In this episode we discuss how you can protect yourself and your business from cyber threats.
✅ How the hacking funnel works
✅ Passwords and how they’re leaked
✅ Tools you can use to protect yourself
✅ Will we have passwords in the future
✅ What are social engineering and phishing attacks
✅ Prioritising what you protect
How hacking takes place may not work as you realised. It’s a very sophisticated industry but there are simple ways you can protect yourself to help keep your data and business secure.
Learn more about Onsecurity here: https://www.onsecurity.io/
View on Zencastr
Transcript
SPEAKERS
Matt Nally, Conor O’Neill
Matt Nally:
In today’s episode, we’re going to take a look at how you can make your business more safe and secure from a cybersecurity perspective, whether you’re an SME or a large firm. Here to tell us all about that is Connor, who’s the co-founder on security. So thanks for coming on today.
Conor O’Neill: Hey, cheers. Thanks for having me on.
Matt Nally: Before we get started, how did you get into the cybersecurity space?
Conor O’Neill 00:54: I did a degree in computer science. And then, after my degree, I kind of didn’t really work in computers. I was just travelling around the world and working in bars and stuff like that. And while I was doing that, I read this book about cryptography. And that got me really interested, and it just so happened when I got home. The Irish government was paying for people to do master’s degrees in cybersecurity because they wanted to increase the number of people getting into that industry. And I signed up for that. And then from there, I kind of worked in various aspects of it and started off with cyber forensics and investigations, and then moved into what we’re kind of doing now, which is the offensive security side of things, sort of hacking into things; I suppose you call it ethical hacking.
Matt Nally 01:40 Trying to get into people’s systems and understand where the weaknesses might be before someone else does.
Conor O’Neill 01:46
Exactly. To try to understand what things look like from the perspective of a hacker. Finding the weaknesses effectively before the hackers do.
Matt Nally 01:54
Let’s get into one of the questions I wanted to ask, which is: I think a lot of people think back to movies where you’ve got the guy or girl in a hoodie sitting at a desk, trying to hack into a system. And I’m fairly certain that this is not the case. Most of the time, certain tech companies are targeted or whatever it might be. But what are the common misconceptions about who gets hacked or how people get hacked?
Conor O’Neill 02:22
Yeah, that’s a that’s a really good question. There’s a common misconception. And so I’ll start off with a small story. It’s like about a year ago, a customer of ours owed a small building engineering firm in Warrington, somewhere quite random in the UK, that was small with like 30 people working there. reasonably small revenues. And they call us to say they’ve been the victim of a ransomware attack and other computers are encrypted. So that really got me thinking, like, how did this random business in the middle of kind of Warrington up in the northwest of the UK get targeted? What was the process? I’m pretty sure. It wasn’t a guy in Russia waking up one morning and deciding to target this random business in Warrington. So we tried to—we created a research project, basically—and we sent two or three of our engineers working on this long-term research project to try and understand better how that happens. Like how business goes from being like a needle in a haystack. So there are like 218 million businesses on Earth; 6 million of them are in the UK alone. So how do you go from being one in 6 million to being ransomware? The results were fascinating. So that’s kind of what we base our products and services on, but the results kind of showed that it’s effectively a very sophisticated industry, the cybercrime industry; it operates very similarly to the SAS sales industry, in terms of there being different organizations at different layers, and at the top of the layer, which we call the top of the funnel; we call this the compromised funnel; you’re probably familiar with sales funnels. There’s like a whole range of organizations that are dedicated to lead generation effectively; they find potentially vulnerable businesses. And what they’re doing is effectively mass scanning the internet the entire time, looking for weaknesses that they know are reliable ways of breaking into businesses. And they don’t target specific businesses. What happens is that the business pops up at that point at the top of the funnel, and then those weak, potentially weak businesses will get sold on further down the funnel to two other organizations. So, the people who did that mass scanning don’t want to break into businesses; they don’t want to execute ransomware; they want to kind of stay away from that. They will just sell those leads down exactly the way you would sell a sales lead down to an account executive or whatever for them to actually make the sale. Those guys at the top would sell these leads down the funnel for a ransomware group, book, or whatever, or reveal or revel in our hope and answer to actually compromising and extracting revenue from that target. And that’s kind of how it happened to those businesses in Warrington; they made a small mistake with one of their servers, and that popped up on the radar of these attackers immediately. And then that packet got passed down further and further until they eventually ransomed them, and they extorted payment requests of a quarter million quid from them. What happens in this very sophisticated industry, there are interview processes, their CVs go around, and they advertise for jobs both on the internet and on the dark web. They sell stuff on forums, like collections of compromised businesses and stuff like that. So it’s sort of sophisticated industry. And that’s effectively how you go from being one to one in 6 million to getting uncompromised. You’re basically in this funnel. And as soon as you make a mistake, or someone else makes a mistake that affects you.
