Let’s Talk About Digital Identity with Lisa Forte, Partner at Red Goat Cyber Security and Host of the Rebooting YouTube Channel.

In episode 29, Oscar talks to Lisa about her fascinating journey to cybersecurity, the lucrative schemes that hackers and scammers have been employing since the start of the pandemic, the group of volunteers (CV19) she co-founded to help protect hospitals against cyber-attacks with the onset of COVID19 in Europe, and top tips for individuals and organisations on cybersecurity and identity.

They also discuss a new Tomorrow Unlocked documentary that Lisa appears in – Ha(CK)c1ne: Healthcare on the Edge. It explores the shocking cyber-attacks that have hit vulnerable hospitals, healthcare supply chains and vaccine labs since the COVID-19 pandemic. Released on 25th September, watch Ha(CK)c1ne on YouTube now.

[Scroll down for transcript]

“The pandemic is a crisis, but security has to continue. Even though we’re fighting a biological virus at the moment, security still has massive ramifications If you ignore it.”

Lisa Forte headshotLisa Forte is a social engineering and insider threat expert. She is a partner at Red Goat Cyber Security and Host of the Rebooting YouTube Channel. Lisa is a regular on TV shows, documentary films and news broadcasts. Her career started in a very unlikely place, working to stop pirates off the coast of Somalia! She worked in one of the UK Police Cyber Crime Units before starting Red Goat Cyber Security. Lisa is also one of the very proud co-founders of the Cyber Volunteers 19 (CV19) initiative providing free help and intelligence to healthcare providers in Europe during the pandemic, an organisation that has been recognised and praised by Governments around Europe.

Find Lisa on Twitter @LisaForteUK and LinkedIn.

Find out more about Red Goat Cyber Security at red-goat.com.

Watch Ha(CK)c1ne here, embedded from YouTube:

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

­Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host Oscar Santolalla.

Oscar Santolalla: Hi and thank you for joining today. Already in the second week of March, I started hearing on social media news about ransomware gangs that were targeting hospitals in the very beginning of the pandemic and that was really horrible to hear and hard to believe. Today, we’re going to discuss what has happened since then until now because our guest will tell us how we can also protect ourselves, both as individuals and as organisations.

Our special guest today is Lisa Forte. She is a social engineering and insider threat expert. She is a partner at Red Goat Cyber Security and Host of the Rebooting YouTube Channel. Lisa is a regular on TV shows, documentary films and news broadcasts. Her career started in a very unlikely place, working to stop pirates off the coast of Somalia! She worked in one of the UK Police Cyber Crime Units before starting Red Goat Cyber Security. Lisa is also one of the very proud co-founders of the Cyber Volunteers 19 (CV 19) initiative providing free help and intelligence to healthcare providers in Europe during the pandemic, an organisation that has been recognised and praised by governments around Europe.

Hello Lisa.

Lisa Forte: Hello, it’s wonderful to be here.

Oscar: It’s a pleasure having you Lisa and super interesting what we’re going to discuss. But first, I would like to hear how you started, what was your journey to this world of cyber security.

Lisa: So, it was a bit weird because I actually studied Law at university, and I thought I was going to become a lawyer for many years. And then I got a job working for a private armed security company that put armed guards onboard commercial ships to protect them from pirates. I started working there and I started getting more interested in security and more specifically how pirates were targeting ships because they were not targeting them at random. They obviously had intelligence on which ships had security and which ships did not. And so, we started looking into that and gathering intelligence and I got more and more interested in the sort of online side of how this business was operating.

I then moved into working for the UK government in counter-terrorism and I focused a lot on preparing the UK for a serious terrorist incident and how we would handle that as a country. And we also looked at cyber elements of terrorism as well. And that’s how I really got into cyber security. And I then moved into one of the police cybercrime units here in the United Kingdom and from there I just got the impression, the problem was a lot of the attacks that we would have would not be sophisticated or really complicated. They would be the same sort of attack over and over again with the different organisations and I started to feel that my skills could be better used in the private sector.

