With a new year come new threats, smarter hackers, and new best practices for minimizing risk. In this webinar, you’ll learn how to keep your clients’ personal information protected while enabling your employees to securely work anywhere on any device utilizing virtualization, biometrics, multi-factor authentication, and other security best practices.


Download webinar slides here

Kalei White

Hello everyone and welcome to today's webinar. My name is Kalei White and I'm a marketing coordinator here at AbacusNext. Today we have the fortune of being with Tomas Suros. He's our Chief Solutions Architect and we'll be going over the latest in cyber security and the cyber exploits from which you should guard your firm. This will be about a 30 to 45 minute webinar. Later you will receive the video recording via email, so don't worry about taking notes or anything like that. We'll also make the slides available to you as well.

Please feel free to insert your questions into the questions portion of the GoToWebinar control panel, and we can get to those towards the end if there is time. If not, we will get back to you. Without further ado, I'll let Tomas take it away.

Tomas Suros

Alright. Thanks Kalei. Thanks everyone for attending today. We have a lot to cover. I will jump right in. What we'll cover today is a view of the landscape, specifically what are the current attack vectors? What are the new ones? What is known? Overall kind of a view of extortion, based on ransomware, and some trends, internet of things and things like that, that are becoming more and more prevalent from a user perspective, but also how security on those environments help you or not.

We'll examine specifically the attack vectors and the landscape. What we've seen, especially in 2017 was an overall growth by something like 300% of ransomware, specifically. It's a global threat. Often times the attacks are focused on infrastructure, on small businesses, on really businesses of any size. We'll also talk about passwords and biometrics as we move forward. I want to give you a sense of how this specific graphic is displaying ransomware attacks across the globe.

It's not just a North American issue. It truly is a global attack. A lot of the actual innovation, to use that word kind of loosely, a lot of the kind of newer attacks are coming out of eastern Europe and have been based on kind of global espionage between states who use these attacks to gain information, specific information about other states, other actors, on the global stage. That same technology is being used to exploit and extort information and money from business within countries all over the globe.

Just to kind of quickly review some of the major attacks that were publicized from last year, Equifax effected more than 145 million people across the world. If you think about that, that's pretty close to the majority of adults within the United States. That is not only your contact information, your name but also social security numbers, financial information. It was truly a breech that happened at one of the organizations that is on the forefront in protecting your most private, most personal information. That breech happened basically because a customer feedback site that Equifax had was using an unpatched web server. It's this idea of these organizations where maybe their front end, the front door where they're protecting their information is guarded and focused on, but there's always that one. All it really takes is one weakness right, one point that can be exploited and basically led to the exposure of very personal information for over almost 150 million people.

Also Uber, I think the hack on Uber is instructive, specifically in the way that they mishandled it. Uber was violated, or they had information stolen and instead of being transparent, owning up to it, recognizing this is a threat. We need to contact individuals. We need to close that loop as soon as possible. Instead, Uber paid the ransom and asked the hackers to sign non-disclosure agreements. Then eventually that information was released. The CIO was forced to resign. It was yet another black eye to Uber over a series of missteps let's say at a corporate level, but 57 million people's information that they used to sign up with Uber was exposed via that hack. The cover up actually ended up being worse than the hack in some ways, and we've yet to see the end of that because there are a flurry of lawsuits being filed currently against Uber for their mishandling of that specific attack.

Also, WannaCry is probably the most prevalent ransomware from last year. It effected over 300,000 systems across the world. One of the things that was very significant was the National Health Service. This is the UK's networked health services where patient records, and medications, prescriptions, things like that were on that system. WannaCry effected a couple of locations and then spread its way throughout that entire network encrypting every single workstation, every single facility, every single clinic, and led to the latest information I saw: over 19,000 procedures including surgeries, were forced to be canceled based on that type of attack.

Some other ones, you know Yahoo, three billion accounts were exposed and in San Francisco, their municipal transport system, the light rail ticketing system was brought down for a number of days by a ransomware attack. We're seeing these attacks, not only at the business level, the PC, the network level, but globally and against infrastructures, power grids, water grids, water supply conduits, and transit systems. Also, universities, hotel chains, Verizon they were also affected significantly. What we're seeing is broad, global based attacks against these networked systems where the information and its value, the protection of that information is really the value. That's why they become targets for these types of attacks.

