
Cybersecurity Basics #11a - Risk Assessments Redux

In your personal life you're assessing risk constantly, whether you know it or not. In the digital world the same thing happens, BUT you probably don't have the required context to make an informed decision.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How are you doing today? You'll notice a little weirdness in the title today. This is Cybersecurity Basics 11A, and the reason for that is Donnie, who is a regular viewer of the show (and thank you for that very much, Donnie), rightfully called me out on YouTube yesterday in a very polite way.

He was basically asking what yesterday's topic, risk assessments and penetration testing, has to do with individuals and individual cybersecurity, and Donnie was 100% spot on. I did not preface or put a proper context around that, which is really bad because this is a basics series.

So yesterday's show was very much around the business or organizational view, or for those of you who are practicing cybersecurity as a career or trying to get into it. That was that view of risk assessments and penetration testing. Today we will tackle the personal view, or the everyperson view, of risk assessments, and we don't have to tackle penetration testing because that's not something that you would regularly do as an individual.

So, for risk assessments on a personal level: yesterday we talked about the formalized procedures around them, and how there are structures and frameworks and things like that. You're not going to do that on a personal level, but you do do risk assessments every day.

I'll give you a very real non-cyber example. When you cross the street, you're actually doing a risk assessment, right? Or at least I hope you are, otherwise we're in trouble. So when you go to cross the street, you normally look both ways, depending on which country you're in.

You're going to look to the left and then to the right and then to the left again and then cross, or the opposite if you're in England or New Zealand or in Oz, or any other country that drives on the left side.

So that's a risk assessment. You're evaluating: is there traffic coming? No, the risk is really low of something happening to me, and I'm going to walk across the street right now. Then there are ways to mitigate that risk. You could cross at a sidewalk.

You could cross at a sidewalk that's at a light, you could cross at a crosswalk like I just did with a crossing guard. Right. So there are different ways to mitigate that risk, but you've done an assessment by looking left or right.

And even if there's a mitigation in place, you're still going to look left or right; you're not going to just blindly trust. So that's a risk assessment on the personal side. When you come back to the cyber world, you're doing these, kind of, and this is where we fall down as a cybersecurity community, and where the education isn't there for individuals to protect themselves.

So there are some cases where you should be going through these things, and if any of these ring a bell, let me know in the comments below, online @marknca, or by email at me@markn.ca.

So if you're posting something on Facebook, hopefully you do a bit of a gut check, and you're saying: do I really want to share this? Who do I want to share this with? And then you can adjust the permissions. When you send information by email, you should be doing a bit of a gut check again.

And, you know, hey, is this OK to share with this person, or with somebody else if the email gets intercepted? Though that one doesn't really pop across most people's radar. When you download a file, are you downloading it from a reputable source? So did you go right to the developer to download the file, or to an approved or validated app store, or did you get it from some shady third-party download site where you had to click through like six or seven ads?

Those have different levels of risk, and I think, whether you know it or not, you're doing a bit of a gut check and a bit of a risk assessment. Is this file worth the risk? Right: I know I'm getting it from the sort of shady third-party download site, so do I really need this file, or can I get it from a different source?

Is the risk worth it? That's sort of a personalized risk assessment. Now, like I said, we don't do this very well on the personal side. A great example goes back to one of the first topics we covered in the Cybersecurity Basics segment: passwords.

Passwords are not explained very well, because there's a lot of risk around them. So people go, I know my biggest pain point with a password is trying to remember it, so I'm going to use the same password again and again, because that's my password.

But you're actually increasing the risk that you're facing. And the reason you're increasing the risk is that if you're reusing that password over and over again, there are more chances that that password gets stolen or breached or somebody can see it. And once they see it, now there are more places they can get your data.

So if you understood the context, you would be able to make a better risk assessment and say: it's worth it for me to use a tool like a password manager, where I have my one password to unlock that password manager, and it's a passphrase.

So it's big and long and complex, and check back to that early episode to understand passphrases. And then I'm going to reduce my risk by using a unique password for every site or app or service that I'm using. The challenge is that word context: in a personal setting, you rarely have the proper context, education or understanding of the situation and the complexities to actually make a proper risk assessment.

So what ends up happening is you just click through whatever prompts are given to you. Now, the team from Google that runs the Chrome browser is a really, really smart team. Years ago I met one of their leads, Adrienne Porter Felt, and she had given a talk at a conference where she quoted a stat: Chrome had been tracking how often people just clicked through the user dialogs that were prompted.

So, like: hey, this site doesn't have a proper certificate; it may not be who they say they are. And people just say, I don't care, I want to go to the website, and they click through. And it was shockingly high; it was over 80% of the time that people just click through no matter what. And that holds steady for pretty much every prompt that's thrown at you on your device or your computer: people just acknowledge it and go.

So from a security perspective, that means that we're not doing a good enough job of educating, to give you the context to understand the risk assessment, or the risk environment, around the choice you're being asked to make. So when you install an app on Android and it asks for a whole list of permissions, you should be doing an evaluation and assessment of the risk of that app having access to your network, to your photos, to your contacts, everything it's asking for. But you don't have enough context or information to make that risk assessment.

So unlike crossing the street, where that's ingrained in all of us from a really young age, and it's a really small context of: is there a vehicle coming this way? Is there a vehicle coming this way, or some other danger on both sides?

You know, look both ways before you cross the street. It's pretty easy to sum up how to evaluate that risk. What's the equivalent for installing an app on your phone or sharing something on social media? There isn't one, and it comes down to a failure in the security community.

So this is not a positive episode of Mornings with Mark, and I apologize for that, but it's a frank and honest look at the lack of risk assessments on the personal side, even though it's something that we should be doing all the time.

And I will look at talking to some folks in the community, seeing if we can come up with that sort of standard equivalent of look both ways before you cross the street, because I think people expose themselves to a lot of risk that they wouldn't if they knew the choice they were.

There's a lot of implicit risk acceptance; that's the technical term for it. And any time you are implicitly accepting risk, that's a bad thing. You should always be explicitly accepting it, or denying it, or mitigating it. Basically, you need to be aware of the risks you're facing.

This is really complicated stuff that we're dealing with. It doesn't need to be for the end user. So lots to think about there. But thank you, Donnie, for calling that out. You're absolutely 100% correct. I will try to do better giving you the context, even though this episode was all about context.

A little bit of irony to start your day. I hope you're set up for a fantastic one. Hit me up online @marknca, in the comments down below on the vlog, and for everybody including our podcast listeners, hit me up by email at me@markn.ca.

Always happy to answer your questions, as demonstrated by today. This show is very much audience driven; happy to tackle whatever topics around security and privacy and technology you guys are interested in. Have a fantastic day. I will see you on the show tomorrow.
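The password point in the episode (one stolen password opens up every other site it was used on) is something you can measure rather than guess at. The following Python is an added example written for this page, not code from the show or from any password manager: it reads a password-manager export in a generic url,username,password CSV shape (the column names are an assumption; check the header row of your own manager's export), lists which sites share a password, and computes the blast radius of a breach at any one site. The sample export is constructed for the example, and the report deliberately never prints the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for this example only. The url,username,password
# column layout is an assumption; adapt the keys to your manager's header row.
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,alice,Summer2019!
https://shop.example.net,alice,Summer2019!
https://bank.example.org,alice,correct horse battery staple
https://forum.example.com,alice@mail.example.com,Summer2019!
https://social.example.com,alice,t4x9-pLq2-8vZm
"""


def group_by_password(export_csv):
    """Return {password: [site, ...]} for every entry in the export."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups[row["password"]].append(row["url"])
    return groups


def reused_passwords(export_csv):
    """Passwords shared by more than one site, mapped to the sorted site list."""
    return {
        pw: sorted(sites)
        for pw, sites in group_by_password(export_csv).items()
        if len(sites) > 1
    }


def blast_radius(export_csv, breached_site):
    """Sites an attacker could log into with the password taken from breached_site.

    This is the 'more places they can get your data' cost of reuse: a unique
    password yields an empty list, a reused one lists every other site it unlocks.
    """
    for sites in group_by_password(export_csv).values():
        if breached_site in sites:
            return sorted(s for s in sites if s != breached_site)
    raise KeyError(f"{breached_site} not found in export")


def mask(password):
    """Report only the length so the output never leaks the password itself."""
    return f"<{len(password)} chars>"


if __name__ == "__main__":
    for pw, sites in reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {mask(pw)} reused on {len(sites)} sites: {', '.join(sites)}")
    for site in ("https://shop.example.net", "https://bank.example.org"):
        exposed = blast_radius(SAMPLE_EXPORT, site)
        print(f"breach at {site} also exposes: {', '.join(exposed) or 'nothing'}")
```

Run it against a real export only on your own machine, and delete the export file afterwards: it is your whole vault in plaintext. Any site that shows up in another site's blast radius is one where the "explicit" choice is to rotate to a unique, manager-generated password rather than implicitly accept the shared one.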
