Episode #67 Getting the basics right with Craig Ford
Craig Ford is an experienced cybersecurity professional with various qualifications; an accomplished author with the books “A Hacker, I Am” and “A Hacker, I Am – Vol 2” from his first cyber security series and “Foresight” a cyberpunk novel published in March 2021; and now works as a senior security architect for Baidam Solutions, currently placed in the ATO.
Craig shares how he became an author; we discuss basic business security measures every company can implement; and what it’s like working for an inspiring and philanthropic company like Baidam Solutions.
Links
Transcript
CP: Hi, it's Claire here, I just quickly wanted to jump in before the episode and mentioned to you that today's guest Craig Ford and I, after I finished recording with him, we kept talking and he gave me a bit more insight into his book, ‘Foresight’. And if you listen to today's episode, this will make more sense. But I just wanted to give a plug for the book because it's a book that's really focused on a central female character. It's really, really important for us to get more women into cybersecurity. And Craig wrote the book 'Foresight' with teenage girls in mind, to try to help them to better understand our industry and get more excited about the opportunity of working in cyber. So, if you have a tween or a teenage girl, the feedback on this book has been amazing. And even if you have a teenage boy, I'm going to sit down and read it with my son. So, I just wanted to mention that before we jump into the episode, because Craig and I had stopped recording and I didn't get to capture that gold from him. So over to the show now and thanks for listening.
Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales, and today's guest is Craig Ford. Craig is an experienced cybersecurity professional with various qualifications. He works as a senior security architect, where he is placed full time at the ATO via Baidam Solutions. In his previous positions, he has managed the Davichi SOC (Security Operations Centre) and incident response capabilities as well as conduct pentesting, security audits and cyber security awareness training for managed clients. Craig is a published author with the books ' Hacker, I Am', 'A Hacker, I Am – Vol 2' from his first cyber security series, and 'Foresight' a cyberpunk novel published in March 2021. He is a freelance cybersecurity journalist who is best known for his work on CSO Australia but more recently as a regular columnist for the "Women in Security" Magazine. I'm absolutely thrilled to welcome Craig to the podcast today.
CF: Thank you. It's great to be here.
CP: So, we've talked a little bit about you in your bio, but I'm very keen to hear about how did you become an author of three cybersecurity books, all of which are quite different. So what's driven you to express your thoughts in this way?
CF: I think if I think about it, probably the initial reason I sort of started to do the writing, which started with CSO itself, with the articles, was more about sharing some of the ideas and thoughts I had that no one else seemed to be talking about at the time. Working for an MSP I went to the, I think it was around 2018 or 2017, the last ACSC conference in Canberra. And they seem to be talking more about the government institutions and those sort of cybersecurity related issues, and they weren't talking about anybody else. And I thought that was bad. I thought we needed to talk about the whole picture, not just the government side of things. So, I pitched an article to CSO initially and they loved it. I think it was a bit of a prod from a colleague of mine that sort of said that they really liked my sort of more story like and sort of casual style of explaining some of the ideas in those articles and that I should sort of convert into the book, which is where the 'A Hacker I Am' series sort of started out, I guess you would say. And it was sort of, I didn't know how successful it would be to start with then it's quite popular, which is great. It's always good that people like your stuff. But yeah, it's sort of really about driving that message. It's sharing that knowledge because particularly when I was sort of coming up initially in cybersecurity, I found that no one was sort of explaining some of the problems and some of the issues in a language everyone can understand, particularly when you're starting out, it's hard to get all that jargon and everything to make sense. And a lot of the some of the more formal cybersecurity books are a bit dry to read. And that's definitely not my style, as you would know, as you've read my book. So basically, I decided, yeah, give it a go and see how it went. And yeah, now there's two of the 'A Hacker, I Am' series, which a third one eventually will be sort of come along as I finish off the cyberpunk series, because I'm writing a second book for that series at the moment.
CP: I haven't read the 'Foresight' book, but the 'A Hacker, I Am' series is really, I guess, pitched at quite a broad audience because it gives the reader 15 really kind of bite sized chapters and each of them has a different lesson to learn. And I really like this sort of light hearted time that you take. Everything in the book goes from sort of mentoring, to cyber warfare, to insider threat. Cyber really does cover a broad spectrum. So, if you think about it from an organisational perspective, where should organisations be focusing their cybersecurity attention?