Okay, if we're talking about the landscape currently, ransomware remains the most virulent attack vector, but also Meltdown and Specter are maybe two types of hacks that kind of burst into the news, probably in the middle of last month and certainly have been getting a lot of press recently. Let's take a look at exactly what those types of exploits are.

The Meltdown and Spectre Attacks

Tomas Suros

Meltdown specifically is a vulnerability that has been found in Intel chipsets. Intel basically means most Windows machines, most Mac machines, MacOS machines, tablets and what not, are affected, because the speculative execution means that your system is predicting, based on what you've done in the past and what you're doing now, what it anticipates that you'll do next. By doing that, it actually loads information into memory. That speculative execution stores that information and from it, basically that information via Meltdown can be actually extracted. That can include passwords, personal information, and other items that your system is loading at a chip level. This is really interesting where it's an Intel chipset and the memory that that chipset uses to optimize speed, that is an exploit where the meltdown is effecting a system's ability really to protect that information, because it can be exposed and a hacker that uses Meltdown and has applied that to a system, can actually extract that information in a readable format.

Another thing you've heard maybe is Spectre. Spectre is harder to apply but it's also harder to prevent, or to mitigate against. Specifically Spectre is another vulnerability at the chip level. This one is in AMD and ARM chipsets. Basically, this is where malicious code can be introduced, which breaks the isolation between different applications. What that means is you can have access to one application, and pull protective information from a different application. That data leak is a risk that we're all kind of assessing and mitigating against now, with some things that you can do today, obviously to protect yourself.

Ways to Protect Yourself from Meltdown and Spectre

Tomas Suros

Firstly, patch your operating systems. I know that for Macs, Apple has released an OS patch. I know that Windows has as well. I know that Google has issued a patch for the Chrome browser. The Chrome browser actually stores quite a bit of information for you as you kind of navigate your way through the web.

These are the things that we should all do today. Don't do the remind me later. Don't push it off. These types of exploits, especially as they're being used now by hackers, you can't protect yourself if you don't patch your operating system. Patch your browser. Patch your servers or clearly reach out to your IT support professionals to patch your servers. Update any applications that you have and you rely on regularly. It is kind of a blanket need to update all of them as quickly as you can.

Also, something that I would recommend, and this is more of kind of going forward, is to move away from discrete or specific antivirus applications that run on individual machines, and move towards end point antivirus. End point antivirus basically means throughout a network, you can actually control when and how the update process works, rather than having it being piece meal or having one machine that was patched. The other machine wasn't, creating kind of an inconsistency that often times exposes or presents opportunities for hackers. Those are some quick ways that you can protect yourself against Spectre and Meltdown specifically, and also do your Googling. Do your research. Make sure you are aware of exactly how these exploits are being used now, and as we go forward, security experts are really learning quickly how to one, protect against the risks but also how to define the risks. It's another way of educating yourself.


Tomas Suros

Okay. The next main topic I wanted to cover is ransomware. You, as a small business owner or someone who is involved with a small business are a target for ransomware, more and more so over the years. What is ransomware? Very quickly, it's a type of malicious software, malware, that's programmed to encrypt data and block access to a computer system until the money is paid. That's truly ransomware.

WannaCry entered the scene in May of 2017. It was a global attack where over 300,000 systems were infected. Most of ransomware looking backwards has come in via kind of phishing emails where it tries to trick you into clicking and downloading the malware. It takes one attack in order to spread throughout your entire systems. And that is one of the things that's really become more troubling about ransomware. It used to be truly encrypting your data, offering you a decryption key for a price. However, ransomware is also used, as I mentioned, in kind of state sponsored espionage and attacks going back and forth.

The NotPetya specifically was a variant where it infected the power grid in the Ukraine. It spread around the world via emails that were forwarded and other bad actors that were using that. The problem with NotPetya is you couldn't pay the ransom. The actual mechanism that was built into that ransomware, meaning pay this bitcoin by this date into this encrypted account. The encrypted account didn't exist. That's kind of what we're seeing is as ransomware has grown so quickly, your ability to even kind of pay the ransom to get your data back, is being effected, because ransomware is being used for other devious purposes beyond just extortion. That's something to really concern ourselves with, understanding that that is one of the risks that we need to mitigate against.

