Q&A

A hacker’s point of view:

Q: (related to RCE/Ransomware demo) “can this hack work when the Victim Device is locked?”
A: Most RCEs (Remote Code Execution) work on both locked and unlocked devices; of course, exploits can differ.

Q: “How risky is it to work on an older computer, like my 7-year-old iMac at home?”
A: If it's very old and no longer receives the latest updates, then it's not as safe. A quick Google search with the operating system and version can provide you with information if your device is still ‘supported’ to receive updates. When buying a new device, it’s a good idea to consider its supported life. For example, Apple devices typically receive 7 years of support, which is beneficial not only for security but also for resale value. In contrast, some other devices may only be supported for 2 or 3 years.

Cybersecurity framework - building blocks:

Q: (related to password managers) “What are the criteria for choosing one?”
A: We suggest performing a quick online check regarding the password manager vendor’s history with security incidents and their response to such incidents. This research helps to check the company's commitment to security and the robustness of their systems.

Also check whether the password manager employs proper client-side encryption, as it ensures your data is encrypted on your device before it's sent anywhere else.

Additionally, user-friendliness should be a key consideration. A well-designed interface makes it easier to adopt and use the password manager regularly, enhancing your overall security posture. By prioritizing both security features and ease of use, you can select a password manager that effectively protects your passwords while remaining convenient to use.

Q: (related to password managers) “Can you trust the password manager on browsers?”
A: In general, yes, the password managers in browsers mostly use secure storage and proper encryption. In terms of extra features and ease-of-use, especially between different devices, dedicated password managers provide more value.

Do not forget that the encryption provided by the browser's embedded password manager is derived from your password with the browser provider (e.g. your Google password for Chrome, or your Firefox login when using Firefox, etc.). This means that this password becomes the key to all your passwords and, just like the master password of a dedicated password manager, it is the most important password you have. Choose a long password that you can remember, such as a sentence, and that you never re-use for any other service.

Q: (related to password managers) “How often do you recommend updating passwords?”
A: We actually don't recommend asking users to update their passwords on a regular schedule (this will often only lead to 'originalpassword57'). Use unique passwords and update when it appears breached, or when you are in doubt. Also, when talking about the topic of passwords, please make sure to also use multi-factor authentication.
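The answer above says to replace a password when it appears in a breach rather than on a schedule. The following is an added example, not code from the webinar or its presenters, showing how a "has this password been breached?" check can be done without the password ever leaving the device: only the first five hex characters of its SHA-1 are sent, the service returns every known-breached hash suffix under that prefix, and the comparison happens locally (the range scheme used by the Pwned Passwords API). The service here is a constructed in-memory stand-in with made-up breach counts, so the script runs offline; the class and function names are this example's own.

```python
"""Breach check for a password using the k-anonymity range scheme.

Added example (not from the webinar). Assumed: a range service that, given
the first 5 hex characters of a password's SHA-1, returns every known-breached
hash suffix with that prefix as lines "SUFFIX:COUNT". The service below is a
constructed in-memory stand-in so that this runs offline.
"""
import hashlib
from typing import Dict, List

PREFIX_LEN = 5  # only this many hex characters of the hash leave the device


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the scheme's hash of choice)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedRangeService:
    """Offline stand-in for a breach range service (constructed data).

    `breached` maps plaintext sample passwords to made-up breach counts;
    the service only ever stores hashes, indexed by their 5-char prefix.
    """

    def __init__(self, breached: Dict[str, int]) -> None:
        self.by_prefix: Dict[str, List[str]] = {}
        for pw, count in breached.items():
            h = sha1_hex(pw)
            line = f"{h[PREFIX_LEN:]}:{count}"
            self.by_prefix.setdefault(h[:PREFIX_LEN], []).append(line)
        # Record of everything the "device" sent us, to show it is prefixes only.
        self.requests: List[str] = []

    def lookup(self, prefix: str) -> str:
        """Return the "SUFFIX:COUNT" lines for a prefix, CRLF-separated."""
        self.requests.append(prefix)
        return "\r\n".join(self.by_prefix.get(prefix, []))


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into {suffix: count}, skipping junk lines."""
    result: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank or malformed line: ignore rather than crash
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, service: ConstructedRangeService) -> int:
    """Number of times the password was seen in breaches (0 = not found).

    The full hash and the plaintext never leave this function; only the
    prefix is sent, and the suffix match is done locally.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    matches = parse_range_response(service.lookup(prefix))
    return matches.get(suffix, 0)


def needs_update(password: str, service: ConstructedRangeService) -> bool:
    """True when the password appears in a breach and should be replaced."""
    return breach_count(password, service) > 0


if __name__ == "__main__":
    # Constructed breach data: sample passwords with invented counts.
    svc = ConstructedRangeService({"password": 120, "letmein": 45})
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", breach_count(candidate, svc))
    print("sent to service:", svc.requests)
```

Because the match is done on the device, a breached password is identified with certainty, while the service learns only a 5-character prefix shared by many thousands of hashes. A password flagged this way is the one to change; the rest can stay as they are, which is exactly the "update when breached" policy from the answer above.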

Q: “What can companies do against human/user errors, especially with the rise of remote work?”
A: It remains important to create some awareness among users. We used to do these kinds of hacking demos for employees to amplify the risks and emphasize the actions a user can take. Other protections are proper isolation between applications and applying the principle of least privilege; this way the impact of any error can be restricted to a minimum.

Cyber insurance:

Q: “Given the certainty of cyber incidents, how do you see the future in cyber insurance?”
A: To ensure the landscape of cyber incidents remains insurable, it's crucial for all of us to take proactive steps. This is similar to performing regular maintenance on your car to prevent accidents. Given that hackers often don't operate within moral boundaries and tend to stay a step ahead, adopting a comprehensive cybersecurity strategy is essential.

The specifics of this strategy can vary significantly between small and large companies. For small companies, it might mean focusing on essential protections and employee training, while large companies might implement a more complex, layered defense mechanism. Regardless of the size, the objective remains the same: to mitigate the risk of cyber incidents through diligent preparation and safeguarding measures.