So, I started Red Goat Cyber Security three years ago and we focused on social engineering predominantly, but also on other aspects of awareness and preparing organisations for cyber attack and training them for how to handle that cyber attack.

Oscar: Why it is named Red Goat?

Lisa: Everybody asks me this. So when I started the company, I was reading a scientific article and it said that researchers had discovered that goats were able to identify intruders into their herd just hearing their voice. So just hearing the goat’s voice they could tell if it was part of their herd or not. And I sort of thought that’s a little bit like social engineering, recognising if an email is from an attacker or from a colleague or a phone call. So we decided to call it Red Goat. And it’s quite funny because some of my clients when I show up to have a meeting, their receptionist will call up and say, “The goat lady is in reception.” So I think that’s quite fun.

Oscar: Oh yeah, super interesting story and the origin of the name of the company. So, we cannot easily social engineer a goat, that’s the conclusion.

Lisa: No, they are very, very good at their defences. You wouldn’t be able to send them phishing emails very easily.

Oscar: OK, they’re hard targets, OK. OK, pretty interesting. Tell us about the European Cyber Volunteers 19 group you’ve been part of.

Lisa: Yes. So, when the pandemic really hit Europe in March, three of us, three friends, we started talking and we started saying, maybe we should all get together and provide some help to hospitals. And initially, this was just going to be as small group of friends who are offering our services to hospitals for free to help them. Within sort of two weeks of starting it we had over 2,000 volunteers in two weeks. It grew exponentially. It’s such an amazing response from the community.

And it was all European based so all European countries. We have volunteers from every European country pretty much who got involved. And it was brilliant because it really showed that in a time of crisis the cyber security community will come together and put our differences aside and give up time with our families to go and help hospitals stay secure. Because we all felt we cannot allow cyber attackers to hit hospitals with any kind of attack during this pandemic. And it was just a really inspiring experience to see everybody want to help. It was brilliant.

Oscar: Sure. Excellent. Your fantastic initiative was the response of the community of course, I understand as you said, people from different countries, different type of organisations working together. So there were real attacks from many countries, most of the countries in Europe and also across the world, I believe.

Lisa: Yeah, sadly. So, we had several situations with hospitals. One hospital, thankfully their Intensive Care Unit was empty, but they had some ransomware that actually shut down all of their life support machines. And thankfully, nobody was in that hospital, in that ward. But had that happened, there could have been deaths.

Oscar: A project that you are now working I know is coming pretty, pretty soon you will tell us is a documentary that I saw the teaser of the documentary, actually I don’t know how to pronounce it’s Ha(CK)c1ne or something like that?

Lisa: Yes. Yes, like vaccine but with hack. Yes. So this documentary really looked at a number of things that happened during the pandemic, namely healthcare providers being targeted and attacked but also their supply chains because obviously, if you have a hospital who relies on masks or ventilators and the company providing that is shut down then the hospital does not have ventilators. So, it’s not just the hospital that’s vulnerable, it’s the entire supply chain. And then we also looked at attempts to compromise accounts that were related to labs, laboratories that were working on the vaccine. We saw a lot of very clever attempts to get to scientists and get into their accounts to get information on the vaccine.

Oscar: In the case of vaccines, for instance, what is the purpose of a hacker to get information about the scientist?

Lisa: Well, I think it’s incredibly valuable information because at the moment, there is no real widespread vaccine that’s had approval. If you compromise a scientist’s account and you manage to get hold of the information on the research that they have done into the vaccine, you could sell that to another country. You can sell that to China, you could sell it Russia, you could sell it to Venezuela or wherever you wanted to sell it for a large amount of money. I think the thing we saw a lot of was a lot of scientists being contacted on LinkedIn by strange LinkedIn profiles trying to get information as well. So, I think it was very valuable from a financial perspective for attackers to get hold of this vaccine information.