Okay, so what are some of the common elements? All it takes is one infection, so it's that one computer back on the oldest computer on your network that was the last to get patched, all it takes is that one workstation to then move to shared drives, and to your back up files and even in that kind of WannaCry, in the UK, it literally moved from network to network throughout their entire system. Maersk the shipping magnet is another example where in Denmark a server was effected that then populated or spread itself through their global network including their data farms in India. It's this idea of if all it takes is one kind of weak point to attack, once it's secured that foothold, it can then spread itself quickly throughout a global network in many instances.

Common elements: some recent attacks, Mecklenburg County in North Carolina where I think Raleigh is, was attacked with a ransomware. This was a municipality. They decided no, they weren't going to pay the $30,000 and today they are still in the recovery process, and it will take them months if not years to be back up and running. You certainly have compassion for a group that's been attacked like that, where they did not have a disaster recovery or business continuity plan in place and they were faced with a tough position and basically decided no. We're going to rebuild from scratch and they'll be effected by that from a long time. I touched on the WannaCry. That's the National Health Service in the UK. Maersk the shipping magnet, with their Denmark server being exploited and spreading around the world. Merck Pharmaceuticals.

Also, there as an ISP called Nayana in South Korea that actually paid a million dollar bitcoin ransom and really set a new precedent for who's going to pay, and another way to look at it, it's also attracting players who see this as a profitable way to attack, to the extent whereas of Q3 of last year, there was a ransomware attack in the world, every 40 seconds. It's showing you how rampant and how really popular, for lack of a better term, this type of hacking attack is happening.

Why would you be effected? Well, it's extortion. It's a for profit global criminal enterprise. Because of the rapid escalation in the value of Kalei's bitcoin, and bitcoin on the market, the prediction of one billion dollars extorted quickly rose to over five billion in the last year.

Kalei White


Tomas Suros

You are a target because based on the analysis, you will pay. If given the opportunity and the pro/con that the risk analysis or your decision point is, do I have the ability to restore all my data or not? It really puts you in a very difficult position. Also, there is that high duty of care. Your reputation, the regulatory and compliance standards that you must follow, once you've kind of taken on information that you hold and protect to your clients, if it's been exposed, if you've been the victim of a ransomware attack, you're in a very bad position. Not only do you have to notify clients, but if you pay that ransom, it certainly puts you on a list and increases the likelihood that you'll be attacked in the future.

Some other ways and why now exactly? Why is this growth happening? Well, there are still vulnerabilities that are widespread, specifically with outdated infrastructure. Equifax, whose job, whose sole role is to kind of protect information and be this kind of industry leader in accounting and financial information for clients, had an outdated server that was unpatched and was exploited. That type of layered, legacy architecture to a lot of IT solutions that are out there, all it takes is that single point of failure.

Also, there's this misconception that's pretty widespread, specifically that "Oh we back up our data, both in the cloud and locally and offsite." We have this strategy in place. A back up of data means you can restore any file in that backup. That's only the starting point, because what these types of attacks actually do is, they effect the machine you're typing on at this moment, and the server, and the servers down the hall, and the servers that are across the world. Really these types of attacks bring down your entire environment. Literally, every machine, every file, and every server and all your hardware. It's a different way of thinking about it. It's not necessarily just backing up your data, you literally need to back up your systems and be able to restore them to the last good state, which is why a lot of kind of virtualization and cloud architecture is becoming a necessity.

Here's another thing that drove me mad. There was a test recently conducted earlier last year, where subjects basically went to a business and they took everyone through a training plan. They said, "This is what Ransomware is. This is how you're most likely to be attacked. This is what you can do to prevent it."

Then, a week later they came in and sent out a phishing email to the firm saying, "Click here. We need to update your password. This is security..." or whatever it said in it. 78% of those people who had just gone through a training clicked on the link anyway. That's kind of the maddening concern now, where there's not enough education. How ransomware is delivered and the attacks are implemented changes rapidly. There's this cat and mouse game and outdated infrastructure presents those opportunities for this malware to go into a system and encrypt everything and in other words create a block, being able to conduct business going forward.