Matt Nally 05:51
Do they still have a priority or preference as to who they go after? So, would they still, once they get those leads, focus on a large firm? Because it’s potentially a bigger reward? Or is it anyone’s fair game?
Conor O’Neill 06:01
Yeah, like any sales thing? No, they will have criteria. So, for most of our customers, the SMEs, we’re not talking about Amazon or a cold call here. Who are going to be targets anyway? For most of those, there’s a target selection criteria. So it’d be like, the ransomware groups will advertise: “We want companies that have a revenue of more than x million, usually around five or six, which has to be greater than what a lot of them will say, “We don’t want health care industries, and we don’t want charities. It’s kind of fair game. And so what they do, then the people we have to worry about are what’s called affiliates. So they’re effectively what we would like—they’re the gig economy, like they’re the Uber drivers of the cybercrime industry. They’re the ones that are scanning and compromising these companies. And then they will say, “Right there, match what they have compromised up against the target criteria that have been set out by the ransomware companies, and then they will sell those compromised machines in those companies to the ransomware groups, and they’ll take a percentage then of the eventual ransomware. And interestingly, the affiliates get more of the ransomware payout. Typically, it’s about a 70/30 split. So yeah, it is that you might get compromised, your company might get fully compromised, but you’ll never get selected because you don’t meet those criteria. So, that’s why a lot of times, we will see that somebody did something in your network, compromised a machine, but never go any further. And it’s usually because you haven’t hit the criteria. But there are so many different groups that most people will eventually fall into a criterion somewhere. But yeah, it’s exactly right. Like you might, you might not meet the specs, basically, for the ransomware group.
Matt Nally 07:52
Because if you’re an SME, whether an individual within a company is a one-man band type of thing or a small company, there might be 5, 6, 7, or 8 of you. What are the types of risks that a small company would face? They’re less likely to be targeted for those types of things.
Conor O’Neill 08:13
If you’re a small company, you’re more likely to be targeted in what we call script type of attack, where it’s more vandalism. They’re just doing it for fun. Because those ransomware groups are spending a lot of money to compromise a company and then sit there for up to a year. They’ve seen and fully understood how the company works and how to extract the most revenue before actually executing the attack. So there’s a lot of investment, and it’s not going to be if the payoff isn’t there; if the company’s too small, then it’s going to be a different type of attack that targets those much smaller companies. So it’d be more like what we call cyber vandalism, where they’re just doing it effectively for fun and just breaking stuff. And then what they can do then is a few, even if you’re small, you might have a lot of good data. You might have thousands of customer records in your database. They can then sell it; they can steal and sell it. So that might be an angle, but it really depends on what your assets are as a business. That is what you need to consider when it comes to security: What are my assets? And how should I protect them? Because if you don’t have any really important assets that are going to be useful for a cybercriminal to sell on, there’s not much point in that cybercriminal targeting you as a business. If you don’t have good assets, it’ll be almost as if you’re worried about cyber vandalism. What are these assets worth on the open market, and how should I protect them?
Matt Nally 09:59
One thing I have seen hundreds of times on LinkedIn is people posting about how their email accounts have been compromised. Someone’s managed to break in and send stuff out, posing as them. What’s the type of scenario in which those credentials get leaked? And someone gets hacked? And how do you protect yourself from that?
Conor O’Neill 10:24
There are two primary ways that would happen. The first is malware, something on your computer or a virus that effectively reads your keystrokes as you log in, grabs stuff off your computer, or whatever it takes to get to your details from your browser. And so that’s kind of a classic way. You can prevent that with the basics: have an antivirus installed, or even Windows Defender, and don’t use dodgy websites, as it’s kind of one of the things that people tend not to put too fine a point on. And the second way is that you get affected by another breach. So if you use the same password to log into multiple sites, which I don’t recommend, that’s really bad practise. But if you use the same password to log into your Google account as you do to LinkedIn, and then LinkedIn gets breached, a very common attack is for hackers to just grab all those passwords and try them against loads of servers and services. So they’ll grab your email account that’s been leaked in LinkedIn breach and try that all over the place on various services. And they get a lot of luck with that. That would be the two main ways that happens.
