really quiet these days. Everybody’s changing the passwords and is vigilant about…
Jason: I look forward to it!
Ivanka: … their security patches. That would be lovely. Thank you again. Have a lovely day.
Jason: Excellent. Thanks, Ivanka.