Kalei White

Even at Abacus, I received phishing emails and one way to guard yourself against that is do you know that that's your boss sending you that email? Is it out of left field? Should you call them and say, "Hey. Did you just email me this document? Should I open it?" That's really important because they can even impersonate your boss and you don't even know.

Tomas Suros

Right, and that's part of why these are really so effective is that the ability to kind of exploit that one person on the wrong day and the wrong time, who just happens to click. That's all it takes. It's really difficult to protect yourself. Instead, really the goal now is to kind of mitigate the risk and like in a webinar like this, the goal is to kind of explain exactly how the current state of these attacks are happening. You know that. You won't click on the last known type of attack, but the next one is something that we aim to kind of educate and show you as well.

A couple other things, it takes a second to encrypt. These types of malware encrypt 200 files per second. You can imagine how very quickly it could work its way through your network and make all those files unreadable to you. Even the average ransomware amount in 2016 was just over $1,000. Of course that's growing rapidly as we mentioned earlier.

Phishing Emails and Other Attack Vectors

Tomas Suros

Some of the attack vectors, how you might kind of recognize them coming in, clearly those phishing emails. If there's anything fishy about it, it feels wrong, they misspelled or the language doesn't quite jive, step back. Don't click. Don't use that email. Trust and verify. Go out and ask your boss. Spend the additional time and ask for confirmation from anyone who might be attempting to kind of trick you with that phishing email when they really just want you to click on that link.

The problem with a lot of these ransomware kind of phishing emails is the files appear legitimate to an antivirus program. What we used to do, we used to rely on antivirus to identify and weed out files before we'd ever touch them. There's even more nefarious attack sectors specifically driven by downloads or kind of web ads that all you really need to do is visit a website, and you're visiting, you're loading that page in your browser which can actually bring malware into your local system. Those are the cutting edge ways of attack vectors, I should say.

Vulnerability of The Internet of Things

Tomas Suros

Some of the security trends we're seeing have to do with the internet of things, IoT, that's what that acronym stands for. Everything from thermostats, you can kind of send email or text back and forth to your thermostat to your toaster. That's being a little glib but all of these connected devices, all of them being part of your network and being rushed to market, where the next kind of cool way to use the internet and connect to all these different types of devices and services, create attack opportunities.

In all my reading and all my research looking forward to 2018 is the internet of Things, everything from your Alexa to your smart phone, to the apps to the webcams to the baby monitors, all of those are connected devices that also share common information in a cloud environment. That's something where a lot of cyber security is focused now on locking down a lot of devices that are already out in the wild, which is of some concern.

Kalei White

Alexa is always listening. She scares me!

Tomas Suros

Yeah, it's true.

I'll be playing a game with my friends for game night and everyone forgets that she's on and she's listening to every single thing we say.

Tomas Suros


Kalei White


Tomas Suros

Where that information is stored, who's using it for what, and who has access to it, those are some of the really important questions that will need to be resolved quickly. I think this year we'll see a lot of movement towards protecting and locking down the internet of things.

Anyone Can Be a Hacker Today

Tomas Suros

Also, now there is Ransomware-as-a-Service. It's gotten to the point now where you can go in the deep web and actually buy a ransomware kit. That's why these millions and millions of files are flooding the internet because it no longer takes a true hacker or somebody who has an in depth knowledge of hacking or even to create the attack themselves. Instead, you can actually go out now; it's almost like ransomware in a box, that you can buy.

This is not going away. What we're doing [At AbacusNext] is always asking ourselves, "What are the trends?" What are the common elements and then of course how can we continue to advise and protect clients, and mitigate the risk based on that awareness.

Tools and Methods for Cyber Threat Protection in 2018

Tomas Suros

Okay, what are some of the ways that you can protect yourself now that we're kind of aware of the current landscape and maybe some things that we'll keep an eye on looking forward. Mulit-factor authentication is something that I'm a proponent of. I think it's easy to implement and it gives you multiple factors, protection that most people, I should say, don't currently have. Availing yourself of encryption, email encryption and encrypting your phone. There are a number of easy ways you can implement that.

Biometric identifiers, I'll touch on that in a second in a little bit more detail but I like biometrics because they are now using sensors that are more accurate so they give you some protections that way, and it's easy for you to remember because it's basically your voice, your fingerprint, a number of different ways that you can identify yourself uniquely and easily.

