Hanno Ekdahl is the founder of Idenhaus Consulting, a professional services firm specializing in the design and implementation of Identity Management and Cybersecurity solutions.
With more than 15 years of experience in Identity and Access Management, Hanno has a deep understanding of how the cybersecurity space has evolved as well as mission-critical insight around the challenges IT leaders and their organizations face in order to prevent, identify and mitigate security breaches, enhance regulatory compliance and safeguard customer information.
With clients in numerous sectors including financial services, CPG, healthcare, retail, manufacturing and the public sector, Idenhaus excels at helping organizations build and maintain effective Cybersecurity programs by focusing on the importance of leadership as well as the communication of business issues and value of security programs to all levels of the organization.
Hanno received his Masters in International Business from the Moore School of Business and an undergraduate degree from the University of North Carolina – Chapel Hill.
Originally from Chapel Hill, North Carolina, Hanno now resides in Atlanta, Georgia with his wife Carmen and enjoys running, travel, and skiing.
Follow Idenhaus Consulting on LinkedIn.
What You’ll Learn In This Episode
- Services offered
- Some general cybersecurity trends
- How organizations manage their cybersecurity risks
- Advice to better protect themselves from a cyber attack
This transcript is machine transcribed by Sonix
TRANSCRIPT
Intro: [00:00:04] Broadcasting live from the Business RadioX Studios in Atlanta, Georgia. It’s time for Atlanta Business Radio brought to you by OnPay, built in Atlanta. OnPay is the top rated payroll and HR software anywhere. Get one month free at OnPay. Now here’s your host.
Lee Kantor: [00:00:31] Lee Kantor here, another episode of Atlanta Business Radio, and this is going to be a fun one. But before we get started, it’s important to recognize our sponsor OnPay. Without them, we couldn’t be sharing these important stories today on the Atlanta Business Radio. We have Hanno Ekdahl with Idenhaus. Welcome.
Hanno Ekdahl: [00:00:49] Thanks, Lee. It’s a pleasure to be here.
Lee Kantor: [00:00:51] Well, I’m excited to learn what you’re up to. Tell us about Idenhaus Consulting. How are you serving folks?
Hanno Ekdahl: [00:00:57] How are we serving folks? Well, hopefully with a lot of good cybersecurity advice. So Idenhaus started almost eight years ago in March of 2014. We started with some identity management and cybersecurity work for some local Atlanta companies and have evolved from there. Part of what we do is help organizations get their arms around their cybersecurity posture. How well are they protecting their systems? And then help them move from where they are today to a more secure position in the future.
Lee Kantor: [00:01:29] So now what was the genesis of the idea? I’m sure the tactics have changed dramatically in the eight years you’ve been around, but maybe foundationally and fundamentally the idea of cybersecurity is kind of the same, I would think.
Hanno Ekdahl: [00:01:45] So, yeah, the notion of cybersecurity, I mean, you know, it started with usernames and passwords back in the day, right? And then once we started networking computers together, the security model started to change because now it’s not me logging into my local desktop. Now I’m logging into a network, and so everyone potentially has access to everything. If anyone can log into your network, so then how do we start segregating things off to protect them? And those techniques have evolved dramatically over time. So password protecting folders. But on a more sophisticated level, if you think about your network as it used to be, like inside, outside, like a castle, right? So anyone who got through the front door of your castle could get access to everything that was inside the castle, and we’ve changed that model now. So we have things like network segmentation where you think about having like secure rooms within the castle that each one has its own security that’s hardened and makes it very difficult to get in. So just getting in the front door doesn’t necessarily get you anywhere interesting.
Lee Kantor: [00:02:49] Now, how has the pandemic impacted your business in terms of, you know, at one point, the only way to get in the castle was to physically be in the in the office of the castle. And now people are taking their own devices, their own computers and their, you know, accessing the castle from all over the planet. As you know, work becomes more remote and their client base is more remote and everybody wants instant access without any friction. But friction is kind of important to keep the bad guys out.