Matt Nally 11:49
And does it matter if it’s a similar password, so it’s not exactly the same on different sites, but rather than an exclamation mark, or if you have changed the letter at the start to be in capitals rather than lowercase? Is that effectively the same password?
Conor O’Neill 12:04
It’s not great, but it’s not the exact same, like most passwords will involve slight modifications to the password. But in terms of passwords, hopefully, we’re getting near the end of passwords being a thing at all. I’m starting to see that in the second half of 2022, which is great, some sites have had passwordless logins or you just clicked yes or no on your phone. Hopefully, that will become more prevalent over the next few years. But one of my main tips for security for everyone is using a password manager. And I think that’s basically step number one for being a lot more secure than the average person is to use a password manager. And then it just takes all that hassle of trying to create different passwords out of your hands. And if one gets compromised, you’re not too worried because you’ve used a simple, random password on these different things. So, if you take one thing away from this as an individual rather than a business, in terms of business strategy, an individual should use a password manager, and even though LastPass got hacked, this one’s security is so difficult. I use the built-in one in Google Chrome, which is perfectly good. Like it works across mobile and desktop and stuff like that. So, Password Manager is the way to prevent a lot of that stuff. And then to check if your password has been compromised, there are a lot of websites out there, but the famous one is” Have I been Pwned” which is like, hackers speak for compromised. And I don’t know why. So, take away from that a password manager and check if your accounts have been compromised, which they have been, like 100% everyone’s email will be featured on there haven’t been pwned. And you can run your business emails and your company emails through there as well.
Matt Nally 13:59
You say that about the password managers; we use them here, but we put some of our stuff and started looking at them from a personal perspective. When they started putting in all their own passwords, they realized how many sites they actually used because you forget how many things you’ve signed up for at different e-commerce sites. But then how similar the passwords were, and of course, you say 1 password gets leaked, and then suddenly they’ve got access to everything.
Conor O’Neill 14:26
Hackers, like cybercriminals, are mostly not geniuses. They’re looking for the easiest route in, and one of the easiest is that people use the same passwords everywhere. So, it’s one of the things we look at. And so for clients, we check if they have this, if their staff have been reusing the same password across multiple sites, because it’s just a really easy way compared to trying to write a sophisticated kind of zero-day vulnerability. And to get access that way, it’s just, they want to get it in the easiest path possible. And it’s usually passwords or that easy path.
Matt Nally 15:09
I suppose things like, not securely sharing passwords, if you’ve only got one log into an account, and you send it over a text or email or something that was not encrypted property, and the email gets leaked.
Conor O’Neill 15:21
When we do tests and networks and stuff like that, one of the things we’d like to get on is his teams on Slack, because people are forever sharing passwords. I guarantee, if I went into your own personal stuff, your soccer teams, and your messages to yourself, there’d be passwords in there for sure. So, it’s one of the things we do. We should know that our account sharing shouldn’t really be a thing. But maybe that’s not the reality. No, fortunately,
Matt Nally 15:55
There are a lot of benefits to having an account. Just be on the lookout for security; see who’s actually changed things so you can get lost. What else can people do to protect themselves? One is using Password Manager. But if the passwords are lost somewhere else and someone gets ahold of them, then they can get access. I think that’s what multi-factor authentication, Is that something that you should always have if you can? And what is it?
Conor O’Neill 16:20
So this is another one of those brilliant steps that are really easy, but they make you just so much more secure than the next individual or the next company that doesn’t do their multi-factor authentication, which is effectively using a password and then something else. So that can be something you have, something you know; something you have is like a token or your phone or a dongle; a second kind of password; URLs; or biometrics, like your fingerprint. So, the one thing to know is that, if you’re using an SMS, that’s probably the least good, but still a lot better. So, I use the authenticator apps on my phone, where you get the six digits, and as an organization, you should enforce that on your accounts. So, all your CRMs support two FA (factor authentication). They seem like Twilio and stuff. I’ve seen some companies in the last few years offer discounts on subscriptions if you enforce two-factor authentication. And that’s because security really doesn’t make a massive difference. So, the Google ones are great. I don’t know if you use that where it just pops up and says yes or no. Are you logging into anything? It just pops up on your lockscreen. You just tap yes. It couldn’t be easier. And so yeah, with MFA and those two things, there are like three or four steps you can take to make yourself a lot more secure. And the first two are Password Manager and multifactor authentication. And then prevent a lot of easy attacks that way.
