Worried about email spoofing and data hacking of your websites? In Episode #5 of the Digital Cowboys, Cameron Francis and Mark Cohane from SecurityShift.com discuss email hacking, application whitelisting, relying on hosting companies and the risk-based approach to information technology security. Tune in to learn more about cyber security for your business.

Show Notes:

  • Risk Based Approach to IT Security – 00:04:01:26
  • Have an understanding of you business – 00:08:08:07
  • Hosting for small to medium businesses – 00:14:27:07
  • Backing up websites – 00:15:47:10
  • Email security – 00:18:00:05
  • Application Whitelisting – 00:45:22:18
  • How do you know if your site’s down – 00:59:59:24
  • Should business owners rely on the hosting companies – 01:02:30:25

Resources mentioned:


Digital Cowboys Episode# 4 | Cyber Security Safeguards For Your Business

Mark Culhane:

Just first establish where your assets are, what you care about, how much their


worth, and then that actually guides your investment in security. You don’t want


to spend $100,000 protecting an asset that’s only worth $200,000.

Cameron Francis:

So ladies and gentleman, login to your CMS, whatever it is, make sure that the


CMS version’s up to date so it’s the latest version of WordPress, it’s the latest


version of Magento, it’s the latest version of Joomla, and make sure that all of


your plug-ins are updated as well.

Mark Culhane:

That’s a big thing that people often miss out because people automatically go in


their minds to all the hackers are out there to get me, but information security is


about more than that. It’s about the stability of your business.


Digital Cowboys episode four. We discuss everything digital marketing and


growth hacking for small businesses, start-ups, and entrepreneurs. If you want


that competitive edge, then saddle up because Cameron Francis and Sam


Roshan are about to drop some value bombs.

Cameron Francis:

Hey everybody, this is Cameron Francis and this is episode four of the Digital


Cowboys. Super excited today. It’s Saturday. I’m in my office. It’s actually a


beautiful day waiting for the football to start, and I’m joined with Mark Culhane.


Now, Mark is the CTO and CISO at Security Shift. Security Shift is a


Melbourne-based IT company that specialize in secure Cloud services, managed


IT operations, InfoSec auditing, whole bunch of nerd stuff. Mark has a track


record of success at organizations and major projects, including the Department


of Defense, [ARS 00:01:41] Registry, Compuware, and AssetOwl. He has fulfilled


a range of roles like the Head of IT, Information Security Officer, Onsite


Consultant, and Systems Administrator. He’s presented on topics like


information security, management systems, and attack vectors and DNS at


conferences, including the Australian Internet Governance Forum. I was lucky


enough to be his celebrant at his wedding and have spent some time overseas


running amuck. He’s probably the smartest guy I know and someone you can


liken to as Sheldon from the Big Bang Theory. Ladies and gentlemen, Mark


Culhane. Whoo.


Hey, Mark, how are you doing?

Mark Culhane:

Hey. Good, thank you.

Cameron Francis:

Get close to that microphone there, buddy.

Mark Culhane:

There we go, there we go.

Cameron Francis:

What’s going on?

Mark Culhane:

Not much. Just relaxing here in the office, in the lovely eTraffic office.

Cameron Francis:

What’s the biggest news that’s happened to you in the last three, four months?

Mark Culhane:

So it’s been a busy three or four months, actually. Myself and a business partner


actually founded Security Shift about four months ago so we did that through a


couple of acquisitions and a couple of key clients that we have. I also, actually,


had my first baby, a baby boy, yes.

Cameron Francis:

What’s his name?

Mark Culhane:

His name’s Maxwell.

Cameron Francis:

Maximus Aurelius.

Mark Culhane:

No, Maxwell not Maximus.

Cameron Francis:

Sorry, that’s Maxwell. Middle name?

Mark Culhane:


Cameron Francis:

Sorry. So his name’s Maxwell Keanu.

Mark Culhane:

Culhane, yeah.

Cameron Francis:

Culhane. That’s really nice. How come you’ve never told me his middle name?

Mark Culhane:

Because you’ve never asked.

Cameron Francis:

Because that exact reason. You’ve gotta tell me where Keanu came from. Is it


the actor?

Mark Culhane:

It’s actually an Indonesian name. My wife’s Indonesian and Kiano is an


Indonesian name, which represents good luck and good fortune.

Cameron Francis:

So Keanu Reeves, is he Indonesian?

Mark Culhane:

No, it’s a different spelling. It’s Kiano, like piano with a K.

Cameron Francis:

Okay. Is there any lines above any letters?

Mark Culhane:

No, they don’t have that-

Cameron Francis:

No, they don’t do that?

Mark Culhane:


Cameron Francis:

Okay cool. I actually wanted to get you here today because you, as I was saying


in the intro that you know a lot about security, right? And I think that there’s a


little bit of a gap for typical business owners on how to safeguard and keep their


web assets safe. Yeah, first thing I wanted to go through would be what would


you advise, from a security point of view, for typical businesses?

Mark Culhane:

Yeah, so the place that I always start, especially small to medium businesses


businesses is a risk-based approach. With IT security, it’s basically a never


ending bucket of money that you can spend, and there has to be a point where


you say, “All right. I’m not gonna spend that money because I’m not gonna get a


return on investment.”

