critical conversations

“Everyone on the planet is a target”: Ethical hacker Terry Cutler

Adam Bannister

Editor, IFSEC Global

Adam Bannister is editor of IFSEC Global. A former managing editor at Dynamis Online Media Group, he has been at the helm of the UK's leading fire and security publication since 2014.
November 2, 2018

Topping our cybersecurity influencers for 2018 is someone whose internet training courses have “easily helped over a million people”, in the words of someone who nominated him.

Judges were impressed with both the volume of nominations he received – far outstripping anyone else, in any category – and their persuasiveness. “His ability to connect with his students and his talent at teaching simple concepts, as well as more advanced topics, are both truly superior,” said one of many admirers.

Terry Cutler is founder and CEO of Cyology Labs, vice-president of cybersecurity at SIRCO Investigation and Protection and the brains behind courses designed to help the general public protect themselves against the fast-evolving threats posed by cybercriminals.

The Canadian, whose impact is sufficient to merit his own Wikipedia page, has also imparted his views on the subject on various TV shows.

We caught up with Cutler to find out more about his internet safety courses, the awareness deficit, how security threats are evolving and the merits of ethical hacking, among other things.

IFSEC Global: Could we start with a history of your career and how you got to where you are now?

Terry Cutler: I was very passionate about computers when I was 10 years old. I’ve always loved it.

I started working in IT at a young age and in 2001 started working for a software company called Novell, a competitor to Microsoft at the time.

In 2005 I started getting into cybersecurity and being inspired by watching shows like CSI and 24. I always wondered how Chloe O’Brian was able to hack into all these systems so fast.

I found a course called the Certified Ethical Hacker where they taught you the same techniques the bad guys used except we’re using these skills for good.

Armed with that knowledge I started training the general public, children and companies on how to keep safe from cyber pitfalls and internet predators.

Eventually the media started calling me for advice and comments. At one point I was doing so many presentations and keynotes, I couldn’t be in 50 places at once, so a couple of years ago I started putting together an online training course that would teach people to be cyber-aware at their own pace.

Due to all the years of pushing out free awareness content in the form of articles, TV media, radio media and live presentations I was awarded some heavy industry awards like the Cybersecurity Excellence Award for Educator and Cybersecurity and Intelligence Academic and Leadership Award, and then in 2018 was named #1 most influential expert in the cybersecurity category. This brought a lot of attention to my Internet Safety University training course.

For a training course to be successful, it needs to be ‘edu-taining’. It has to be fun to listen to, with a bit of humour. It has to be thorough and in layman’s terms – so simplicity is key.

IG: What kind of people tend to take the course?

TC: The course is for people just starting out with cybersecurity: the general public, parents, small businesses… There’s a whole bit about how to stay safe online, how predators track kids to the doorstep and lure them into prostitution and such.

My goal is not to make them cybersecurity experts, just to make them aware so they don’t get hacked.

I’m starting a course now where I take an IT guy and bring him into the cyber world. We’re short-staffed [in terms of cybersecurity professionals] by about two million people worldwide.

IG: There’s a good income to be made in cybersecurity then…

TC: Yes, but at the same time nobody wants their services until it’s too late – so it’s like insurance. Your house gets robbed and now you want to buy an alarm system.

IG: So people tend to be complacent about the threat?

TC: Yeah. For example, I often go up to [small-business owners] and say “when was your last intrusion test?” They say “never, because I’m a small company and nobody will want to hack me.”

Then they get hacked, and it’s like: “Terry, help!” Then I say: “I told you about this last year…”

IG: Whereas people would never dream of leaving their physical doors unlocked or not setting their intruder alarm… Will attitudes towards cyber ever become more like they are in relation to physical security?

TC: I find it’s changing more and more now. But the problem is, they don’t grasp something like ransomware.

Everyone on the planet right now is a target – whether you’re the IT guy or a grandmother who turns on her computer once a month to check her email. The goal is to get this training programme into everyone’s hands so they’re aware of these dangers.