Matt Nally 17:57
We use that ourselves. I think one of the very good things is that a company admin as well as things like Google and other sites, can enforce policies that prohibit the use of minimum password lengths and complexities. And, as you say, use of MFA and stuff so that your team can’t get away with using a three-digit 123 password.
Conor O’Neill 18:19
The whole concept of passwords is a bit bad; they’re a terrible idea because humans are really bad at them. So we’ve had that partner for 30 years and have tried to just come up with ever more complex passwords. So hopefully, in the next few years, a lot of stuff will switch to passwordless logins and stuff like that, because it’s a very weak chain in the system, or a weak link in the chain, as I should say a single point of failure for the kind of security of your entire organization. But password managers and MFA can mitigate against a lot of that.
Matt Nally 18:56
What are the other types of things that people can protect themselves against? or be aware of. I’ve heard of things like social engineering campaigns, for example, or phishing. What are they, and what happened to people to get themselves more protected?
Conor O’Neill 19:12
The general public would be kind of aware of what phishing is at this stage, and phishing will be like a subset of social engineering. Social engineering is effectively an attacker trying to get you to do something that benefits them. So, the classic example is: I’ll send you an email that tries to get you to click a link in the email. And clicking that link will do something like bring you to a site that installs some malware on your machine or get you a fake login to one of your sites or one of your admin sites, so that you put in your password or username and password and then they have your credentials. And so, to protect your staff from them, it’s all about awareness and knowing that they can take place. So, one thing that we do that’s quite effective when we run training courses is we get staff members to create, obviously, fake phishing emails that target their older staff members or colleagues, because they know them best. So, it gets them to think in the mind of an attacker. There’s a lot of products out there like not before and curricula, and ourselves, we do like simulated phishing attacks. But there’s quite a lot of research, to say maybe that’s not the most effective way to do. But we find that method in terms of getting your staff to write phishing emails to each other. And think about what would entice this person to click a phishing email based on their interests, or what they know about them. And so some of the output from that exercise is quite funny. And it’s a really good exercise to run, but it gets them thinking in the mind of an attacker then. And then one state when they get an email, and they really think twice before clicking it. And we’ve had metrics from our customers that we’ve done that for, to show how much it’s improved their resilience to phishing attacks. So it’s just about getting that mindset and being aware that these attacks could get them at any point. cybercrime criminals love running those attacks on Thursday and Friday lunchtimes, for instance. Because they know that people are in a good mood and receptive to stuff at that point, and not really thinking more about the weekend, and not really in proper work mode. So they launched those attacks, like at that time, because it’s the best time statistically, they’ll get a better return on investment from those times. So it’s really just creating that sense of awareness. And you can do sign up the services that do simulated phishing campaigns and stuff like that. But I like that exercise model, it’s something you can do yourself for free. And then it’s really effective.
Matt Nally 21:50
So, I really hadn’t thought about the fact they do have specific points; I considered that maybe more likely for it when you’re busy because that’s something you’d be just trying to race through and tick things off and get emails cleared. But it’s interesting when people are a bit more relaxed and jovial.
Conor O’Neill 22:07
There was quite a famous one involving Reiner; I don’t know if you heard about that; it was a phone baseball, and what they did is that they obviously knew Mike Ordinaries, quite like everyone, and kind of knew what his personality was. And they kind of leveraged that to kind of scare the target into changing bank details for a bank transfer and remaining so, because they knew that he would have such a position of authority in there that the email wouldn’t be questioned, or the phone colleagues wouldn’t be questioned. So that was another interesting one as well. That kind of leverages the personality of the person in charge. To get administrators in there to do what they want.
Matt Nally 22:54
There’s a high-visibility and lanyard situation. Look official?
Conor O’Neill 22:58
They’re rarer in that sort of situation; that’s what we call physical social engineering. And we do those exercises. There is a lot of fun. The hive gets you anywhere on a mobile phone, which you can kind of hide behind. That’ll get you into a lot of places.
Matt Nally 23:13
I’ve heard stories where people have gone through security tests, even for physical controls like getting into a building. And the guy who was testing managed to get to the person’s desk, and they’re not escorting you through, is like, No, I can’t do the back door.
Conor O’Neill 23:28
We did one a few years ago. The consultant we sent in ended up getting invited to the staff Christmas party. There’s like such a receptiveness to it because people are generally nice, friendly, and helpful. And that’s effectively what social engineering is all about. Attackers are preying on those characteristics.