CF: It's a bit of a sort of a tough question like particularly as an organisation if you're looking at it, particularly if you have a sort of a limited budget and limited resources, I guess. But I always kind of say the same thing, which you probably know from my book. Yeah, basics, I think is the best place to start. And that includes, yeah, sort of yeah, your backups. Yeah, your patching and your updates. But they've also got to include the staff, the security awareness, I think that is probably a big thing that a lot of people miss. Sort of trying to help your staff learn a bit more about it a little bit, sort of more educated and less likely to fall for some of those particularly with phishing and your ransomware sort of attacks these days. That is one of the biggest threats. So the awareness, I think, is huge in that sort of basic level. But yeah, just get you sort of basics, right, forget all the flashy, fancy sort of stuff to start with. And then just, yeah, focus on that. And yeah, I think that's definitely a good start. And then you can move into some of those bigger stuff, as you sort of embed your updates and test them, make sure you test your backups, a lot of people have them and think they work and when they need them, they don't. So yeah, just that's a good tip I think for everybody, make sure you test your backups. And, yeah, just focus on that, I think. And then that is the best point to start and focus your resources and everything there. And then if you have left over and you start getting that embedded quite well, then sort of move on to something a little bit more advanced, if you if you have the resources to do that.
CP: How would a company know that they're getting the basics, right? I mean, is that through as just as you said, you know, they put backups in place, and they might do penetration testing, and they might have a security awareness programme. Is it through testing the, I guess, efficiency and effectiveness of those tools, is that how they know they're getting it right? Or, I guess, how would you recommend that they continuously assess or improve kind of the basics that they've got in place?
CF: Sort of what you just said that I think is probably exactly right. I think you've got to do the testing, like don't just implement backups, or don't just do a patching regime and never check it never tested. Just go back and just spend some time to make sure that they're working properly. Do some restores of backups and make sure they actually work. And when you're doing the testing, and the hardening and stuff like that of the systems, yeah, get pen tests, if you can afford them. Even vulnerability assessments are better than nothing if that's all you can do. Just do whatever you can to sort of check that what you're doing is the right thing, and nothing's ever perfect, that there will always be probably something that is missed. But the better you can push that through and sort of make it as as tough as possible for the the bad guys, I guess you would say, to get in, the better it is for you. So yeah, just make sure that they actually work as you think they do. Particularly with those backups. I've seen it so many times, particularly when, with ransomware encrypting everything. People don't check their backups. And a lot of the time that's why they do the payments and stuff to get their stuff back because they aren't testing those sort of backups. But yeah, it's a bit of another full on conversation with ransomware. But yes, I think yeah, just make sure you test, make sure what you think is happening is really happening.
CP: You mentioned there about how if you can't afford pentesting, then even vulnerability assessments are better than nothing. It's an interesting conversation, because we want organisations to make risk based investments. But there is a lot of businesses who don't dedicate funds to cybersecurity. What's your thinking around that? Because I believe that every organisation should have a dedicated cybersecurity resource. Even if you have everything outsourced. There should be someone inside your organisation, at a minimum one person that is the pillar, the responsible officer, if you want to put it that way. What if those teams aren't getting any investment? I mean, is it just about influencing the people who hold the purse strings? Or what are the options I guess, for organisations who don't have or are not flush with funds?
CF: I kind of agree, I think there needs to be at least a resource, even if it's only a partial resource or something that that does that sort of checking. And, you know, even if they're just checking the backups and checking that sort of stuff, and making sure there's not default passwords and things and just making an effort towards that security, there needs to be at least a resource, like you said. But it is very hard, particularly when they get to sort of a small to medium sized organisation. They don't always have that sort of funding that they put towards that particularly, which they need to. It needs to be a business decision to, I would say invest in that security protection, particularly with the number of events, particularly with ransomware these days, you need to invest in that. It's too late once it's already happened. You need to make those decisions early. But it's hard to get that sort of influence, I think the media and the amount of sort of incidents happening these days are making that discussion a little bit easier for people. But it's definitely trying to convince the people with the purse strings, I guess you say. The Board and the Management and whoever you can sort of pull into that conversation, I think, yeah, definitely do that. But yeah, it's hard to get that sort of win. But I think yeah, the media and the number of incidents is definitely helping with that conversation. But yeah, definitely need somebody looking at that as part of their job. Whether you go to an external source to do that as a part time thing or something. It needs to be somebody.