Cameron Francis:


Mark Culhane:

So the place that I always start, especially for small to medium businesses, is


first, establish where your assets are, what you care about, how much their


worth, and then that actually guides your investment in security. You don’t want


to spend $100,000 protecting an asset that’s only worth $200,000.

Cameron Francis:

Sorry, when you say assets, we’re talking purely online, right?

Mark Culhane:

We’re talking about any informational-based asset. That can be, for example,


your website. It can be your emails and your calendar and your contacts. It can


even be stuff like your brand. You might say, “If we get our website hacked,


that’s not actually gonna influence our revenue because we don’t really get


revenue from the site, but we know that a lot of our customers visit the site and


if we get hacked, then that’s gonna damage our brand value.” And you can infer


some type of financial impact from something like that.

Cameron Francis:

So you would look at your assets and you basically gotta work out what’s the


value to you?

Mark Culhane:

Exactly and it’s not like a perfect science. For example, brand value, it’s always


difficult to pin down to a specific thing, but you can use that as a guide for, all


right, I understand that this is something that we care about to an extent of, say,


$100,000 a year or $10,000 a year or maybe it’s something that’s really not that


material. Maybe it’s only worth $200 to you or something.

Cameron Francis:

That’s really interesting. If I’m a business and I ask myself, “Okay. If my website


shut down and I don’t have it anymore, what impact does that have on my



Mark Culhane:


Cameron Francis:

That’s the question?

Mark Culhane:

That’s the question. That’s exactly what you need to answer.

Cameron Francis:


Mark Culhane:

Because that is how you decide how much money are you gonna spend on


protecting it.

Cameron Francis:

Never thought of it that way. That’s really interesting. Okay, so like, for example,


if my website shut down, I’d reckon that it would have a very minimal impact, to


be honest. I’d just build up a new one.

Mark Culhane:

Exactly. Exactly. So that would mean that you would not want to spend so much


money on protecting that asset, but you might say that if we’re unable to


communicate via phone, so if that phone system goes down, then that might be


something that you want to protect more. When I’m talking about protection,


it’s not just oh, the hackers are out to get us.

Cameron Francis:


Mark Culhane:

Information security is about confidentiality and integrity, so that’s about


preventing people from hacking stuff or preventing people from accessing data


that should be confidential, but the other big one is availability. You can say that


we want to provide information security for our phone system, and that may


not be that important that it’s confidential or it has integrity of its information.


It may be about we need our phones to be up and available and if something


happens, we need a plan for how to get them back online as soon as possible.


Yeah, so that’s a big thing that people often miss out because people sort of


automatically go with their minds to ‘oh, the hackers are out there to get me’,


but information security is about more than that. It’s about the stability of your



Cameron Francis:

Very good. Very good. I can’t believe we’ve never actually spoken about this



Mark Culhane:

Yeah, well, it’s not exactly the most entertaining of topics.

Cameron Francis:

But it’s important though, right?

Mark Culhane:


Cameron Francis:

Okay so, let’s go with our website security. I’ve calculated that if it was to go


down, then the cost, to me, is going to be X, so what would you invest into?

Mark Culhane:

Exactly. So that’s where you generally need some expertise. Like, it would be,


for most small businesses that don’t have an experienced IT department or


Information Security Specialist, then once you’ve decided that, you want to


figure out what the best value for money protections are. To use, I guess, a


well-trodden term, you want to go for the low hanging fruit. You want to do the


stuff that costs the least and provides the highest level of protection.

Cameron Francis:


Mark Culhane:

So for example, having a redundant web server. For example, having SSL


encryption on your site.

Cameron Francis:

Okay. Step one. What should someone do?

Mark Culhane:

It’s hard to say, specifically for a person … You really need to have an


understanding of the business and of what they’re doing. Like I said, you want to


start with the risk-based approach, then you want to start going into those


steps, one, two, and three. For example, most business’s email and website,


generally import online assets, and the reason why we start there is because


online assets are open to attack by everyone. It’s not like your mailbox


downstairs where someone actually has to physically come and access it.


Anyone from all over the world can hit your emails and can hit your online


applications. Just doing some basic security on those things is generally



Cameron Francis:

Let’s put it from a practical point of view. Okay, so I want to secure my web,


hosting and my emails. Where do I go? What do I do? What do I look for?

Mark Culhane:

So, generally, you’ll engage someone or a company to say, “Can you have a look


at what we’ve currently got?” And then they’ll do a basic check, a basic scan.


They might login and-

Cameron Francis:

What are they gonna scan? What are they gonna check? So what are the


questions? Yeah, you know what I mean? What are they gonna be asking?

Mark Culhane:

The big thing, generally, is patching. If you’re running an old version of a web


server or an old version of WordPress or old version of WordPress plugins and


stuff like that, they’re generally vulnerable to automated attacks. So when


you’re looking at someone that’s trying to attack you, there’s different layers.


And the vast, vast, vast majority of attacks are guys, not like really organized


guys, they’re guys that are just doing online scans across huge ranges of the


Internet, not looking for you in particular, they’re just looking for a WordPress


site or-

Cameron Francis:

That hasn’t been updated.

Mark Culhane:

Yeah, exactly. That is just the most basic level of security is saying that I don’t


want to be the most vulnerable person on the Internet because you’re gonna be


the first one to be attacked.