IG: Presumably you have to update the course frequently and you’d advise people to update their own knowledge periodically? The threats are mutating all the time…

TC: Exactly. It’s got to the point now where if you get hit by ransomware, the scammer can say: “I feel bad for you. But you know what, go and infect two more friends and I’ll decrypt your data for free.” It’s that bad.

IG: It’s like a pyramid scheme. What other worrying new threats do you see emerging?

TC: There’s a new emerging threat in regards to extortion. A lot of people are receiving emails saying: “Hey, you don’t know me. I’ve hacked into your computer with your password. It might be old, it might be new, maybe the last time you used it was 10 years ago… but I infected your computer. I have you watching porn. And if you don’t send me $2,900 I’ll send this video to all your contacts.”

I think I got nine emails from people hit with this scam this month.

IG: It’s surely pretty easy for these criminals to evade detection compared to those committing traditional, physical crimes like shoplifting or burglary…

TC: Because they’re asking for small amounts of money. It doesn’t make sense to spend tens of thousands of dollars to launch an investigation where a guy’s computer is in China or Russia to get back 3,000 bucks.

IG: Is there anything more that governments, or us as a society, should be doing to better combat this problem?

TC: I definitely think there’s not enough awareness. I have the same problem with my training program – especially when it comes to parents or a small business. They’d rather go home and watch the Bachelorette than learn how to protect their business online.

And developers are often coding software for convenience without security in mind.

There’s no accountability – that’s the biggest problem right now. Especially in Canada.

There’s got to be new privacy laws saying that if you get breached, you have to disclose it. We’ve come across cases where a breach happened and they did zero to protect customer data. They had a Linksys firewall and they didn’t get penalised. At the very least, there should be fines or penalties.

IG: Well the GDPR has certainly set the template for such a tough approach. Tell me a bit more about ethical hacking. You still do that personally?

TC: I wear multiple hats. I offer my training programs through my startup company called Cyology Labs and I work full time for a private investigation firm called SIRCO, where I run the cyber division. This is where I offer penetration testing services and what’s called offensive security, which allows us to hack the hackers back, legally – trying to find where they’re coming from and things like that.

IG: What advantages does ethical hacking have over other methods of protection, like a piece of software for instance?

TC: I always tell the customer: “If it’s not me testing you, someone else is.”

The biggest difference between us and the bad guys is that we obviously have legal authorisation by the client to hack them. We try and find as much as we can in the time and budget we’re allocated.

But we can’t find everything. There could be 100 doors that the company is in charge of closing, but the hacker only needs one way in. That’s a challenge.

I can complete a test today and give you a stamp of approval that this thing is rock solid. But two weeks later a zero day might be discovered which will invalidate my whole test.

IG: You mentioned the myriad vectors of attack and the attacker only needs to breach one. The growing number of connected things will surely only amplify this problem?

TC: The weakest point, obviously, is the users. If I can get a user to click on my link, I’m in.

But I think the biggest problem in the future will be about third-party devices coming into the network. These third-party devices often have no security.

You may have heard the case where a Vegas casino had an airtight cybersecurity strategy in place. But they brought in a fish tank with a remote sensor to clean the water. The hackers hacked into the fish tank to get access to the corporate network.

IG: What are your plans for the future?

TC: I’d like to start getting into software development, so I can help consumers protect themselves with an ‘easy button’.

And we want to train more IT guys to be cybersecurity experts to fill that skills gap. That’s my mission for the next couple of years for sure.

I’m starting to get approached now to be a video game advisor for hacking. So there’s a chance I might have my own avatar in a game in future! I’ll be immortalized :)

IG: Were you surprised to reach the number one spot on our cybersecurity influencers this year?

TC: My goal was just to make the list! I didn’t care where I was. I didn’t think I’d be number one. I feel like a con, a fraud compared to others in the list!

IG: Seems very well-deserved given the sheer volume and persuasiveness of your nominations!

Find out more about Terry Cutler’s Internet Safety University by visiting TerryCutler.com

 