CP: And you mentioned about how the media is definitely playing a role at the moment in raising awareness for the broader community, I think. You know, previously, there would be pockets of people who had an awareness around cyber security and the threats that were evolving. But now, you know, it feels like it's just so widespread throughout all sorts of media. Since you wrote the first book, how do you feel like our industry's changed and shifted, given every day there's a new threat. But do you feel like there's been a big shift since you wrote the first book? Or do you feel like it's kind of evergreen advice?
CF: I think it's generally the same. I think where the conversations like in the last comment, I think the conversations are probably getting a little easier because of that coverage. But generally, I think that the overall advice and those sort of things is pretty much the same. I think our landscape has changed a little bit because of, like with the pandemic and that sort of stuff with a lot of remote working sort of shift. But generally speaking, I think it's kind of the same kind of advice, we're just probably getting a few more conversations now, because of that coverage. And there does seem to be a little bit from what I've seen a little bit more investment, which is great. And they're sort of pushing that agenda a little bit more, even from the, like the government side and from the large enterprises, that seems to be something that they're sort of pushing as a major agenda, which I think is great news for everybody. But the avalanche kind of thing doesn't seem to be slowing down. And I don't think it's going to. I think it's something we've got to adapt to as we go and sort of try and build our resources around preventing those sort of new threats. But yeah, it's definitely a very busy industry to work in for sure.
CP: They certainly never a dull moment, that's for sure. I want to chat to you a little bit about your work at Baidam. We had Pip Jenkinson on the podcast a few seasons ago, and I think everybody would agree what he's doing, or has done so far in the industry is pretty incredible, both from a cyber perspective, but also from the indigenous side. How did it come about for you to work there? And I guess, what does it mean for you to work in an organisation where their vision, a commitment to improving other's lives is so strong is, is that sort of a guiding light, is it sort of sometimes a lot of pressure? How's that going?
CF: I sort of met Dean and Pip (Philip), over sort of a coffee one time just, they wanted to have a chat to me about my book, they both read it, and they liked it. So it was my book kind of started that initial meet up and conversation with them. And sort of anyone who has sort of met, Pip is basically he's very infectious, his passion is, it's pretty awesome. And for me, it was kind of coming on board was easy. Technically speaking, I do a full time role with the ATO, and I'm sort of connected with the team. And I still do coffees and lunches and catch ups and all their events and everything with them. And I talk to them all the time. And I just think it kind of makes you want to get up in the morning and know that even though what I'm doing by the ATO, or wherever my placement is, at the time, if I'm internal or external, it sort of makes me feel like I'm contributing to something a little bit more. And that sort of passion and what they sort of the social outcomes that Baidam is going for is is huge. And it yeah, just yeah, even though I'm still doing what I would normally do at another organisation, it's just that contribution makes it just so much better. I think they do some great things. And yeah, I love being part of it.
CP: I'm definitely a big believer in having a value alignment with the organisation that you work for. And I love that idea that in the background for you, you know that every day, even though you're going to the ATO, every day you go there, it's contributing to that philanthropic work that Baidam are doing so. And they're growing at such an incredible rate. And, you know, we were saying before we hit the record button that from a client perspective, I don't know how people could say no to Pip, because everything he's doing makes complete sense. So yeah, it must be an incredible place to work and to have such a visionary leader like that is is rare, I think, especially in in this day and age, t's it's definitely worth hanging on to.
CF: Totally agree, yeah, definitely inspiring company. And yeah, Pip and the team, yeah, they are great people. It's great.
CP: Craig, I'm going to put the details of all of your books into the show notes. And also, if people want to go back and listen to Pip's episode, we'll put the details or a link in the show notes to go back and listen to that. But I really want to thank you for your time today. And I've loved your book. And I'm definitely looking forward to the next editions coming out. Good luck with your future writing as well. And I'd love to have you back on the podcast in the future to have a bit more of a chat about 'Foresight' as well. Thanks so much for your time today, and I hope our listeners have enjoyed some of the information that Craig shared with us and will go out and buy his book.
CF: No worries. It's been a pleasure. It's been a great conversation.