Cameron Francis:

So, ladies and gentlemen, login to your CMS, whatever it is, make sure that the


CMS version is up to date so it’s the latest version of WordPress, it’s the latest


version of Magento, it’s the latest version of Joomla, and make sure that all of


your plugins are updated as well. Before we actually had someone managing


our server itself, we had a couple of accounts that actually got hacked. When we


actually did the analysis and how they got hacked, it was through these bloody



Mark Culhane:

Yeah and it’s not something to be embarrassed or ashamed about. I’ve worked


at really advanced IT companies that do really serious and technical IT


operations, but stuff like your websites and your blogs, they’re not in the


forefront of your mind, depending on what you do. It is really easy to not patch


them if you don’t have it automated. And having things automated is also


difficult because, for example, if you’re a WordPress user, sometimes updating


WordPress breaks your site.

Cameron Francis:

It always breaks your site, all right, especially if you have a lot … Try not to have


too many plugins. Every time it’s updated, something always breaks. It’s just the


way it is and when you do that, you’ve gotta spend and pay money to actually


get the website back to what it actually is.

Mark Culhane:


Cameron Francis:

One of the things that we do is we take a backup of the site, update the CMS


version, update all the plugins, then we just check the site to see what needs to


be changed.

Mark Culhane:

Yeah exactly. Again, with information security, a lot of people focus on these


technical wizardry and all of the cool black magic stuff, but a lot of the best


value comes from just having some simple processes, like what you said. The


simple processes are every week or every month we do patching. When we do


patching, we take a backup, we deploy it, we do this test. This test covers those


things. And just doing that basic process stuff, it’s boring and it’s not sexy, but


that’s the sort of thing that really doesn’t cost a lot of money. It costs a little bit


of time, but that provides a massive increase in your protection. That means


that you’re no longer the primary target for those guys doing random scanning


around the Internet.

Cameron Francis:

Now that we do that, knock on wood and you know, all of that stuff, we haven’t


been attacked and really that’s it. You just check it. Just update it. That’s it.

Mark Culhane:

Exactly and that’s the point where it comes to, again, a risk-based approach. I


would argue if you’re doing that, yes, you’re gonna be much more protected,


but if, for example, China or Russia or an intelligence agency comes along and


tries to attack you or really advanced attacker targets you specifically, you’re


still gonna get-

Cameron Francis:

Don’t skip it. Why would China attack Billy Bob’s Plumber.

Mark Culhane:

Exactly. So why would they bother spending the money on protecting against an


advanced system threat when they’re not gonna be a target for it. I think that’s


a big problem in the security industry is that it’s not really a differentiation


between a small to medium enterprise that doesn’t need to worry about those


threats, and then a big enterprise that’s got thousands of people that does

Cameron Francis:

Okay. There needs to be some kind of tiering and I guess this is something that


… Right now, we’re probably gonna be touching tier one, if that’s what you want


to call it, whatever’s the entry level. Update your CMS. And I know that


everyone has a host or they all have a web development company, don’t rely on


them. You should not be relying on a company that has no say in your business.


That’s your responsibility, as the business owner.

Mark Culhane:

The other thing to be aware of is that in general, the large-scale generic hosting


companies, that offer fantastic prices, if they’re getting, let’s say, $50, $100, or


$200 a month-

Cameron Francis:

You’re kidding yourself, mate. It’s $9 a month.

Mark Culhane:

Yeah, exactly.

Cameron Francis:

You know what I mean?

Mark Culhane:

How are they going to make money if they have to have a system admin look at


your site.The system admin, even for an hour, is gonna cost them, what, $400 in


ongoing costs and all that sort of stuff.$400 an hour for a $9 a month client. It


just doesn’t make sense.

Cameron Francis:

What would you recommend for hosting for small to medium?

Mark Culhane:

So, again, it depends how important the asset is to you. If it is your primary


source of income, then the hosting provider, yes and no, it does matter, but the


fact that what you need is someone either internal to your organization or


external just providing that high level of expertise, making sure that they


actually apply those processes, and being able to understand … So, for example,


if you do a scan of the website and the server and there’s vulnerabilities that


come up, most people are not going to be able to say, “I know what this


vulnerability means. I know that this cipher is insecure because of x, y, z.” It’s


not realistic for a small to medium business to have people like that. In general,


it’s a good idea to get a company like, for example, Security Shift does that.


We’ll do cursory scans of the sites and then we’ll just make sure that there’s


nothing glaring. It’s not gonna provide you with 100% protection. It’s just gonna


get you off that bottom rung of vulnerability.

Cameron Francis:

And again, it’s got to do with risk, right? If you don’t have a level two, three,


four, five risk, then why pay for that protection?

Mark Culhane:

Exactly. Exactly.

Cameron Francis:

Very good. Okay, so that’s from the website point of view. What about …


actually, no, let’s stay on that. Do you think that a business owner should be


backing up their own website and if also they’d be paying someone, that should


be a service that they should be getting?

Mark Culhane:

Again, it depends on the expertise of the person. It depends whether they have


an IT department.

Cameron Francis:

They don’t and they don’t have expertise. Let’s go null and null for both.

Mark Culhane:

Then, yes. You need to figure out how to get a backup of your site because


there’s just an unending list of people that lose their sites, whether it’s through


malicious activities, whether it’s through the hosting company having a


mess-up, whether it’s through them accidentally deleting their website. There’s


so many ways that you can lose assets online and you just need to have



Cameron Francis:

How often, would you say, do it?

