Reasonably Accurate Transcript
Good morning everybody. Uh, I hope you had a fantastic weekend. Um, on this episode, episode 99 of Mornings with Mark, I wanted to talk to you about perspective. Now, this is continuing our cybersecurity basics. We've done a couple of episodes on that already.
We covered the goals of cybersecurity. We covered threats and risks and vulnerabilities and exploits. We also covered passwords. I thought it was time to kind of circle back to the last big concept, or occurring big concept, probably not the last: perspective.
Now, this is something, I'm going to be brutally honest with you, that cybersecurity struggles with constantly. So I'll give you a good example. Hopefully a good example. I just finished up my weekly column for CBC earlier this morning. And today's topic was VPNs and Wi-Fi networks, a crazy, crazy topic to talk about to a general audience.
Uh, but we're basing the, um, segment on the fact that Facebook's, um, Onavo, um, had, uh, VPN was pulled from the Apple App Store last week because they had a number of issues around privacy specifically. They were, um, explicitly tracking what apps you were using, um, what sites you were visiting in order to build better profiles.
So, um, kind of ran in the of the people thinking that VPNs were for privacy, right? So we were talking about the challenges of connecting straight to Wi-Fi, of connecting to a VPN, and how it was adjusting your trust. Now, the challenge is when you talk to cybersecurity people, they kind of remove the perspective entirely and say you should never connect to public Wi-Fi without a VPN and you need a VPN all the time.
Maybe that's good advice, maybe that's advice that even covers, you know, 80 to 90% of most use cases, but it lacks the perspective to give people the information or the context they need to make the choice that's right for them. Um, so on that issue, you know, Wi-Fi is generally encrypted.
Um, if you need to have a password to access the Wi-Fi, that normally means it's encrypted. But all those encryption schemes under Wi-Fi are broken in one way or another and we know that they aren't updated. So connecting to Wi-Fi is risky because you don't know who's on that network and who is monitoring that network.
So that means you should always be making sure that on important sites, just like on any device, that you're seeing that padlock in your browser, because that means that's a secure connection between you and your bank, or you and that merchant, or you and that web service.
But if you don't want to be tracked, then, you know, using a VPN is a good idea, except for the fact that you need to trust that VPN provider, because what you've done is taken one set of trust issues for the Wi-Fi network and transferred them all to the VPN provider.
So do you know and trust that VPN provider? And then all the traffic from the VPN, from you to the VPN, is secure. But from the VPN out is completely different; that's just normal internet traffic. So it's not a flat "this is the answer."
That's sort of the challenge with perspective. Um, we see it, uh, for vulnerabilities and bugs as well. So there was another big Apache Struts vulnerability. Now, you probably haven't heard of Apache Struts. Um, but it is a framework that developers use to cut down on the amount of code that they have to write.
So it makes sense, right? It's normally used for really big organizations and really big applications. But this is the third or fourth massive vulnerability it's had in the last year. And again, a pretty easy one to take advantage of, to exploit, as we learned a couple of videos ago.
Um, but with minimal effort, so big consequences, minimal effort. As we know from episode two, that kind of makes the risk significant, but people were coming out in the community saying you just can't use Apache Struts anymore. And that's not the right perspective.
You need to put the information in context so that people can make the right decision. If you lose perspective, if you start to say this is the way it has to be for everybody and not make, understand the choices or the trade-offs or the context in which you're making these decisions, that starts to make things really difficult to perceive in a logical manner, in a data-driven manner.
And that's an underlying challenge when it comes to security, not just the lack of perspective, but the lack of data to make data-driven decisions. So when we talked about risk and we said, you know, you need a vulnerability, something wrong, you need an exploit, some way to take advantage of that thing that's wrong.
And then there needs to be a threat, someone willing to do that. We can figure out vulnerabilities. It's pretty straightforward. We can most of the time know whether or not there's an exploit, but worse is, is there a threat? Normally for that, you would have to evaluate a ton of data.
So if you think of physical insurance, like car insurance, the insurance providers have a massive amount of data with which to make an informed decision. They know that men in their forties (yikes), um, in this particular neighborhood have a moderate level of risk based on the driving profile of everybody in that neighborhood, kind of thing, that helps to make a better decision.
We lack that information in cybersecurity, which makes it even harder to maintain perspective because we're dealing purely with what-ifs. Risk assessments are done on sort of a high, medium, low scale or sometimes numbers, which I hate because numbers imply an accuracy that's simply not there.
But cybersecurity perspective is a real key to understanding this genre. So continuing the themes of the basics of getting that foundation, you need to understand that a lot of cybersecurity perspective is guesswork. It takes a lot of effort for people to step back and say, wait a minute, it's not the end of the world, the sky isn't falling.
You need to weigh, you know, A versus B to make an informed decision. What do you think? Let me know. Hit me up online @marknca, for those of you on the vlog, in the comments down below, for podcast listeners.
And as always, for everybody else, you can hit me up on email, me@markn.ca. I love to hear what you think about perspective, what you think about the cybersecurity basics segments that we've been doing. Um, definitely want to know what you want to hear next.
There's a ton of stuff where we can go with this basics series. And again, I'm gonna wrap these up into tighter videos and publish them out under the Trend Micro handle. Um, and probably some other places just to make it a nice little tidy, um, uh, you know, basically a 101 course.
Um, but let me know. I hope you guys are set up for a fantastic day. I will talk to you online and I will see you on the show tomorrow.