Open Access Government speaks with Javvad Malik from KnowBe4 on cybersecurity awareness programmes and the dark web
Lead security awareness advocate at KnowBe4, Javvad Malik explores security awareness and security issues – primarily with a focus on the human element.
Q) I work as an editor – what would you suggest that I do to make sure that my activity online is safe?
A) If you’re using the web regularly then I’d say make sure your website is up to date and that your device is up to date and fully patched – that’s number one. I’d say using something like a password manager is really good practice because that will help you choose a unique and strong password for every single website that you need an account for.
What we find is that a lot of people use the same password across many different websites. So if I somehow guess one of your passwords or break into it on one website, then the first thing I’m going to do is use that password against every other website I can think of. And if you’re reusing the same password, I can get into lots of your other accounts, including maybe your corporate accounts. So using a password manager to have unique passwords is good.
And the other thing is just turning off any services you don’t need. So sometimes you get a new computer or a phone and you have these apps on it that you maybe don’t need or don’t use or there’d be extensions on your browser. So just turn them off, disable them or uninstall them. If you don’t need it, then don’t have it there because all of these unnecessary apps could potentially be an avenue through which someone could gain access to your system.
Q) Your tagline on your website is ‘Human error. Conquered’? Can we truly conquer or eradicate human error?
A) I think it’s kind of like an aspirational tagline in that regard. What we can do, we can just reduce the risk. And that’s what it’s all about. It’s like you can have all the safety features in the world on anything. It’s like saying, will an aeroplane never have a crash? No, you can’t actually say that, but with all the controls and safety measures we have in place, you’re really confident that when you get on a plane, it’s going to get you to your destination. You think you’ve got to be unlucky to have a crash.
We’re trying to get to a point where we can reduce the risk to a point where browsing the Internet in a normal manner and logging onto websites, becomes relatively safe. We also want to reduce the likelihood of you being hacked or someone stealing your information or getting into your browsing. We want it to become the exception and not the norm.
Cybersecurity isn’t just relevant to organisations and digital firms
I think ultimately the human element plays into everything that we do. Whatever happens, even if it’s a computer-based attack, there’s someone that coded that or implemented that or architected it. So it’s something that will be ongoing, but I think it’s something that we need to focus on beyond just even corporations, it’s something that impacts everyone in our daily lives. All of our lives are digitised nowadays. It’s like everything resides on an electronic device somewhere. We access stuff through an app. So being more aware of what you should post, who you should share stuff with, and what’s relevant or not, I think that it becomes more of a societal issue. Cybersecurity isn’t just relevant to organisations and digital firms.
Q) How can you protect yourself from identity theft?
A) Identity theft is a really hard thing to protect from because it depends on where the criminals get the information from. Say, if they’re able to hack into a government website, say they get into the DVLA, then there’s nothing as individuals we can do, because we have to provide them with our information stored by them, and we trust them. And if they get breached, then that information is there. That can be used for identity theft.
But I think more on an individual level, we should just be really mindful about the amount of information we share with who and for what purposes. So a lot of websites will sometimes ask for information, and if you look at it, it’s not really relevant to that. So I don’t give up information unless you absolutely need to. Don’t be scanning or taking photographs, like your ID, or your passport, uploading that to websites just to get on a new social media platform or something like that. Look at their privacy policy sometimes, especially in Europe, we’re covered on GDPR, and you can see whether they’re committed to it.
And if you feel like an organisation has used your information for other reasons than why you gave them the information, say you signed up for one service, and suddenly you start getting spam from another. You can report them online, like to the ICO, the information commissioner’s office, and other such organisations, and they can investigate that, and where relevant, they can penalise those organisations. The final part is: that you can set up things like credit monitoring services or identity monitoring services just to see if someone’s taking out a loan in your name or someone’s taking a credit card in your name or doing something similar. So whatever you do, you can get tracked, and you can get alerted whenever any such activity happens. So these are all things you can do to try and minimise the risk of identity theft.
Q) What’s the most common sort of data theft and how is it traded?
A) There are a couple of different types of data that are commonly traded. I suppose certain data’s quite easy to get hold of. So credit card information, payment information that’s really quite frequently skimmed and stolen, because you can take payment data if you can compromise, say, like a point of sale terminal or something, you can skim a lot of that information quite quickly. That’s traded normally very quickly because those cards get blocked very quickly. As soon as you see a few dodgy transactions, you can block your card. And so they’ll trade, but there’s a very small window and normally they go for quite cheap.