Mark Culhane:

Well, the key is to automate it. You shouldn’t have to do it. You should be able


to get it in a place where I know that my site and my assets are getting backed


up every day and not only are they getting backed up, I know that they can be


restored easily and I know how they’re restored. There’s no point in taking


backups if you don’t know how to restore them, right? It is a little bit more


complicated than just, “I’m just gonna make sure that these files are all kept on


this disk.” It has to be also, if we do lose our site, how do we get it back up


online? How long does it take? Is that acceptable for us? How much lost data do


we have? If we lose all of the audience from the day, is that okay or not? There’s


a lot of finer grain detail when you start looking into it, but at a minimum, yes,


you need to have the backup.

Cameron Francis:

I’m just gonna login to our CMS now. We actually have a plugin on our site that


does automatically backup the site and we set the frequency. So I want it


backed up every week at this time and then I want that backup to be stored,


that version, for the next three months, and then they start to-

Mark Culhane:

Rotate it.

Cameron Francis:

Yeah, over … what is the word?

Mark Culhane:


Cameron Francis:

Yeah, overwriting it. That’s enough for me because I mean, shit, if you are not


monitoring after three months that your website, there’s a mistake on there,


then it doesn’t mean a lot to you.

Mark Culhane:

Yes, exactly. Exactly.

Cameron Francis:

Okay cool. So let’s jump to emails.

Mark Culhane:

Yeah, so email is one of the really, really interesting protocol that got created at


the very beginnings of the Internet.

Cameron Francis:

Can I tell you my issue with emails?

Mark Culhane:


Cameron Francis:

We started off … I forget where we started. We’ve got Google Apps, right? And


I’ve got a Mac. So I logged in my emails through the Mac Mail, the issue is being


able to get back my emails, my archives. That’s a problem. I just can’t. So what I


do now … I’ve gone back to Gmail. Gmail has an absolutely disgusting search bar


for previous … It is terrible. I couldn’t do that. I need to have my emails stored,


you know? Just for my own security. So what I’ve done now is every single


email, whether it’s through inbox, sent, junk, trash, whatever it is, every single


one of them’s archived. It’s just in my … I’ve got 34,200 emails in-

Mark Culhane:

That’s quite a lot of emails.

Cameron Francis:

But it’s all there. I know that if I need something that’s been sent or if someone


sent something to me that’s in my junk folder, it’s in that bad boy right there. At


some point, I’m gonna run out of space. I’ll let Future Cameron worry that.

Mark Culhane:

That’s Future Cameron’s problem.

Cameron Francis:

But what do you reckon about emails? What should one do?

Mark Culhane:

So definitely, in terms of storing and backing up, if you’ve got a requirement like


that, in general the Cloud service providers like Office 365 and Gmail, they’ve


come a long way and they’re pretty good services now.

Cameron Francis:


Mark Culhane:

But the interesting stuff about email is how trust-based it is and how much


people believe it more than they should. For example, right now I could write a


little script and send you an email from accounts@etraffic.com.au. So you’re


gonna receive the email to your inbox and you’re gonna see that it’s from


accounts@etraffic.com.au. I’m gonna say, “Hey Cameron, I need you to transfer


a thousand bucks to this account because we’ve got a lot or something.” It’s


amazing how many people assume that when an email comes into their inbox, if


it says it’s from accounts@etraffic.com.au, that it’s from you guys.

Cameron Francis:

You just clicked this here. What I’ve done here is I’ve, this is an email from


BuzzSumo. You click there and it actually has the email. Are you saying in that


it’ll have accounts?

Mark Culhane:

Yeah, you can completely spoof an email. Email is completely insecure.

Cameron Francis:

I don’t believe you. Are you kidding me?

Mark Culhane:

I’ve got a script right here. I can do it for you.

Cameron Francis:

Will it take long?

Mark Culhane:

I’ll figure it out

Cameron Francis:

If you can multitask, I’d be … so what, ladies and gentlemen, he’s gonna do, he’s


gonna send me an email from … This is kinda scary now. You get this from the


government, saying you’ve gotta pay tax, or the bank, log in, and then it would


be a firewall or something that you go to a different site, you put in your details-

Mark Culhane:

Yeah or even just like, so the big thing that’s happening, amazingly regularly, at


the moment, is corporations are losing money because people are spoofing


emails from the CEO and they’re sending it to accounts and saying, “Ah I’m in


Japan or I’m in the Philippines or whatever, I need you to wire this money


immediately.” If it’s a large organization and people never talk to the CEO and


they know his name and they know that’s his email account, they’re just wiring


the money and it’s amazing how often it’s happening.

Cameron Francis:

Yeah, but see. For me, like I would be a victim of this, right? My safeguard, when


you get those emails from the commonwealth Bank or you get those emails


from government, when you do click there and you see it’s from like


aandz-bank-commonwealth.com, you know what I mean? It’s not the actual …


This is where I always look. If you can actually get it so it appears the email is


accounts@etraffic.com.au, that’s really scary.

Mark Culhane:

There are a bunch of controls that you can actually do to prevent that from


being able to be done, but it’s very rare, well it’s not very rare, but it’s very rare


for a small to medium business to implement those controls because-

Cameron Francis:

When you’re saying controls, is this like a common sense, one, two, three step


kind of pattern? So like if I see an email from accounts, the first thing I’m gonna


do is I’m gonna give a call to Carla , ask her, “Did you send this?”