Matt Nally 23:55
That was very interesting. I had another question because, obviously, you do loads of pentesting and stuff like formability scans. But when you go through and you speak to companies, perhaps particularly with training and other stuff, what are the common mistakes that you see people make? I guess, from any angle of protecting themselves? Yeah. Well, it’s,
Conor O’Neill 24:17
It’s really interesting because, no matter how many years pass, this industry goes on for cybersecurity. It’s the same mistakes over and over. And it’s just the basics. And we’ve already talked about two of them. If you had asked me in 2010, will people still be sharing passwords and reusing the same passwords across sites in 2022 or 2023, I would have said, I really hope not. But here we are. It’s really basic stuff. It’s not patching your machines. It’s having stuff exposed to the internet. It’s using weak passwords on stuff that’s exposed to the internet; like, a lot of it is security 101, and people just aren’t doing it. It’s because everyone’s busy. I’m not criticizing; I run a business as well. I get it; it’s really hard to do; it’s not what you’re there to do, and you’re there to run a business and keep your stuff up to date. And having sensible things in places isn’t priority number one, but that’s how people are getting broken into and getting compromised, and a lot of it really is basic stuff that can be prevented. But then the other side of the coin is what’s really tough: a lot of compromises are because of a supply chain or a partner. So again, let’s use that LinkedIn example: LinkedIn gets compromised, and then you do too. That’s why cybersecurity is so hard. It’s just that a lot of it is actually out of your control. You can become the victim of somebody else’s mistake. And then your company gets compromised, or ransomware is introduced, or whatever. But in terms of stuff that’s under your control, let’s just do the basics, right: keep stuff up to date by running some sort of antivirus, block malicious websites, and teach your staff to be aware of social engineering, particularly phishing. Phishing is kind of the number one ruin for ransomware gangs,
Matt Nally 26:16
It’s very easy to make exceptions. And then you forget. You’ve shared a password, and here comes this thing.
Conor O’Neill 26:29
You turn on something, just to get a file once or whatever, and just turn on some FTP thing out on the internet and forget about it. Stuff like that is very common. And if it were me, and I had a business to protect, what would I do? Have you heard of threat modelling? Do you know what that is?
No, I don’t actually know.
So, threat modelling is basically something large organizations do. But it’s effectively like they’ve got a limited budget and limited resources for security. So, they say: What are our crown jewels? Let’s sit down and think: What’s the most important thing? What would I hate to get capitalized the most, and for the likes of ourselves, it’s probably our customer database, our software, and stuff like that. And you start with that, and you say, I don’t care about anything else. And then you think: What are the sensible security controls we should put in place for that? Because when you sit down and start thinking, I need to try and protect his whole business, it is very difficult. If you just think about it in terms of your assets, rank them in order of how critical they are and how much you would hate to lose that asset or for it to be compromised. And think about the controls from that, and then go out and make ever-increasing circles. There’s no point in spending a fortune protecting stuff that you don’t really care if it’s lost or not. That’s the kind of approach we try to take with our clients, just like saying, “Here are your crown jewels”; you have to do everything you can to protect them. And then the next area is stuff that’s not that important, and so on and so forth.
Matt Nally 27:55
So is it a case that it’s actually best to stick with pen and paper and see something in the cupboard and not go online? Because you’re just at some point likely to get hacks or more.
Conor O’Neill 28:10
I don’t find that phrase, the only secure computers are when they are switched off, or something like that, just kind of nonsense, because it is not really about computers anyway. But that’s kind of an answer to your question; that’s not a business setting. So that’s what security is: a trade-off between the two. We need to do the security, but we also need to operate as a business.
Matt Nally 28:35
I agree with it. It’s about protecting all the critical stuff and making sure it’s backed up elsewhere and not able to be deleted or modified. And it’s in terms of your backups?
Conor O’Neill 28:45
The good news is that if you’re a company and you have fewer than 60, 80, or 100 people and it’s a reasonably straightforward operation that you’re running, It’s not really that hard to be. I’m not going to say to be secure, but it’s really not that hard to be a lot more secure than your average or another company like that. And it’s just taking those basic steps. We’ve already talked about it, but I would start with a paper-based exercise of this threat modelling stuff and figure out what’s going on, and then do the really easy stuff like making sure things keep patched. I assume you use something like AWS.
Matt Nally 29:23
Yeah, we’ve got our host on AWS, and we’ve got scanners like yours. Checking the system constantly for potential weaknesses that can be fixed. And we’ve got one of those that suppresses; you mentioned it in places like your password managers.