Hanno Ekdahl: [00:03:21] I couldn’t have said it any better myself. So it’s almost like you want to think of an analogy that everyone can understand, it’s like having brakes on your car. Right? The idea is you wouldn’t want to drive your car at one hundred miles an hour if you couldn’t stop, right? Right. So security really should be like brakes, it’s a fundamental part of running the organization. It doesn’t necessarily have to create friction with customers and your employees. They can have a relatively seamless access experience and get to the assets that they should get access to. But the brakes are there to make sure that bad guys aren’t able to access things and that internal employees aren’t able to access things they shouldn’t access. Like, I wouldn’t want someone accessing my medical records just because they are some staff person at the hospital, for example.
Lee Kantor: [00:04:12] Now, I always thought that this was a problem early on when it came to passwords. Just give me your take on this. If they would have said initially, instead of passwords being like eight characters or six characters, they would say like, make a sentence or, you know, phrase that you recognize rather than letters or numbers. I would have thought that you would have had more protection in an easier way for the person to remember what that password is. And, you know, in a world that requires you to change it, it seems like every 30 to 90 days.
Hanno Ekdahl: [00:04:45] Yeah, that’s correct, so a lot of people refer to that as a passphrase because, like you said, it’s a sentence, right? It could be something that’s meaningful to you personally, and because it’s long and complex, it’s going to be more difficult to hack by brute force. Right, so I can’t just sit there and crank through a set of eight characters at random until I finally crack the password, right? Because these phrases are 20 characters long, maybe even longer. So a lot of that actually came from limitations in IT systems from back in the day when I was coming up. We won’t say how long ago that was, where memory was at a premium, and so passwords were limited to these eight character passwords. And as organizations evolved and our technology evolved, processing power got more advanced. Now, computers are able to just process so many transactions so quickly you can do these brute force hacks that just weren’t possible 20 years ago. So we’re a little bit trapped by this legacy model where computers weren’t so tightly networked and memory was at a premium, and so we did sort of the minimum level of security that we could get away with and still preserve the functionality of the computer.
Lee Kantor: [00:06:05] Now, as things have changed and now memory is probably less of an issue than it was, there’s always this promise of these biometrics, you know, whether it’s my eye or fingerprint or something that’s going to eliminate passwords. Are we getting closer to that kind of world? Can that dream ever come true? Or is it something that we’re always going to be like in a world where someone’s going to text me some numbers that I’m going to have to type in? Is that kind of the future of this?
Hanno Ekdahl: [00:06:36] That’s a very intriguing question, and the answer, I think, is also fairly complex because biometrics originally, you know, the whole fingerprint scanning was really the first one that came around for more general, consumer based access, right? How do you get into your laptop? You can actually scan your fingerprint, but the readers themselves were so primitive initially, they actually could be defeated with a gummy bear or by lifting someone’s fingerprint off a glass. Right now, the technology has gotten more sophisticated since then, but biometrics can also be bypassed in certain ways. Face recognition, all these things are possible. The technology is getting much better. The algorithms are getting more sophisticated. That is more and more becoming a possibility so that you look at your phone, right, and you can get into your iPhone, for example, right? They have that face based recognition. The flip side of that, though, is that you’re also giving up some of your privacy potentially, right? You’re having your fingerprint, your face logged and processed through this algorithm. And so countries like, well, sorry, I should say, regions like the EU under their GDPR and privacy regulations are putting some rules and regulations around what data can be collected and how it can be used. So we actually start getting into a privacy issue because it’s something about me that’s very personally identifiable. How much protection are we putting around that information?
Lee Kantor: [00:08:06] So is there, and I would imagine also as cameras get better, they’re able to make such a great copy of my face that that might be able to kind of be used instead of my face.
Hanno Ekdahl: [00:08:18] Exactly. Exactly, so some of the earlier face based technologies, they were able to defeat it by just using a picture of the person.
Lee Kantor: [00:08:26] So it’s kind of this constant cat and mouse game.
Hanno Ekdahl: [00:08:31] It is. It’s evolving; it’s trying to strike a balance between ease of use, having sufficient security and also protecting the person’s privacy, and sometimes those things are at odds. Which makes for a very complex landscape.
Lee Kantor: [00:08:47] But it’s good job security for you and your firm.