Mark Culhane:

So that’s an excellent one and that comes back to the not sexy process stuff.


That is a control that would … if you had a policy at your organization that said,


“No one can transfer money to anyone without phone verification,” that would


stop the problem.

Cameron Francis:

Okay, so everyone, implement that today and I’m not joking. That’s gonna be


done. The fact that … I want you to prove it. I want you to send. Again, Mark’s


gonna be sending me an email saying, “Hey can you transfer some money from


accounts,” but that’s now a protocol. If money needs to be transferred, there


needs to be phone verification and is that enough of a safeguard?

Mark Culhane:

Yeah, so when you say enough of a safeguard, like there’s a bunch of other


intricacies to it that could mess that up, but that’s gonna cover so much of it


that, for something that’s free and you can implement right away, yeah.

Cameron Francis:

I mean, it’s a phone call. No one’s that busy. It’s a phone call, or even a text, like


“Relax. Not an email.” Can you spoof a text?

Mark Culhane:

Yes, of course you can spoof a text.

Cameron Francis:

How do you spoof texts?

Mark Culhane:

These protocols are not implemented to have authentication of senders.

Cameron Francis:

Okay, no texting for verification of money transfers. Wow. You’re opening my


eyes here, Mr. Culhane. That’s excellent. All right, so we’re looking at … Okay,


keep going through email protocol because this is fascinating.

Mark Culhane:

So email stuff, as you mentioned, the phone call is a great process, way to


protect against that. There are other automated ways. So automated ways are


always a little bit better because that means that you don’t have to do anything.


There’s stuff like SPF records, which set a policy framework, so that’s like a DNS


entry where you specify which servers can send emails on behalf of your


domain, but again, if you’re going down to a small to medium business and you


go, “Can you just implement a SPF record on your DNS.” They’re gonna-

Cameron Francis:

I don’t even know what you just said. They’re gonna look at you like the way I’m


looking at you. Whole bunch of letters there, man.

Mark Culhane:

Yeah, so there comes a point where it’s worth it for an organization to not just


say, “All right. We’ll be aware of this and we’ll make the phone call.” Where it


becomes worth it to say, “We’re gonna get a little bit of help and get someone


in that can do that extra level of automation and that extra level of assurance.”

Cameron Francis:

I think what it would come down to, again, guys, is when you’re talking initially


about the threat, like what is the risk for your business, right? The bigger the


business is, the bigger the risk are. The more money you can transfer, the more


levels there are to the CEO, to the person, to the accounts team. I mean, from


my point of view, and for businesses of similar sizes, then that phone


verification, I mean, really just implement it, right?

Mark Culhane:

Yeah, yeah. Let me touch on the topic of how much large organizations spend


on security. If you look at the Australian Big Four banks and the US banks, they


spend literally billions of dollars on information security. It’s insane how much


they’re spending.

Cameron Francis:

Do you have any data on it?

Mark Culhane:

I’m looking it up. According to Gartner Worldwide Spending on information has


reached 75.4 billion in 2015. They’re spending a lot of money on it.

Cameron Francis:

Wow, so that’s why you chose this industry, huh? Not bad. It’s not bad. And the


digital marketing industry comes in. Well played, sir. So you know how we’re


talking about storing and saving emails, I want some data around that and some


steps around that, and other things that someone running a small to medium


business, up to 100 employees, from one employee, what are some of the


things [crosstalk 00:26:30] just the basic email.

Mark Culhane:

So basic email, of course, storing and backing up the emails.

Cameron Francis:

See, you know how I’m telling you I’ve archived 35,000? I’m not doing that with


every one, right? I really should be, especially if they’re sending emails through


to clients, then I really should be.

Mark Culhane:

One of the great things about the big Cloud service providers like your


Office365s and your Gmail is you’re basically getting unlimited, well not


unlimited storage, but more storage than you could ever need at a price that is


insanely good.It’s actually really simple to set up basic email routing that will


mean that every email that comes in and out of your organization will be stored


in an archive accountwhere it’s something that you can go and look at and you


can go and review and restore if required.


That is, of course, meaning that you’re still trusting that Google and Microsoft


are not going to lose your data. Honestly, for a small to medium business, I think


that’s pretty reasonable. Microsoft and Google have not, to my knowledge, had


any major data loss of clients in the past five years. I think for most


organizations, it’s completely reasonable just to depend on your Cloud services


provider to provide that level of assurance.


If you want to take that extra step, then there’s plenty of tools available to go in


and pull those emails down to somewhere offline. When I say offline, the key


point of that is one of the biggest risks of how you’re gonna lose emails is


through accidental or bad user deletion. For example, if you accidentally delete


your emails or if you’ve got someone in your organization who’s got access to all


those emails, all those email accounts, who accidentally or maliciously deletes


them. Having an offline backup means that you can only send data to it. You


can’t go in and delete data from it. So there’s a lot of services provide that.

Cameron Francis:

Any recommend … We’ll put it in the show notes. What do you recommend?