Oscar: Sure. Sure. Because actually there are many, both countries and companies competing at this moment for having successful vaccination and being first of course.

Lisa: Yes, definitely.

Oscar: Tell us more about the film itself, who had started the project of the film and how and when it’s going to be released?

Lisa: So, I think it’s going to be released in a few days’ time. I think it’s either the 24th or the 25th of September. We’ve done the press day and everything for it already. It had the three cyber volunteer founders so myself, my friend, Daniel Card and Rad as well. And also people from INTERPOL, people from the EU, people from laboratories, so there was a lot of people involved in the making of this film. And the idea is really to communicate to everybody at all levels that the pandemic is a crisis and it has been disastrous for all of us. But security has to continue because even though we’re fighting a biological virus at the moment, security is still there, it’s still a concern. It still has massive ramifications if you ignore it.

So, I think that’s the problem that the pandemic has had and I’m sure you’ll agree that with working from home and all the other things that have happened to our society, people forget that security is important. We’re only focusing on wearing our masks and washing our hands and things like this. But it’s still very important to make sure your accounts are secure and that you’re using a VPN and that you’re doing all of these other things that we tell people to do usually when there’s not a pandemic.

Oscar: Yeah, exactly. As you said, of course, the focus of people went to wearing mask, work at home, make it work at home, make it possible and several changes in the behaviour of people. But also for instance if you work at the office, you will see from time to time the security officer or the IT person who is going to remind you about security and in this case, it gets a bit more lax, so I think is inevitable that’s why it’s important not only for organisations to remind but people to be aware all the time.

Lisa: Yeah, definitely. And it has been difficult during the pandemic. And we’ve seen that a lot with the cyber volunteers with the hospitals. We have had doctors who haven’t realised that they shouldn’t be uploading patient records to Google Docs or to Dropbox and they don’t realise that that’s a mistake. They just think that are trying to help their patients and they are trying to have consultations over Zoom because they can’t have them in person. They don’t realise the risk to data. They are just trying to help their patients. So, I think there was a lot of problems that came out of the sudden need to lock down Europe. And I think it provided attackers and cyber criminals with a real opportunity to make a lot of money as well, unfortunately.

Oscar: Where can we watch the film when it’s ready? In which platform is it going to be available?

Lisa: It’s going to be published on YouTube and Vimeo so if you keep an eye of my social media accounts you’ll see on the day that it’s released I’ll post it. So, yes, it will be on YouTube and Vimeo so it will be available all over the world.

Oscar: OK. Perfect, it’s going to be quite to be easy to find and of course, we are going to share it as well. It’s going to be excellent. And you are one of the protagonists, one of the person who are interviewed there.

Lisa: Yeah.

Oscar: Yes. Yes, for the ones who want to see you not only hear you like now, they will have the chance to.

Lisa: Exactly. I don’t know if I recommend watching me, I’m better over audio I think instead of coming to look at me.

Oscar: OK. What other ways we are talking since March, since these first ransomware attacks, since then until now, in what other ways are hackers are exploiting the pandemic?

Lisa: So, the other thing we saw a lot of a few months ago was the hospitals wanted to buy PPE so masks and gloves and things like this. And we started to see fake companies being set up, mainly from Vietnam but in other countries as well, selling masks and gloves and other things to hospitals. And one hospital spent just under 200,000 Euros on masks from this company and it didn’t exist. It was all a scam. And we saw this a lot, lots of scammers and fraudsters contacting hospitals and selling cheap masks, cheap parts and ventilators and all these different things and they didn’t exist. It was all a con. And I think a lot of money, a lot of money got spent fraudulently which is a real shame.