Hanno Ekdahl: [00:08:51] It doesn’t hurt.
Lee Kantor: [00:08:52] It doesn’t hurt. So now what are some of the specific challenges your customers are facing nowadays?
Hanno Ekdahl: [00:08:59] Uh, well, you talked a little bit earlier about the remote working, right, so you have folks who are working from home now, possibly using their own devices to access corporate systems, and those devices may not be patched, they may not be scanning them for viruses. Moreover, if you’re working from home and you’re leaving your laptop open, it’s accessible to any number of people who could potentially get on and copy some data or log in and take away your intellectual property. So there’s a number of risks there that I think are really impacting organizations in ways that they didn’t expect. Uh, part of that also, too, is being able to roll out things like virtual private networks, VPN, which allows you to connect securely to the corporate network and that offers some level of protection by encrypting all the traffic between your home computer and the company network. The problem is a lot of organizations didn’t have enough VPN accounts, and they didn’t know how to get their users enrolled in the VPN solution so they could actually implement it. So there’s been a lot of heartburn. I think organizations have realized that their security models now need to be able to adapt to scale up relatively quickly, and they need to find ways to help manage end user devices and lock down their systems almost on a system by system basis. So I can implement more advanced and sophisticated security to only allow you to access certain applications from your phone, for example. And those considerations weren’t something that organizations really had to think about too much before the pandemic, and then all of a sudden it became front and center, top of mind. And that’s been a big struggle for them to adapt to that reality.
Lee Kantor: [00:10:45] So now is that typically the point of entry for you and your firm, that you know they’re going remote or they’re dealing with remote for the first time, kind of in large numbers, and they need somebody like you and your team to help them think through all of the dangers?
Hanno Ekdahl: [00:11:01] That is an area where we play, so one of the things that we do. One of the multiple domains in cybersecurity, one of them is identity management. And so what identity management is, getting back to your biometric example, where we are establishing an identity. So it used to be username and password. Now it can be username, password and a biometric or some combination of credentials, right? Something you know, something you are, to make sure that we establish an identity for you. And once we have an identity that we know is valid, we can actually automate the processes to provision things to you as a user. So I can say everyone who’s located in the Dallas office needs VPN access tomorrow and then have the system automatically grant that access. And then the system can automatically revoke that access when someone leaves the organization or that need no longer exists. And so we help organizations identify security models that work for them and how they can allocate resources and revoke resources based on security policies in an automated fashion.
Lee Kantor: [00:12:07] And then it can flex, like maybe I’m in the Dallas office, but today I’m in Seattle. Like, it knows that?
Hanno Ekdahl: [00:12:15] Yes, you can actually do some fairly sophisticated things based on location changes, whether it’s tying into a badging system. So we can also manage your physical security and also identify things like which office you’re working out of. So as long as we’re tracking it in a system and I have it available in the IT world, I can make a decision based on that. So we usually call that attribute based access control. And so I can look at a whole series of attributes based on your user session, where you’re logging in from, what device you’re logging in with, and make a decision about what I let you see and not see. And that’s a great way for organizations to manage risks on a real time basis.
Lee Kantor: [00:12:56] Now, you know, like financial and health care, fintech, health care, those seem like obvious places where they’re paying attention to cybersecurity. Do you find that cybersecurity is trickling down into other businesses or other industries that maybe they weren’t as kind of active in that space, or maybe weren’t paying as much attention because they didn’t feel like they had anything worth taking or worth, you know, hacking into? And now that that is changing.
Hanno Ekdahl: [00:13:28] Yes, so I think you can look at the Colonial Pipeline, it’s a great example, right? So that’s part of our critical infrastructure, right? Transportation of oil, the impact of that ransomware attack where they shut down the pipeline. Gas prices in the southeast went to five and a half, six dollars a gallon. There were shortages of supply. I think that made it very real for a lot of people that, you know, anything that’s not properly secured can bring our economy or certainly regions of our country to a screeching halt, whether that’s the energy industry. You mentioned health care, and there’s actually a big exposure there around all the medical devices, right? And so there’s all these different places that organizations are now becoming more aware that, yes, we have to do something. We’re in manufacturing, but our operating systems are vulnerable, right? Our operating technology is vulnerable. We’ve exposed it to the internet because that made our life easier from a business standpoint. But we didn’t think through the security model to make sure that these devices are protected, can’t be hacked and won’t disrupt our operations.