Also, of course this is the one I'm going to touch on and really stress today is strong passwords. There are known and best practices for using passwords and too often I work with clients that simply are not following them correctly.

Password Tricks

The idea of a spoken password is something that's been used throughout history. In 1961 at MIT, their CTSS system was the first time an actual networked computer with different accounts was implemented so they created passwords for each user. Within a year, there was the first password related breach where somebody could find the unencrypted password file and basically expose and remove any kind of protections that those passwords actually presented. Then, fast forward to 1997. That's when the advanced encryption standard, that AES in AES256 bit encryption. That's the current standard. It is exponentially stronger and it's really what I recommend that you use currently at the database level, at the OS level, and certainly on your mobile devices that are maybe easier to gain access to from a hardware perspective.

Okay. We use passwords daily. Daily, in the morning you sit there and you log in using your password. What? That is your operating system. That is to your network, right? All the information that you share and you use regularly, but also smart phones, all the apps we use, software, email that we send back and forth, databases, websites, even your ATM, the alarm system when you leave the house, the WiFi as you move from one network to the next, point of sale terminals that you're typing in a PIN. We're using passwords in a way that I'm not sure all of us are constantly aware of, because it's so prevalent.

Let's talk about some best practices at a password level. I strongly recommend you use strong passwords. Make sure the length is over seven characters. For complexity, use alphanumeric characters. Randomness, don't use your birth date and your girlfriend or your kids or your spouse or anything that can be easily guessed based on who you are and information that could be found about you. This is something that I need to stress. Don't reuse or auto-save your passwords. I understand why people do that from a convenience standpoint. It's maddening if you constantly have to reset your password because you can't remember the one that you added last week, but there are a number of different ways to help you with that.

Specifically, multi-factor authentication and biometrics can actually remove some of that inconvenience from constantly feeling like you're adding or recreating new passwords. Another way that can kind of help you is this idea: It's like a mneumonic. It's the idea of helping you memorize concepts or information. Choose a person, choose an action, and choose an object. That can actually help you create a phrase and a passphrase is often times easier to remember than a random string of numbers and characters. That's something I often recommend. I use that myself, person, action, object. I create these phrases and they're really the first three letters of a person, something that they were doing and where they were doing it. Those are different ways that you can actually create very strong passwords that are random, and that you will remember. Also, please change your passwords regularly.

Biometric Authentication

Let's talk about biometric authentication a little bit. What is biometric authentication? Well, it can be your finger print. I use my fingerprint on my phone every day. It can be the geometry of your hand. In many of our data centers we have actually a palm reader. The palm reader is even stronger than the fingerprint patterns because there's just more data points to use to create that unique identifier. Your voice pattern, that's something that was used regularly and it kind of fell out of favor, and I think it's moving back into something that a lot of people are looking at now. Other biometrics involve your iris or retina and even facial recognition. I kind of left that for last because there's been a big push by the iPhone.

The newest iPhone and Face ID, is really Apple's huge bet on biometric authentication. It creates a 3D map of the user's face. Really the nice kind of use case is, you literally just look at your phone and it authenticates you and unlocks. The way that it creates that 3D map is not just visual. It's using three or four sensors in the phone to create a beyond visible light kind of idea, this concept of creating your profile. That's how it can be a million to one, the accuracy level, versus the 50,000 to one accuracy that was claimed for touch ID.

These are the types of biometric aspects and with 20 million of these devices anticipated to ship, maybe that's been adjusted slightly down, but it's widespread. It's truly a technology leader's biggest bet on this type of authentication.

Kalei White

Have you tried that?

Tomas Suros

I have seen it in action and I've had no issues with it. With glasses on, and yeah. It's pretty spectacular in the way that it, at least in the use case, the ease of use. That's one of the things that will make a big difference is giving you that level of protection without kind of the onerous use case or that you need to jump through too many hoops to gain the benefit of an additional layer of protection.