Mark Culhane:

Best recommendation for small to medium businesses is Amazon’s Glacier


Service. So basically what that is is you can send unlimited data to the Glacier


Service, which is like a bunch of tapes and hard disks and you just send data to it


and it’s almost free to send data to it, it’s like a matter of cents, and then the


only time you really pay for it is when you go, “All right. We’ve had a major


problem. I need to go and retrieve that data.” You have to go through a series of



Cameron Francis:

I’m gonna look it up. How do you spell it?

Mark Culhane:

It’s Glacier, as in like the melting glaciers.

Cameron Francis:

If I type in Glacier-

Mark Culhane:

AWS Glacier.

Cameron Francis:

AWS, all right. I’m gonna put this in the show notes and most likely gonna


purchase it, but yeah, sorry, continue.

Mark Culhane:

Okay. We were talking about … I think we’ve covered backing up emails.

Cameron Francis:

But is there anything else that someone should look for because this is actually,


from my point of view and security and all of that stuff, if someone in my


organization sends an email, I’m liable for the contents in that email, right? It’s


important that I need to have … But then there’s also confidentiality. I can’t just


look up my employee’s emails.

Mark Culhane:

Well, yeah. It depends on your information security policies and your employee


agreements. So, in general, most corporations will have a part in their employee


agreement that allow them, for a specific reason, to go and look at any email


that’s been sent or received to it.

Cameron Francis:

For a reason. It’s like how a policeman can frisk someone if they feel that they’re



Mark Culhane:

Yes, except that this is generally contract and lawyer terms for, basically,


whenever we want. It’s pretty general, but the law strictly says-

Cameron Francis:

Etraffickers, I’m not checking your emails, don’t worry.


Okay, Glacier, checking emails, backing them all up, is there anything else that


someone should … Okay, what about the disclaimer in the email?

Mark Culhane:

Yeah, that is just-

Cameron Francis:


Mark Culhane:

A bunch of bullshit.

Cameron Francis:

I knew it. I don’t have it in mine. What does that mean?

Mark Culhane:

Yeah it’s completely unenforceable. What it means, if you don’t have it in your


email, is that if someone reads your email and is trying to be really formal and


thinks that important then maybe they’ll be like, “Oh, well you’re not a


professional,” but really there’s no legal value to having those.

Cameron Francis:

All it does, it takes up real estate. From a marketing standpoint, use that space


to show accreditations and more links.

Mark Culhane:

I can’t believe it’s lasted so long actually. You know, we’ve got it in our emails.

Cameron Francis:

Do you really? That’s so funny. See, I don’t have it out of laziness, but I love that


I can justify it. Yeah, so, okay cool. So we’ve covered website, covered backups.

Mark Culhane:

Well there’s more in email, there’s more in email.

Cameron Francis:

Okay, tell us.

Mark Culhane:

So some of the biggest attack factors for small to medium businesses, via email,


is not just what we call the spoofing of emails. So the spoofing of email means


that I send you an email-

Cameron Francis:

I’m still waiting for that spoof, just FYI.

Mark Culhane:

Well, I’m talking to you.

Cameron Francis:

Sure, sure. Multitask.

Mark Culhane:

So, there’s that spoofing of email, but there’s also malicious URLs within emails.


So, the reality of the Internet is that if I can get you to click on a link, there’s a


good chance that I can compromise your computer or compromise information


from you. So that means if I send you an email and I don’t even bother spoofing


it, so, say, for example, I pretend it’s from Westpac and I put a link. I make the


email exactly the same as Westpac’s email and instead of it being from Westpac,


I put something that looks very much similar to Westpac. I might send an email


from marketing@westpac.com.000 blah blah blah, and you can’t see the rest of


it. It’s generally very difficult to pick that up.

Cameron Francis:

We’ve all received them. You just go to your junk folder now and you’ll see



Mark Culhane:

And that’s another fantastic part about the Cloud services, the Office365 and


the Gmail-

Cameron Francis:

Their spam folders are really good.

Mark Culhane:

They have actually really impressive. I’m really impressed.

Cameron Francis:

A lot of that would be to do with the volume of emails.

Mark Culhane:

Exactly. They’ve got that massive volume and they can do like heuristics and


detection and figure out who’s sending all this stuff and block it. Yeah, that’s a


big pro for using one of those big suppliers, but still, if you get targeted by


someone, they’re only gonna pick up the mass spammers who are sending those


emails to millions of people. If I decide to be a little bit less lazy and I start


sending those emails, instead of doing it to a million people, I go to the yellow


pages and do it to 10,000 people, then my emails are gonna get through.

Cameron Francis:

Yeah, okay.

Mark Culhane:

Yeah and so there’s a number of ways that you can be malicious with the emails


and some of them might be pretending to be a bank-based email and getting


you a link to your bank interface and you click on the link and it looks exactly the


same as Commonwealth Bank’s login page, and it’s got SSL and it looks perfect,


but yeah, to the untrained eye it looks perfect.

Cameron Francis:

But the URL would be different?

Mark Culhane:

Yeah, but there’s so many little techniques to make those URLs look exactly the


same. You really have to be looking to be able to pick that up and even myself,


as someone that works in Information Security, I don’t trust myself to pick that


sort of stuff up, so I put controls in place that check that.

Cameron Francis:

Is there firewalls that you would put in place or Lehmann’s terms?

Mark Culhane:

No, so firewalls are more of a network traffic control. If you had a firewall, that


would stop all emails coming in, which is no good, but a lot of firewalls do have


an extra module in them that basically checks the URLs that are coming into


your mailbox and checks them for malicious content and that sort of stuff.