Oscar: Yeah, it is. And also remember a few cases in different countries of course and the urgency of hospitals or government organisations for buying this equipment and many of their suppliers, the one that were found and the ones who were also, as you say contacting the buyers were fake. So we can see for instance here that it’s still it’s difficult to know the real identity of the organisation that is trying to make business with you and of course there are still, not everybody in hospitals, in healthcare and also in the government are so aware of doing this due diligence about verifying the identity of this providers.

Lisa: And I think also it’s not just that, it’s the rush that had to happen. You needed these masks tomorrow. It was really urgent. And because of that you didn’t have time to go and start looking into these companies so you had to just trust that it was going to work. And I think because it was so urgent and we were running low on these supplies in Europe, it gave the attackers a real opportunity to make a lot of money. You see this all the time with let’s say, there’s a hurricane or a wildfire or something happens, some disaster happens and you always see these same sort of cyber criminals, scammers taking advantage in the same way each time. And they are opportunistic and this was an opportunity.

Oscar: Yeah, exactly. As you said, because of the urgency, a very short window of time and the attackers are ready to use social engineering, anything they have to exploit these situations. And how criminals are attacking identity today? We focus a bit more on the identity side.

Lisa: I think the issue we have with identity is two-fold. We have a two-fold problem. The first is that now more than ever before, we are posting a huge quantity of information about ourselves online everywhere – on social media, when we sign up to things, we hand over data about ourselves and our identity so many times. And I think we also, as society have a tendency because we have so many accounts to just start reusing passwords because it’s easier to have one password that you apply to every single account, your Facebook, your Amazon, everything, than it is to have 50, 60 different passwords. And I know from speaking to my friends that often that’s what they do because it’s easy.

The problem is you’ve then made it very easy for attackers as well to get into all of your accounts. So, I think the problem we have is today is passwords. I think passwords alone are a not a good idea anymore. And I think we need to move to single sign-on, we need to move to different authentication methods to provide more security, both in our companies and in our personal lives because it’s proved time and time again that a lot of these attacks are just basic sort of credential stuffing attacks that end up getting a hit on the username and password. So, I think we need to really start being more aware of how precious all of our accounts are and protecting them because at the moment I think it’s becoming a little bit like the wild west.

Oscar: Yeah, unfortunately, it’s true what you’re saying. The passwords are still a big nightmare and the way to attack both people and organisations of course. And then other thing you said first was about how we are sharing, disclosing information. Let’s say I’m active on Twitter which is public. Everything I put there is public after all unless I do it private, but that’s not common. But – so I would then put some information about myself, where I live or who I know or what about today et cetera, so someone can collect all this information and make it much easier to attack you in like social engineering or any other way, absolutely.

Lisa: Yeah. I might think guessing your passwords. If you’ve put your names of your family and your dog online, the chances are it’s going to be a combination of something to do with your dog’s name and your family’s name. So, you’re kind of handing all that information over and you’re making their job too easy. I think that’s the problem. I think we have to work so hard for our money yet cyber criminals don’t have to work hard. It’s very easy for them. And we’re making it very easy for them at the moment.

Oscar: Yeah, exactly. We are doing part of the job actually by sharing too much personal information exactly. So, have you heard there are new ways of identity theft?

Lisa: The issue that we have I think generally is, and I’ve had this experience as well, I’ve had people online make social media accounts with my name and my profile picture and then start contacting people asking for information, asking for phone calls, asking for other things. And it’s not me. It’s not me who’s done that. Somebody else has done that. And I think that is a new thing that we haven’t seen previously and that we are now seeing. That these fake social media accounts get set up for people and there’s no way of verifying if that’s me or if that’s someone pretending to be me.

So I think that’s a really big problem. And we do a lot of business and a lot of talking and socialising on social media which I think is a very difficult situation to manage because it’s very, as you’ll know, it’s very difficult to really authenticate who somebody is on social media. And it’s very difficult to say 100% that’s who this person is because you don’t have their email address, you don’t have their telephone number, you don’t have a way of proving that this person is who they say they are.