Okay. What are the benefits of biometric authentication? You don't lose your password, because it's always connected to you. You don't worry about forgetting your fingerprints or hack passwords necessarily. There are very specific scenarios where these types of protections can be exploited, everything from your fingerprint on a gummy bear to a Vietnamese kind of security company that was able to trick Face ID. That is really the exception. It's not the norm. Really, if you go through the process of creating your biometric kind of fingerprint, you true profile, it's always unique to you. You don't need to update it or change it regularly. There's a high degree of accuracy specifically in the newer devices. Also the speed, efficiency, and convenience of using biometrics, which is not something you need to remember necessarily. It's something that you literally, it's you. It' something unique to you going forward.

Multi-factor Authentication

What are some other kind of advanced authentication methods for your firm? Multi-factor authentication. This is something that I push and I stress regularly. Your user name and password give you a lot of protection but that single layer of protection, if you add a second layer, you have exponentially improved your ability to protect the network or the system that you're accessing. The use case is not so bad. Specifically, I can go to a system, log in with my user name and password, using a multi-factor authentication tool, it then pings me via a different avenue to confirm my identity, and confirm that for the session I want to access, the network or the system that I'm using.

Here's an example over on the left here. I have an app on my phone so when I log in to my virtual environment, it sends a message. My phone chimes. I look at my phone. I use biometrics to access my phone. Then, I have an approve or deny green or red button on the screen. So, as you can see here, I am 1) using a password, 2) I use my finger to access my phone and 3) I click green. That means a number of steps and as an automation expert, I'm always looking to minimize clicks but those three steps give me a tremendous amount of protection outside of the device I'm using. It's kind of like the idea of your bank card and your PIN or the key to the lock and the key to the deadbolt, making that door that much more secure.

I firmly believe that multi-factor authentication will become a necessity going forward this year. If you don't have it now, certainly reach out to us. We can do a Cybersecurity Assessment with you and recommend a number of easy to adopt and kind of implement, how to roll that out in your organization. The real goal is to not make it more complicated for you to use your system. What it does is it gives you an incredibly more powerful way of protecting that first access and with that, it gives you peace of mind. Often times, I know that I would receive if someone else was trying to hack or access my account, it's likely that I would receive a notification on my device saying, "Do you want to authorize this?" At that point not only can I deny it, but then I can send that information to my IT and my security team would know if an exploit is being attempted.

A couple of ideas about multi-factor authentication, a disconnected token is that idea of a smart phone app. A connected token is a USB dongle that has maybe a rotating series of numbers or something like that, that's synced up with software. That's the idea of inserting a USB device to give you that multifactor authentication. The other one is the inherence factor and the idea of biometrics. What I just described is, I use biometrics and a smart phone app as part of my multi-factor authentication that works nicely with my user name and password that are unique to my account.

Multi-factor authentication and also authentication best practices. This is more of a review. Certainly use strong passwords. Something else that I use that I would recommend is a password manager. We use LastPass. I know a lot of people use One Pass. They are password managers that help you manage all of your passwords. Certainly we all are kind carrying around a lot them. If you use star passwords and have a password manager that helps you update them regularly, that helps you with multi-factor authentication and puts you leaps and bounds forward into a true best practices authentication kind of protocol. It's easy to implement. Certainly reach out to us if you ever want information about the options that are available to you now, and how we can help you get that up and running on your system.

Certainly change your passwords regularly. Use multi-factor authentication. Avail yourself of biometric devices, either on your smart phone or there are even kind of USB kind of dongles that you can add to an existing system and they actually give you the ability to kind of swipe your fingerprint as a way of not necessarily needing to remember yet another strong password. Instead, leverage biometrics as part of your multi-factor authentication strategy. Also, the ability to authorize by MAC address and a MAC address is simply the kind of hardware footprint of the device you'll use to connect, which means even with your multi-factor authentication, if somebody tried to outside or not using the device that is approved to even initiate an access attempt to your network, that's a nice way to lock it down. Or, if you have a remote work force, you can use IP range approval. An IP is just a kind of internet number that identifies where you are when you're connecting to a network.

AbacusNext's Private Cloud and Security Solutions

Tomas Suros

Those are some of the best practices, relatively easy to implement. We can certainly help you in the private cloud in Abacus, or even in your current network we're using any of the products in our system. A lot of what we do is manage multi-factor authentication. We do the IP address filtering. We do encryption at the database level and data in transit and data at rest. There are a number of different layers that we can help you implement any time you're ready to kind of move to a private cloud architecture. It's a nice way to make sure that you're really availing yourself of what the current best practices are, and as your technology partner, we can be there to kind of present options, talk through how you regularly do what you need to do, and really create a solution that gives you best in class protection as of right now with constant awareness of how we need to adapt going forward, always looking to mitigate risk, always looking to ensure that your convenience and access to the information you need is not overly complicated.

