Cybersecurity for Engineers

By: Eduardo Robles
Find me at https://erwtc.com/links

A presentation for ASCE 2019 Student Symposium
April 11, 2019

About speaker

  • Hi! I'm Eduardo Robles
  • Owner of Eduardo Robles Web & Technology Consulting (ERWTC)
  • Since I was a kid technology was a passion of mine and I wanted to be an inventor.
  • I would tinker and take apart all kinds of electronics, much to my mother's dismay.

  • The primary function of my business is education and consultation all while specializing in remote support.
  • I have worked with Engineers, Accountants, Lawyers and other small businesses.
  • I have been serving the South Texas region for 3 years.
  • I have degrees in Anthropology and Mexican American Studies.

Cybersecurity for Engineers

Main Topics:

  1. Understand the importance of securing yourself and your business.
  2. How to work with I.T department to best protect the company.
  3. Learn to spot the most common cyberattacks.
  4. Actionable steps to secure yourself from cyberattacks.

1. Understand the importance of securing yourself and your business

Why is cybersecurity important?

We are more connected today than we have ever been before.

  • Our jobs require us to use computer systems on a daily basis.
  • So we have to take extra steps to ensure that our work is safe from cyberattacks.

What's the cost to engineering professionals?

  • As engineers you often work on projects that deal directly with the general public.
  • Falling victim to cyberattack can have a negative effect on public safety.

Cyberattacks cost billions in damages every year

  • Nowadays opening the wrong email can take down the entire company network.
  • Are you able to continue to work if your entire company network is down?

Hackers are extremely smart and not lazy.

Continued

  • We need to stop stereotyping the "evil hackers" as a bunch "dudes in their mom's basements" staring at computer screens.
  • Most hackers start their careers at a very young age (avg. age is 15).
  • And you do NOT need a college degree to learn the skills to take down a business network.
  • All you need is YouTube.

Let's see some examples of hacks

Are there "unhackable" systems?

There is no such thing as "Unhackable" software or hardware

  • This is a marketing scam.
  • Everything that runs in a computer is hackable.

Can a system be hacker proof?

No, every piece of software ever written has the potential of being exploited.

  • Software is written by humans and humans are imperfect creatures. We make mistakes.
  • Errors in software are commonly known as "bugs".

2016 LinkedIn Hack

LinkedIn breach in 2016

  • 167 Million accounts were exposed in this attack.
  • I'm sure at least 2 people in this room were affected by this. I was affected by this.

LinkedIn fake job postings

  • LinkedIn is a social network for "professionals", hackers know this.
  • It is common practice for many professionals to use their company emails to sign up for LinkedIn.
  • So hackers exploit this and find ways to attack you; in this case they were sending fake job postings to trick you into clicking them.
  • The attack would basically steal your credentials for LinkedIn.

More hacks…

Saudi Aramco

  • Saudi Aramco is one of the most profitable companies in the entire world. And they suffered a massive cyberattack in 2012 that forced the entire company to disconnect from the internet entirely.
  • Saudi Aramco has oil wells that are connected to the internet to monitor their status. They had to manually send engineers out to the wells to personally manage them.

  • The attack was so devastating that it destroyed 30,000 workstations!
  • Estimates indicate that this attack cost them Billions in damages.

It proved you don't have to be sophisticated to do a lot of damage — Richard A. Clarke, former Counterterrorism official at the National Security Council

Darknet Diaries Podcast

The podcast Darknet Diaries did an episode on the Saudi Aramco cyberattack. Here's a clip of that episode, titled Shamoon.

Cyberattacks can cause serious damage

Those are just 2 examples of some serious cyberattacks.

  • The general idea is that no system is safe from attacks.
  • So you should be extra paranoid and take steps to ensure that you protect yourself and your company.

And by "paranoid", I mean "extra-cautious".

2. How to work with I.T department to best protect the company.

Listen to your I.T department

  • I.T departments get a bad rap.
  • But it's their job to ensure that all the technology you need to get your job done works.

  • So be patient and be professional.

Follow your company's security policy

  • Many companies have security policies in place and they probably have a section on Cybersecurity.

Cybersecurity policies include things such as…

  1. Recommendations of software to use and what not to use
  2. Email safety tips
  3. Password policies
  4. Cybersecurity training for employees
  5. Data retention policies
  6. Workstation safety

For managers/employers/owners

Create or adopt a security minded business culture

  • Assign or find someone for a "Cybersecurity Officer" position.
  • Create a cybersecurity policy.
  • Have regular cybersecurity awareness training for your employees.

Continued…

Determine Threat and Risk

  1. Assets: Your employees' data, bank/credit card info.
  2. Threats: A negative event that can cause losses or damages.
  3. Vulnerabilities: A weakness in your business operations. E.g., do you lock your computer when you walk away from it?
  4. Risks: Basically what bad things can happen and how badly would it affect me?
  5. Countermeasures: What systems and plans do you have in place to get your business back from a cyberattack?

3. Learn to spot the most common cyberattacks

How to spot some of the most common cybersecurity threats

It's good to have a healthy dose of skepticism.

Spearphishing/Phishing/Spam

  1. Spearphishing is a targeted email or phone attack. The attacker knows enough about your job/business to be able to exploit you and get something, usually through extortion or theft.
  2. Phishing is random emails impersonating a company or person. Usually after login credentials or spreading malware.
  3. Spam is a flood of emails to a user's inbox, resulting in crippled company servers or spreading malware.

"Your Invoice is past Due" email

  • This is a common phishing/spam email I see all the time.
  • If you are an intern or entry level engineer, you have no business opening emails about invoices.
  • If your job role doesn't require you to look at invoices, don't open emails about them.
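As an added example (not part of the original talk), the following Python script checks a raw email for the warning signs discussed above: a Reply-To that goes to a different domain than the From address, urgency wording like "past due" in the subject, links whose visible text names one site while the href points to another, and attachments with a double extension. The two messages are constructed samples using reserved .example domains; the indicator list and the "two or more indicators" threshold are my assumptions, not any product's rules.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording that phishing mail leans on to rush the reader (assumed list, not exhaustive).
URGENCY_WORDS = ("past due", "urgent", "immediately", "suspended", "final notice")


def domain_of(header_value: str) -> str:
    """Return the lowercase domain of an address header, or '' if it has none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_mismatches(html: str) -> list:
    """Find <a> tags whose visible text shows one host but whose href goes elsewhere."""
    findings = []
    for href, inner in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        target = (urlparse(href).hostname or "").lower()
        # Only compare when the visible text itself looks like a URL or host name.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", shown, re.I)
        if m and m.group(1).lower() != target:
            findings.append(f"link text shows {m.group(1)} but points to {target}")
    return findings


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable warning signs found in one raw (RFC 822) message."""
    msg = email.message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    subject = msg.get("Subject", "").lower()
    flags.extend(f"urgency wording in subject: '{w}'" for w in URGENCY_WORDS if w in subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and re.search(r"\.(pdf|docx?|xlsx?|zip)\.(exe|scr|js|vbs|bat)$", name, re.I):
            flags.append(f"attachment with a double extension: {name}")
        if part.get_content_type() in ("text/html", "text/plain"):
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            flags.extend(link_mismatches(text))
    return flags


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more indicators means forward it to I.T. instead of opening it."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample: the "Your Invoice is past Due" mail, with reserved .example domains.
PHISH_SAMPLE = """\
From: Acme Billing <billing@acme-corp.example>
Reply-To: accounts@mail-drop.example
To: intern@engineering-firm.example
Subject: Your Invoice is past Due - pay immediately
Content-Type: text/html; charset=utf-8

<p>Please review the attached invoice and pay today.</p>
<a href="http://pay.mail-drop.example/login">https://portal.acme-corp.example/invoice</a>
"""

# Constructed sample: an ordinary internal message that should raise no flags.
LEGIT_SAMPLE = """\
From: Project Manager <pm@engineering-firm.example>
To: intern@engineering-firm.example
Subject: Roadway project drawings for review
Content-Type: text/html; charset=utf-8

<p>Updated drawings are on the shared drive.</p>
<a href="https://drive.engineering-firm.example/roadway">https://drive.engineering-firm.example/roadway</a>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "suspicious:", is_suspicious(sample))
        for flag in phishing_indicators(sample):
            print("  -", flag)
```

Run on the constructed samples, the invoice mail collects four indicators (mismatched Reply-To, two urgency words, and a link whose text and target disagree) while the internal message collects none. No automated check replaces the rule in the bullets above: if invoices are not your job, the mail goes to I.T., not to your mouse.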

Social Engineering

  • An attack that goes after the biggest vulnerability in any business: "its people".
  • If you get an email or call about a project make sure to verify you are speaking with the correct person.
  • Young engineers in the room, be mindful of this when working on projects.

Pirated Software

  • This is software that is exploited to circumvent the license requirements.
  • Not only is it illegal to use pirated software, it can be extremely dangerous.
  • You cannot trust pirated software to act the way it was intended.
  • You can be in "Breach of Contract", when using pirated software. Many government contracts have clauses stating the use of pirated software is prohibited.
  • Software licenses are expensive. But will you risk millions in damages just because you didn't want to pay for legitimate software?

Malicious/Outdated software

  • Malicious software can come from emails, USB drives, CD's/DVD's, or links.
  • Links don't necessarily have to be from bad sites. If you are getting files to work on a project from another firm and they were hacked those files could also be infected.
  • Outdated software no longer receives security updates and can leave your business vulnerable to an attacker exploiting the security hole in the software.

Video Demonstration

4. Actionable steps to secure yourself from cyberattacks

Take actionable steps to protect yourself and your data

Deploy "Multifactor Authentication"

  • Multifactor authentication refers to "logging into" accounts with 2 different steps.
  • The idea is that you use "something you have" and "something you know".
  • A simple example is your debit card. You have your debit card and you know its PIN.
  • It's a good idea to use this not just for work but in your personal life as well.

Follow company security policy

Did you get an email that looks suspicious? Don't open it, simply forward it to IT or mark it spam.

  • SERIOUSLY DO NOT OPEN IT.

Backup your work or other important data

  • There are 2 strategies you need to think about.
  1. Backups: a backup is done for security purposes. If your computer fails or if you are hacked you can get back to work from a backup.
  2. Archives: an archive is a backup that you do not need immediately but will need to recall for a specific situation. For example, you may have archived a project file a year ago but now need to recall it because of an audit.

You should implement a backup strategy

  • In general you can use the 3-2-1 strategy
    • 3 total copies of your data
    • 2 local copies but on different places
    • 1 offsite copy of your data

Is this the best backup strategy?

  • No, this is not the best backup strategy but it is a good start.
  • This strategy was developed by the United States Computer Emergency Readiness Team, you can read more about it here.

Example

You have a file named roadWay_project_01.cad

  • This file will have 3 total copies roadWay_project_01.cad, roadWay_project_01_copy1.cad, roadWay_project_01_copy2.cad

  • 2 copies will be local
  • roadWay_project_01.cad will be your working copy
  • roadWay_project_01_copy1.cad will be saved elsewhere, like a company server or external hard-drive.

  • 1 copy will be saved offsite, roadWay_project_01_copy2.cad can be saved to cloud storage or on an external hard-drive that is offsite from the office.

Video demonstration

More on backups

You may be thinking "Am I supposed to redo this strategy every time I make a change to my project?"

  • Not necessarily; you will have to make a choice on the "types" of backups you will use.
  • Also, be sure to leverage any project management software your business may use to do backups automatically.
  • There are 3 backup types.
  1. Full: A full backup of all data related to the project, even if it's been backed up before.
  2. Incremental: Only backup the changes or new files to a project since the last backup.
  3. Differential: All data that has been changed since the last full backup.
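The following Python script is an added example (not part of the talk) that ties together the 3-2-1 rule from the roadWay_project_01.cad slides and the three backup types just listed. It simulates a small project folder over four days, runs a full backup followed by either incremental or differential backups, and reports two things the bullets alone do not show: how many files each approach copies, and how many backup sets a restore has to read back. The project files, the edit log and the copy layouts are constructed for the illustration.

```python
# Constructed project folder: file name -> day it was last modified (day 0 = project start).
PROJECT = {
    "roadWay_project_01.cad": 0,
    "bridge_survey.xlsx": 0,
    "site_photos.zip": 0,
}
# Constructed edit log: which files were changed on each later day.
EDITS = {1: ["roadWay_project_01.cad"], 2: ["bridge_survey.xlsx"], 3: ["roadWay_project_01.cad"]}


def full_backup(files: dict) -> list:
    """Full: every file, whether or not it changed since the last backup."""
    return sorted(files)


def changed_since(files: dict, day: int) -> list:
    """Files modified after `day`. Incremental passes the last backup's day,
    differential passes the last FULL backup's day; that is the only difference."""
    return sorted(name for name, mtime in files.items() if mtime > day)


def simulate(kind: str) -> list:
    """Full backup on day 0, then one `kind` ('incremental' or 'differential') backup on each edit day."""
    files = dict(PROJECT)
    history = [{"day": 0, "kind": "full", "files": full_backup(files)}]
    last_backup_day = last_full_day = 0
    for day in sorted(EDITS):
        for name in EDITS[day]:
            files[name] = day  # the edit touches the file's modification day
        since = last_backup_day if kind == "incremental" else last_full_day
        history.append({"day": day, "kind": kind, "files": changed_since(files, since)})
        last_backup_day = day
    return history


def files_copied(history: list) -> int:
    """Total files written across all backup runs (the storage and time cost)."""
    return sum(len(h["files"]) for h in history)


def restore_sets(history: list) -> list:
    """Days whose backup sets must be read to rebuild the newest state.
    Incremental: the full plus every incremental after it. Differential: the full plus the latest one."""
    full_index = max(i for i, h in enumerate(history) if h["kind"] == "full")
    later = history[full_index + 1:]
    if not later:
        return [history[full_index]["day"]]
    if later[-1]["kind"] == "incremental":
        return [history[full_index]["day"]] + [h["day"] for h in later]
    return [history[full_index]["day"], later[-1]["day"]]


def check_3_2_1(copies: list) -> list:
    """copies: (description, medium, offsite) triples. Returns the 3-2-1 rules that are not met."""
    problems = []
    if len(copies) < 3:
        problems.append("fewer than 3 total copies")
    local_media = {medium for _, medium, offsite in copies if not offsite}
    if len(local_media) < 2:
        problems.append("fewer than 2 local copies on different media/places")
    if not any(offsite for _, _, offsite in copies):
        problems.append("no offsite copy")
    return problems


# Constructed copy layouts for the roadWay_project_01.cad example from the slides.
GOOD_LAYOUT = [
    ("roadWay_project_01.cad on the workstation", "internal disk", False),
    ("roadWay_project_01_copy1.cad on the company server", "file server", False),
    ("roadWay_project_01_copy2.cad in cloud storage", "cloud", True),
]
BAD_LAYOUT = [
    ("working copy", "internal disk", False),
    ("copy in another folder of the same disk", "internal disk", False),
]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        hist = simulate(kind)
        print(kind, "copied", files_copied(hist), "files; a restore reads the sets from days", restore_sets(hist))
    print("good layout problems:", check_3_2_1(GOOD_LAYOUT))
    print("bad layout problems:", check_3_2_1(BAD_LAYOUT))
```

On the constructed edit log the incremental chain copies 6 files but a restore must read all four sets in order, while the differential chain copies 8 files and a restore needs only the full set plus the newest differential. The second copy of a file in another folder on the same disk, a very common habit, fails two of the three 3-2-1 rules: a single disk failure or a single piece of malware takes both copies at once.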

Let's see some examples of how backups help

The dreaded "Windows update broke something"

I see this often: Windows decides to update and it breaks your computer or deletes a project file. Well, if you have a backup you can breathe a bit easier. When you get your computer working again you can continue working from the backups.

Upgrading between program versions

When moving between versions of AutoCAD, for example, a 2018 AutoCAD file may not open or work in AutoCAD 2019. But having a backup can spare you a lot of headaches if you decide to downgrade back to 2018.

Project file hand-off becomes corrupted or lost

You are assigned to work on a project and when you complete your portion you hand it off to the next engineer. The hand-off doesn't go smoothly and the file ends up corrupted. Or say your coworker's computer is no longer working and they lost all their work. With a backup you can resend the file and work can continue.

Backups are important, so be sure to backup

Now, the most important piece of advice I'm going to give.

And that is…

STOP USING THE SAME PASSWORD FOR EVERYTHING

SERIOUSLY STOP USING THE SAME PASSWORD FOR EVERYTHING

But seriously stop reusing old passwords

The LinkedIn hack demonstrates why you should NOT reuse passwords.

Imagine if you used the same password for your personal/work email as you did for LinkedIn. Hackers would theoretically have access to both your LinkedIn and your email.

But creating complicated passwords is hard. And how am I supposed to remember all those random characters?

Easy, use a password manager

  • Password managers are great and I recommend everyone start using one.
  • They function like a safe for all your passwords.
  • They can generate strong random passwords for you and even check if your password has been exposed in a security breach.
  • Just be sure to give your password manager a strong password.

But what about the passwords I need to use on a daily basis?

Use a passphrase for those occasions.

Passphrases can be just as effective as random passwords.

  • Be sure to only use that passphrase once per service/site.
  • And make slight alterations to it, for example a lot of people use Bible verses, but hackers already know that. So change them up a bit, like switch letters for numbers or combine several verses into one.
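The next block is an added Python example (not from the talk) of the three things a password manager does that the slides on reuse, random passwords and passphrases describe: it generates random passwords and passphrases, puts a number on how hard each is to guess, finds passwords that are reused across sites, and checks a password against a breach list without ever sending the password itself, using the 5-character SHA-1 prefix query that Have I Been Pwned's Pwned Passwords range API uses. The word list, the vault and the "server response" are constructed stand-ins; the breach count attached to "password" is made up, though its SHA-1 hash is real.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

# Constructed mini word list. A real diceware list such as the EFF large word list has 7776 words.
WORDS = ["bridge", "culvert", "gravel", "rebar", "survey", "asphalt", "girder", "drainage",
         "concrete", "grade", "ballast", "abutment", "beam", "trench", "mortar", "footing"]


def random_password(length: int = 20) -> str:
    """Password-manager style: uniformly random characters from a 94-symbol alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(n_words: int = 5, words: list = WORDS, sep: str = "-") -> str:
    """Random words picked with replacement; memorable, and unguessable when the list is large."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length: int, pool_size: int) -> float:
    """Guessing difficulty of `length` uniformly random picks from a pool of `pool_size` choices."""
    return length * math.log2(pool_size)


def sha1_prefix_suffix(password: str):
    """Split SHA-1(password) the way the range API does: a 5-char prefix to send, a 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the server's reply to the range query for prefix 5BAA6.
# The suffix is the real SHA-1 tail of the string "password"; the count 42 is made up.
RANGE_RESPONSES = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8": 42},
}


def breach_count(password: str, responses: dict = RANGE_RESPONSES) -> int:
    """Only the 5-char prefix would leave your machine; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return responses.get(prefix, {}).get(suffix, 0)


def reused_passwords(vault: dict) -> dict:
    """Map each password used on more than one site to the sorted list of those sites.
    A real manager keeps the vault encrypted at rest; this works on an already-unlocked copy."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print("random password:", random_password(), f"({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print("passphrase from the tiny list:", passphrase(), f"({entropy_bits(5, len(WORDS)):.0f} bits)")
    print("same 5 words from a 7776-word list:", f"{entropy_bits(5, 7776):.1f} bits")
    print("'password' seen in breaches:", breach_count("password"), "times (constructed count)")
    # Constructed vault reproducing the LinkedIn scenario from the slides.
    vault = {"linkedin": "hunter2", "work email": "hunter2", "bank": random_password()}
    print("reused:", reused_passwords(vault))
```

The entropy numbers make the passphrase advice concrete: five words from a sixteen-word list is only 20 bits, five words from a 7776-word list is about 65 bits, and a 20-character random password is about 131 bits. The reuse check is the LinkedIn lesson in code: one shared password turns one breached site into two compromised accounts.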

What to do if you are hacked?

You think you were hacked, what do you do?

  • Contact your I.T department right away and follow their instructions.
  • Contact your manager/boss.

Be prepared to give a statement.

  • There may be questions as to how you were hacked, so be as honest as possible.
  • The information you provide can be extremely helpful in either stopping or fixing the problem.

For managers/employers/owners

  • If your company is hacked follow your security policy
    • Get I.T to work on the solution as quickly as possible.
    • Provide I.T with any resource they may need.
    • Help manage employees so they don't disrupt I.T from accomplishing their tasks.
    • Contact anyone else in the company who needs to be informed, e.g. CEO, CIO, CTO, owner, upper management.
    • Lastly, contact law enforcement if hacking is criminal in nature.

Conclusion

  • So you should understand the importance of securing yourself and your company.
  • You should now know how to best work with I.T departments to ensure company security.
  • And you should treat cybersecurity as another safety measure your company takes to ensure safety.
  • You should have an idea on how to spot the most common cyberattacks such as phishing.
  • And finally you should have learned how to take action to best secure yourself and your company.

Final thoughts

  • The more proactive your approach to security, the less likely you are to fall victim to a cyberattack.
  • Cyberattacks are not going away and they will become more sophisticated in the future.
  • So be sure to be "extra-cautious", and have a healthy dose of paranoia.

Questions/Comments

Thank You!