And one thing we saw with the laboratories who are working on the vaccine was that they were getting contacted on LinkedIn by people who were looking like they worked for their World Health Organization or looking like they worked for another lab, and it was all fake. It was a fake account. We have situations with email that help us filter those emails. We have DMARC, we have other things.

But on social media, all of that goes. I’m starting to believe that social media is the root of all evil, actually. And a lot of our problems in society flow from our use of social media. And I think this situation is becoming very, very dangerous and we’re seeing a lot of people in high value situations – so maybe CEOs of big companies, of investment banks, scientists, university researchers – being contacted and befriended on social media and then they end up leaking information. So, it’s clearly a very lucrative way for attackers to get information without having to go through email.

And I think we need to have a better situation for how we verify and validate different accounts on social media because you’ll probably know from being on Twitter, you could get contacted by people and who send you a message asking for information, you don’t know who that person is. They could tell you they were anybody, but you have no way of really checking that.

Oscar: Yeah, exactly. Two cases you mentioned about social media that someone can, for instance, create a fake account of me. And the other is that they create a fake account that’s of someone who I would trust, someone from you say World Health Organization, OK. I will trust and start a conversation with someone like that. So, definitely the topic of the lack of verifying an identity on social media is quite a big problem.

Lisa: Yes, definitely. Definitely.

Oscar: Moving this to what we have been discussing now towards the enterprise, the organisations, what would be the top things that you would tell to people working responsibly for organisations to prepare themselves from attacks?

Lisa: I would say, first and foremost, train your staff on social engineering. Get them to understand exactly what social engineering is and why it can affect them. Then I think we also need to move away from the simple username and password login situation and have single sign-on, other ways of authenticating because I think we’ve got to recognise that passwords are really not a good solution anymore.

And I think this is also important in your staff, in their personal accounts as well. Not just in their work accounts because I think if they are using the same passwords for their Facebook and their Amazon, the chances are they’re going to use that same password at work. So, it’s much better to say to your staff, turn on 2FA, turn on SMS 2FA, or make sure you use a password manager. Because it’s much better if they get into the habit of using better authentication methods than if they’re lazy and using the same password over and over again.

And the final thing is I think you’ve just got to be aware of what things you have in your organisation that have value. It might be research, it might be personal data, it might be intellectual property, whatever it is, you have to think almost like you’re a cyber criminal yourself and think, “If I was going to hack this organisation, what would I go after?” And once you’ve identified that, you can start channelling all your resources and your money to protecting the data and the people who have access to that data in your company. And I think that’s where we’ve got to start being a bit smarter and thinking like we are a cyber criminal.

Oscar: Yes, we have to. We have to, yes. Otherwise, they are outsmarting us. So, I would like to ask you a final question is some practical advice, if you can give us a tip for anybody to protect our digital identity.

Lisa: Go into your social media accounts and your Amazon and all your personal accounts and go into Security and go and turn on 2FA, because it’s not 100% secure, 100% secure doesn’t exist. But if you have a terrible password but they text you an SMS code that makes you a little bit harder to attack than you were before you had that. So, make sure all of your accounts have at least another factor of authentication on them and it’s not just username and password.

Oscar: Yes, yes, definitely. And as you said many of these services or the most popular services they already offer two-factor authentication. So yeah, there is no excuse for not using that. So, thanks a lot Lisa for this conversation, it’s very, very interesting. The work you are doing fabulous job. I have to commend you about what you are doing. And please let us know how we can learn more about your projects or get in touch with you. What are the best ways for that?

Lisa: So, my company is Red Goat, it’s www.red-goat.com , the website. You can follow me on LinkedIn, Lisa Forte, and on Twitter where I am @LisaForteUK.

Oscar: Perfect.

Lisa: Thank you so much for having me.

Oscar: It was a pleasure. It was a pleasure talking with you, and all the best.

Lisa: Thank you very much.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]