Instead, we give you a nice way to protect yourself, inherit the best in class security architecture, and have that be a moving target going forward where we're constantly updating, enhancing and rolling out new ways to protect yourself.

The Take-Home Message

Tomas Suros

Okay. Last but not least, these are today's next steps: 

  • Update your system and applications as soon as possible; especially for mitigating the risk of a Meltdown and Spectre attack.
  • Use strong passwords.
  • Change your passwords. 
  • Deploy multi-factor authentication.
  • If and when you're ready, leverage biometric security.
  • Think about using a password manager.

There are a number of different ways where you can avail yourself of these powerful protections and yet not inconvenience yourself by leveraging some of the software solutions that are available.

Maybe the next step also, if you're interested in having us conduct a Cybersecurity Assessment, reach out to us. That's something that we do on a daily basis. Often times it's something where even if we don't end up working together after that, it will give you a clear sense of where your current system stands and we can identify some of the things that if there are weak points, at least you have that awareness after that assessment. That's something I would recommend if you are interested.

Kalei White

Before we get to the question and answers, I'm just going to run a quick poll where you can indicate right here, if you would like more information or about Abacus private cloud. If you would like us to reach out to you for a cyber security assessment, we would be glad to do that. Yeah, please feel free to insert your questions now. I'll also take this minute to announce the winner of the Amazon gift card. We promised we'd award one to one of the attendees of today's webinar. Thank you all so much for being here. It was really fun. The winner is Tammy. We will send you that later on today. Thank you so much for joining us. Thank you everybody for participating in today's poll. I'm going to close that now. We'll get to your questions.


Kalei White

The first question is, "I've read that cloud providers are susceptible to the Meltdown attack. Can you speak to that?"

Tomas Suros

To the Meltdown? Yes, actually. There is a lot of concern where information in the cloud, specifically public cloud environments could be susceptible to Meltdown because a lot of cloud providers use Intel chipsets. Meltdown is a specific exploit where it can basically find and extract protected information from those chipsets. There is kind of a focus on cloud providers and almost they're not exclusive but widespread use of Intel chipsets. I mean, that's a real concern.

One of the things that I can only speak to kind of us as a specific cloud provider, one of the things that our information security and cyber security teams have done is to clearly stay on top of every patch and update. In some ways it's actually an advantage to you or to our clients who are in the Abacus Private Cloud, because we have security teams.

Our engineers who not only are staying on top of information, the kind of cutting edge information as we're learning more and more about these types of exploits, but our ability to patch a cloud system is more proactive rather than reactive. One of the things that often times makes local IT or puts local IT support at risk is that until something is broken, you don't actually know to go out and ask somebody to fix it. It's kind of the idea of kind of proactive application of those updates, at the kind of workstation level, even it's virtual, at the server level, at the database level.

That's something that our teams are right on top of. The moment a patch is released, we go through our protocols to vet it, validate it, and then update it at a system level. Every one of our clients is patched via that kind of proactive process. In many ways that can shorten the time needed to make sure that the patch is rolled out and applied. Also, it removes that idea of patches being inconsistently applied, maybe in one location but not the other, maybe on this machine but not the one down the hall. I do understand the kind of motivation behind the question, but in many ways, cloud providers have that responsibility and are able really, they have the technologies and the processes in place to apply those patches just like everyone else will need to, to protect their chipsets. I do understand the question but it's one of the things that we're doing is being able to proactively apply, roll out, and make sure that our clients are protected against Meltdown today, and Spectre and anything else that may come up in the coming year.

Kalei White

Well thank you so much Tomas. That's about all the time we have today for questions but feel free to send them to webinars@abacusnext.com if anything occurs to you, as you go about your day, and thank you so much again Tomas. It's always so fascinating when we hear your new insights. Have a wonderful day everybody.

Tomas Suros

Thanks everyone.

Want to learn more about what Abacus Private Cloud can do for your firm? Get in touch today!