Lee Kantor: [00:14:40] So now what are some of those organizations that are maybe new to some of these cybersecurity risks? How are they managing their situations?
Hanno Ekdahl: [00:14:51] Well, I think the first thing they’re trying to do is get a handle on what their risk exposure is, so a lot of them like to begin with a risk assessment where they’re using NIST, which is actually a U.S.-based federal standard. Others use ISO, which is an international standard that defines these cybersecurity risk frameworks, and they actually do a really nice job of laying out these scorecards, if you will, where you can go through step by step and check all your controls. All right, here’s one hundred and eighty controls that we should have in place. How do we rate each of these areas? So let’s understand what controls we have in place, where we’re lacking. Do an honest assessment and start doing regular vulnerability scans of our system so we know where our weaknesses are and then start patching them, fixing them.
Lee Kantor: [00:15:42] And then is that the services that you provide? Is that what you’re doing for your clients? You’re kind of helping them see where they’re at and then just kind of shore up any weaknesses.
Hanno Ekdahl: [00:15:53] That’s correct, yes, so we’ll spend time doing an upfront assessment, helping them get a handle on what’s going on in the environment. What controls they have. What their capabilities are. Understand where the gaps are and then help them develop a plan to mature their organization from the current state to that desired future state. And every organization is a bit different, right? Depends on which applications are the most sensitive, as well as what data they contain. Is there personally identifiable information in the application or system? Is there health care information? Is there credit card data? The more attractive the data, the more secure you want the system to be.
Lee Kantor: [00:16:32] Now is there any kind of tips or advice you can share for our listeners that they can do themselves? Is there some low hanging fruit that they can be doing to just kind of mitigate some basic risks that maybe people are just taking for granted?
Hanno Ekdahl: [00:16:46] Oh, absolutely. So for the end user, I think sometimes people will click, you know, they get annoyed by having to reboot their machines when they get updates, but it’s strongly encouraged. I mean, you should install those updates promptly to your computers to patch vulnerabilities. That’s why Microsoft and other companies are pushing these updates out. There are some known vulnerabilities they’re fixing with these patches, but if you don’t download them and apply them, you’re leaving yourself vulnerable every time you go online. There’s also a number of virus scanning tools, whether it’s Malwarebytes or McAfee, there’s a number of them out there. I scan my computer on a daily basis. It’s just a scheduled scan that runs in the background. I usually do it in the evenings because that’s when I’m usually not working so much. One of the other things, too, that they can do is thinking about your home Wi-Fi. You may have heard of this; a lot of folks set up their Wi-Fi and they just use the default username and password out of the box. And doing that just leaves you wide open to someone hacking into your network, taking it over. They can monitor all your traffic, capture everything that you’re sending, and just some basic hygiene around setting up a complex password when you first open up that access point or router, if you’re setting up your network, is a huge win.
Hanno Ekdahl: [00:18:07] Two more points. Uh, there is actually more and more multifactor authentication out there for people to use, so you mentioned the SMS text that you get. I am a big fan of setting up multifactor authentication, whether it’s Google Authenticator or a physical token, for anything that’s like financial services or health care. Any place that’ll let you set it up, take the time; it’ll take you a few minutes to set it up. It does slow down the login process, but it really protects your information. And the last point I would leave our listeners with is don’t click on that. I think there’s a tendency: you get a suspicious email that appears to be from your credit card company or your bank or brokerage firm and that says your account’s been breached or you need to reset your password or there’s some suspicious activity. We get excited. We want to click on whatever links are in the email and see what the problem is. I would encourage people not to do that. Instead, if you really are concerned, then log into your bank or brokerage through the web browser just like you normally would, using the saved link, and log in and you’ll be able to see any alerts on your account there, and that’ll really help prevent you succumbing to phishing attacks.