Cameron Francis:

So what protocols would you put in place?

Mark Culhane:

You can use services like Proofpoint. What Proofpoint does is when an email


comes to you, you first send it to Proofpoint and they have millions and millions


of emails coming through them and they’ve got a bunch of technology in place,


that before they forward the email onto your actual account for your reading,


they just double check the content and all of the links in it for anything



Cameron Francis:

Why wouldn’t you recommend this to me previously? This is very important



Mark Culhane:

It’s because there’s a list of thousands of those things and-

Cameron Francis:

But we’re only giving the … This is one that you recommend?

Mark Culhane:

Yeah, so it goes through the basics, but yeah, that’s the reason why it’s a


hundred billion dollar industry, right, is because there’s just-

Cameron Francis:

There’s everything.

Mark Culhane:

That’s the reason why I talk about the risk-based approach because if you go, all


right, I want to be safe from attackers, there’s just too much. Where do you


start? There’s just too much stuff to do. Yeah, Proofpoint’s a great one. They’ve


got an essential product that’s free.

Cameron Francis:

What is it? What’s it called? I’m on the site now.

Mark Culhane:

Yeah it’s called Proofpoint Essentials.

Cameron Francis:

Great site.

Mark Culhane:


Cameron Francis:

Could do with some SEO, but yeah, great site.

Mark Culhane:

Yeah. That’s a good one. There’s a bunch of alternatives to Proofpoint, of


course. I’m not associated with Proofpoint. I’m not getting money from them. So


I probably shouldn’t recommend it.

Cameron Francis:

No, no. If that’s the one you recommend, then that’s one that we’ll look at.


Okay, so this is going to help when clicking links from email browsers.

Mark Culhane:

Yes, so that’s one thing it helps with. Basically, that’s just, every time an email


comes to you, it’s first going through a washing machine. Proofpoint is a


washing machine and it’s gonna … There’s a bunch of things. You can either


have it warn you if there’s bad content and still send it to you or you can have a


block or whatever, but basically, again, as we talked about with the websites, it’s


getting you off that bottom level of vulnerability so you’re no longer the easiest


target on the Internet.

Cameron Francis:

We were talking about email spoofing earlier before where-

Mark Culhane:

Yeah, so I guess one of the most misunderstood aspects of email is that I can


send email, myself, from anyone. I can send email as accounts@etraffic.com.au


to cam@etraffic.com.auand assuming you don’t have any other controls in


place, like sender policy framework, etc., etc. then the email’s gonna come


through to you and most people, when they see that the from address is


someone they know or part of their organization, assume that it is from their



Cameron Francis:

This is the scary thing, right? I have received it. I didn’t believe him. It didn’t go


to my inbox because of the spam. Mark’s just sent me an email. First of all, it


says etraffic.com. There’s no etraffic.com.

Mark Culhane:

Okay, sorry.

Cameron Francis:

eTraffic.com.au , but you could’ve changed that, right?

Mark Culhane:


Cameron Francis:

Yep. So there’s that aspect, and then on the email, and I’ve just taken a photo


and I’ll add it into the show notes. It basically says, “Test spoof.


cam@etraffic.com.au. Reply to accounts@etraffic.com.au.” So if I reply to this,


will this go to you?

Mark Culhane:

No that would go to accounts@etraffic.com.au.

Cameron Francis:

But the point is, in the text, because in the body of the email it just says, “Send


me money.”

Mark Culhane:

Yeah, so if I really wanted to try it, then I would put an email like, “Hi, Cam. We


need to pay this invoice blah blah blah blah, please transfer or go to this



Cameron Francis:

Do another one because this is actually both interesting, alarming, and scary at


the same time, the fact that you’ve just done this, right? In some ways, I’m in


the digital text space and I didn’t think that this was possible. Later on, I want


you to send an email from David, saying “Dude, I need you to send me some


money.” And then put our bank details to see if that actually works.

Mark Culhane:

It definitely will. The good part about what you guys have got is someone who


has put in an SPF record in your DNS … So what that does is … Well, the way


how the SPF record is configured means that if the email comes from a server


that’s not listed in something you created, so you can say, only Google servers


can send email on behalf of etraffic.com.au. You’ve got that in place, but you’ve


got it in place in what’s called a soft block, which means that it will still go


through, but it will get tagged as junk or something like that.

Cameron Francis:

And that’s where it went straight through to … So if Claro , our IT guy, didn’t


actually have that in place, with the SPF-

Mark Culhane:

Then it would go straight to your inbox.

Cameron Francis:

Interesting. So, honestly, every business person, get this fixed. This is incredible.


How do people get this fixed, man?

Mark Culhane:

It’s really simple. Anyone who’s technical is listening to me saying, “You’re an


idiot. That’s so simple to fix.” And it is. It is simple, but the reason why I’m


talking about it is because if you’re not someone that knows about DNS and DNS


records [crosstalk 00:40:23]

Cameron Francis:

Hands up. Many people.

Mark Culhane:

Most business owners won’t know about that and it doesn’t mean that they’re


stupid. It means that they’re concentrating on something else.

Cameron Francis:


Mark Culhane:

Yeah, there’s a very simple way to fix it and it’s called an SPF record. The place


where it gets a little bit complicated is what that does is it says, “Only these


servers can send email from eTraffic,” but if, for example, you use something



Cameron Francis:

Why did it still get sent through?