We see lots of people losing massive amounts of entire life savings
More personal information starts to go for a lot more and that’s where the bigger trades happen. So if it’s personal information, name, address, phone number, that’s one level. But then if you can add in things like national insurance numbers, social security numbers, or medical records and things like that, the value goes up and they start being packaged into individual identities as a service. And then those can be used for either multiple things like creating new passports or buying properties or taking out loans or just using them to set up fake identities further on down the line as well.
So those things become more useful because they are really hard to change. If your name and address get leaked, it’s really hard to change them. Whereas a credit card, that’s got breached, let’s just reject that and order a new one.
Q) How common is this sort of theft?
A) It is very common. It’s not common as everyone will know someone that suffered from it, but people will often be within two degrees away from someone that suffered from either wholesale identity theft or some form of fraud or online sort of scam. So it does happen quite frequently. A lot of times it will be like a small transactional thing. We see a lot of pensioners being targeted. A criminal will ring up with only a few bits of information about that person, their name, and their address, but that’s sometimes all they need to establish credibility. The scammer will lie that they are from the individual’s bank and say something along the lines of ‘We need to move your pension pot, go online and can you do this?’ And so we see lots of people losing massive amounts of entire life savings in some cases to some of these scams.
Q) How would you know if your personal data was on the dark web? Is it possible to know?
A) There’s no way to guarantee it isn’t. But there are some monitoring services available and even some of these credit monitoring or personal identity monitoring services, they have tie-ins to some of these companies. And there are dedicated threat intel companies who will spend a lot of time on the dark web, where they have analysts who set up their fake profiles to gain access to these forums on the dark web.
Oftentimes, especially in these criminal forums, you need someone to vouch for you to say that this person is not an undercover police officer
So to access the dark web, it’s not as straightforward as the normal web. Oftentimes, especially in these criminal forums, you need someone to vouch for you to say that this person is not an undercover police officer. They will vouch for you. You’ll have to spend some time gaining their trust and observing and then they’ll give you access to that forum on the dark web and then you can start scouring some of the information that’s there and not there. So there are many organisations that do that, but it is quite an intensive process and you might not catch all the information that’s available there. You probably get broad strokes. So you can get a rough idea, but you can’t say for certain that device details are in there or not.
Q) Would I be right in saying that it is dangerous to try and infiltrate?
A) Yeah, it can be quite dangerous, especially if you’re not careful as an analyst. Some of those people can track you back to who you are and that’s one thing you don’t want to happen. So that’s why it’s not advised that average people try this. So within these organisations, they normally have a safe network set up and they have their safe machines and they don’t log in with their real names or anything like that. So it gives them that additional level of protection. It’s also an expensive and labour-intensive process. It takes time.
Q) So what drives the cost or value of the information sold on the dark web?
A) So it’s really like what you can do with it and the longevity of the information. So if you have someone’s date of birth and national insurance number, that’s not going to change forever. So that will go for more than just credit card information which will be changed in two weeks. Sometimes it also depends on the volume of data. So if there’s a big dump from a large organisation that’s been hacked, and they’ve got two million records, then an individual record might not cost much, but the bidding on that volume of information can go up. It’s very similar to eBay – some items they’ll list on there, and bidding will begin because so many criminals want that particular piece of information. It’s not always clear what drives that demand, but certain things are needed at that time, because we saw when code first hit, and lots of governments were offering these COVID relief packages. So at that time, there was a lot of demand in the underground forums for these packages.
Q) Do you see anything other than criminal activity on the dark web?
A) The dark web was set up with good intentions. The Tor Project believed that too many governments were spying on and oppressing people across the world. So it was a way of allowing people to freely express their views or share information. There’s that level of anonymity and privacy afforded, you’ll see criminals set up shop there as well. So while Tor is used to access the dark web, it isn’t the entire dark web. The dark web itself is very much like the normal web from an operational perspective. The data is held on servers around the world. So it’s just because it’s not directly accessible from the main internet, as we browse it, you have to go through the Tor browser. It gives you that anonymity. So it’s not been completely taken over. But I think nowadays, whenever anyone thinks of the dark web or using the onion ring, then they think of something dodgy.