Lee Kantor: [00:19:17] Now, something for folks to understand. The bad guys are now professionals, right? This isn’t the teenager with a Red Bull and some Cheetos goofing around. Like, this is organized crime. This is organized criminal activity that they’re doing strategically, on purpose. You know, they’re whiteboarding. This is a professional operation. This isn’t just, you know, kids anymore.
Hanno Ekdahl: [00:19:46] Absolutely, and so how do you compete with nation state level resources, right? Because some of the hackers are funded by the state, whether they’re coming out of China or Russia or wherever. Back in 2016, the federal government held a commission on enhancing national cybersecurity, where they were trying to evaluate the risk and come up with recommendations, especially to help small to medium sized businesses cope with this, right. And really, the information that came out of this analysis was that we need to have more public private partnerships and there needs to be more resources for the small and medium sized businesses because they just don’t have the budgets to invest to provide an adequate level of security. So there has to be some federal funding or state level funding to help these organizations become compliant.
Lee Kantor: [00:20:36] And then how are we doing? If you look in your crystal ball, are we winning? Is it a draw? What’s happening out there?
Hanno Ekdahl: [00:20:45] I think at this point, we’re losing, unfortunately, if I’m going to be completely honest. The biggest weakness we have is actually people. You know, it’s much easier for me to do a little bit of social engineering and figure out who your favorite pet was from Facebook or whatever, because you answered a survey and you tend to use that as your password. So hacking people is a lot easier than hacking systems. I can invest a lot of money in protecting my system. But if I’m not practicing good cyber hygiene at an individual level, then I’m putting everything at risk. And so the weakest link continues to be people, and companies really are underinvesting in cybersecurity training and awareness for their employees.
Lee Kantor: [00:21:31] So it goes beyond the business, it really gets into their personal life, which goes back to the privacy. It’s fascinating how this is all connected.
Hanno Ekdahl: [00:21:40] Yeah, it’s interesting. I don’t know if it’s a virtuous circle or a vicious circle, but yeah, everything does kind of come back on each other. So, you know, we talked a little bit earlier about the Colonial Pipeline breach, and the way they think that happened is that this employee who had a VPN account was using the same password on their VPN account that they were using on other personal systems elsewhere. And so their other accounts got breached. That information was published on the dark web. Some hackers got a hold of it, figured out that this person worked at the pipeline and, from there, was able to access the VPN and get into the system and launch this ransomware attack.
Lee Kantor: [00:22:23] Yeah, everything’s connected, that’s the good and the bad of this.
Hanno Ekdahl: [00:22:28] Exactly, everything is connected and it’s very hard. It’s not an easy thing to do as people, you know, I can’t remember 50 passwords either. So are you using something like LastPass or another password solution that you can copy and paste encrypted passwords from so that you’re protected? Most people don’t use those tools, but that’s another way you can help protect yourself.
Lee Kantor: [00:22:52] Well, thank you so much for sharing your story today and doing the work that you do. It’s important, and we appreciate you.
Hanno Ekdahl: [00:22:59] Thank you, Lee, for having me. It was a pleasure.
Lee Kantor: [00:23:01] Now if somebody wants to learn more, have a more substantive conversation with you or somebody on the team, what’s the website?
Hanno Ekdahl: [00:23:07] Website is www.idenhaus.com, and that’s spelled i-d-e-n-h-a-u-s. Good stuff.
Lee Kantor: [00:23:18] Well, thank you again for sharing your story.
Hanno Ekdahl: [00:23:20] Thank you so much, Lee.
Lee Kantor: [00:23:21] All right, this is Lee Kantor. We’ll see you all next time on Atlanta Business Radio.
About Our Sponsor
OnPay’s payroll services and HR software give you more time to focus on what’s most important. Rated “Excellent” by PC Magazine, we make it easy to pay employees fast, we automate all payroll taxes, and we even keep all your HR and benefits organized and compliant.
Our award-winning customer service includes an accuracy guarantee, deep integrations with popular accounting software, and we’ll even enter all your employee information for you — whether you have five employees or 500. Take a closer look to see all the ways we can save you time and money in the back office.
Follow OnPay on LinkedIn, Facebook, and Twitter