Conor O’Neill 29:39
AWS, and as your great writing shows, it’s a whole thing that you don’t need to worry about anymore. Keeping that stuff patched up. It’s kind of their problem. And yeah, you can take that extra step to add that extra level of assurance by using vulnerability scanners and stuff.
Matt Nally 29:53
A business is looking for a software solution. I’m not trying to be pack savvy at all here, but just as a general point, unless you’ve got a really niche requirement for software, are you better off using an off-the-shelf solution in terms of security perspective? Because there’ll be a focus on those types of things. And therefore, do you open yourself up to vulnerabilities because you forget to patch your software? Or you don’t necessarily know enough about certain security angles of the software? Is it better to look down those routes first?
Conor O’Neill 30:29
I’m not available for tonnes of reasons. I would agree with that. But from a security perspective, for sure. Because if you use a piece of software from a company that’s reasonably reputable, they will have gone through the pain of pen testing, code reviews, and stuff like that anyway. And you can ask for their pen test reports and their ISO 27,001 thing, their compliance stuff that they do to ensure they adhere to certain policies, and they have certain security standards in house 100%. But it’s a really good point where possible, but make sure you see evidence of it because, like, about 70% of our business is testing web apps. And we find dozens of critical security issues each week in web apps. But that’s a positive thing because they can fix those before hackers are found. So yeah, I go back to your point 100%. It’s a really good idea for lots of reasons.
Matt Nally 31:32
I think one of the difficult things, if you are building anything, is: do you really want to be putting thousands into checking that it was built right? You want to just put resources into building a business and not worry about upgrades?
Conor O’Neill 31:44
Security will slow you down. That affects the rate. So if you’re a business, you’ve got to get something out the door to start generating revenue from it. So, 100%, there’s a solution out there. And just as he was, I think you’re the same, as those were effectively SaaS businesses. And there is nearly something for everything. These days, whereas we used to, we used to write our own, like onboarding guides, let’s say, for when people first log on to a platform, and then in the last three or four years, tonnes of solutions have popped up where you can just do drag and drop and no code solutions for that kind of thing. So that’d be an example of how we would, for us, write code as a last resort that we use, and probably the same for you guys as well. But security is an ordered benefit.
Matt Nally 32:36
So I suppose overall, the basics are secure passwords and password managers to handle them. Multifactor. And then, what was the last one?
Conor O’Neill 32:47
Basically, by patching that situational awareness, depending on the type of business you are in, there are a lot of products available. If you’ve got something critical, like a web app or something like that, get that pen tested. But put it in terms of day-to-day. And then that exercise about writing phishing emails to each other is quite a nice little one that I recommend. And before you do anything technical, there’s that thought exercise around threat modelling. So, start with that, and then we’ll naturally and effectively create, like, a roadmap for security for you.
Matt Nally 33:28
So, if you’re a surveyor, go and look at what types of data you’ve got and where you’re storing them. And which bits do you need to really protect? And the rest of what do you not need to worry about so much?
Conor O’Neill 33:38
So, we mentioned that concept of the crown jewels, like so, for an individual, your crown jewels are your primary email. So, if someone gets into my Gmail account, they’re effectively me, because they can reset all my other stuff. They can use that to leverage attacks; they can pretend to be me. And they can access almost all the way under accounts if they compromise with Gmail. So, I spend a lot of time and effort making sure that that single account is secure because, ultimately, with Google Drive as well, where I store a lot of documents, personal finance admin stuff, I really don’t want anyone getting access to that account. So again, with the password manager, I only ever access my Gmail from one laptop on my phone. I think it’s two-factor authentication, obviously, so as an individual, rather than at the business level, focuses on that single account. That’s like your crown jewels, effectively.
Matt Nally 34:42
That’s very, very important because, as soon as you’ve got access to that, you can go and do a password reset on anything.
Conor O’Neill34:49
And just one little thing is that, if you can, rather than SMS, use the authenticator stuff. And it was just like, any more secure, SMS can be spoofed, and things like that can be done reasonably easily.
Matt Nally 35:04
Interesting. Well, thanks for coming on today. And then, if anyone wants to get in touch just about security stuff or pen testing, where can they contact you?
Conor O’Neill35:13
They can go to our website, which is onsecurity.io. Or on my LinkedIn, Conor O’Neill.
Matt Nally 35:29
Well, thanks for coming on, and we will touch base ourselves again soon.
Conor O’Neill 35:33
Cheers, Matt. It was good talking to you. Enjoy