Mark Culhane:

Because the way that you’ve got the record configured is in soft block mode. If


you look at the actual DNS record, it’s got a squiggle instead of a dash, and even


the technical folk that are listening, a lot of them won’t know the difference


between the squiggle and a dash. So the squiggle and the dash means let it


through, but tag it. The dash means don’t let it through at all.

Cameron Francis:

So would you suggest not let it through at all?

Mark Culhane:

No, I actually reckon that the squiggle is fine, especially … It’s called a tilde, not a


squiggle, but it’s fine.

Cameron Francis:

Like waltzing.

Mark Culhane:

Yeah, except in ASCII mode. So, yeah, it’s fine the way it is, especially if you’re


using an email provider like Gmail or Office365. They’ll see your SPF record.


They’ll see that it’s in soft enforcement and they’ll go okay, this is junk or this is


malicious. The place where it gets a little bit complicated and where some


people need help is, say you didn’t know that your IT guy had done this, right?

Cameron Francis:

Correct because that’s his job.

Mark Culhane:

Exactly, and that is his job, right? But, say, for example, you wanted to do an


email marketing campaign and you used a service like SendGrid or, what’s the


other one? MailChimp. If MailChimp and SendGrid are not listed in this record,


then that means every email that you send in your marketing campaign is gonna


get tagged as junk and no one’s gonna read it. So that is another aspect of


information security that is often sort of overlooked. What’s the cost of putting


in that control? Yeah, it’s fantastic that you guys have got it and that email got


put into junk, but I bet my bottom dollar that if you decided to do a MailChimp


or a SendGrid email marketing campaign, it’s unlikely that you would


communicate with your IT guy and make sure that your SPF record is correct so


that those emails don’t go to all of your marketing targets’ junk. Yeah, so that is


an interesting aspect, but all in all, I’d say that you guys were successful in


blocking my remedial attempt.

Cameron Francis:

The fact that it came through though and I don’t think that any of our clients


would actually have this, we don’t offer that as a service, though, right? I saw it,


I didn’t believe that it was possible. It did go through, went to our junk, and


even then it’s got my tailbone up a little bit. That’s really scary.

Mark Culhane:

It really is amazing.

Cameron Francis:

Because that’s a simple thing. You just did that in front of me.

Mark Culhane:

In terms of sophistication of attacks, this is the absolute lowest, simplest … I’m a


little bit embarrassed to be talking about it because anyone that’s really


technical is just like, “Oh my God. That’s stupid.”

Cameron Francis:

But that’s your domain, right?

Mark Culhane:

Exactly. That’s why I am talking about it because we’re not talking to the guys


that understand this. We’re talking to business owners who don’t have $100,000


to pay an IT guy.

Cameron Francis:

They don’t need that $100,000 or IT guy, right?

Mark Culhane:

No, they don’t.

Cameron Francis:

So what do they do to stop this?

Mark Culhane:

Yeah, so there’s a bunch of things that they can do. Number one is if you want


to get some understanding yourself or if you do have an IT guy that’s got no


experience in security, get them to have a look at … There’s a lot of resources.


One of the best ones that I recommend is the Australian Signals Directorate. So


the Australian Signals Directorate is Australia’s version of the NSA. So that’s our


intelligence agency that does all of the offensive hacking and all that sort of cool


stuff, but what they also do is they provide Australian businesses and Australian


citizens with recommendations on how to do basic security, a basic information


security. So they actually publish a top 32 mitigation strategies. So that’s a list of


controls like SPF, what we’re talking about, and patching, and all that sort of


stuff. They provide recommendations on the basic things that you can do. Not


every business owner’s gonna be able to do that, but if they’ve got someone


who has got the basic levels of technical ability, they’re gonna be able to read


that and glean from it what some basic controls are and implement them. For


example, I’ve their top four mitigation strategies up in front of me. Number one


is application whitelisting. What that means is if you’ve got a few staff members


in your office, you want to restrict what they can install on their work stations.

Cameron Francis:

North Korea, sure.

Mark Culhane:

For example, if you give someone a laptop and they’re working in your office,


and they go home and they go, “I’m gonna stream something from, for free” or


whatever. Free streaming sites are terrible because what they do is they use


Flash, which is one of the most vulnerable things on the Internet, or on your


computer, and they’re gonna get breached, so they’re gonna get a bunch of


malware installed on their computer. Most of it’s not that serious, but some of it



Cameron Francis:

Can I give you an example of one? Okay, so, one of my very first jobs, actually, I


was working at Corporate Choice sales company and they didn’t have this in


place and I downloaded [Vuze 00:46:22] and at the office, I thought, Jesus


Christ, this is fast. I’m pretty sure, like, this is over a decade ago, right? So this is


still dialup.

Mark Culhane:

Dialup’s 20 years ago, mate.

Cameron Francis:

Is it? No, it wasn’t. I had dialup around 15, 16 years ago. We didn’t go to the


rich, pretty boy school, but yeah, so I remember I was there and I thought,


“Jeez, this is downloading really, really quickly.” So I downloaded Vuze and I put


on my TV shows. I put on my movies. At that time, they had an Internet plan


where if you exceed X, you pay for every megabyte over, and their Internet bill


came in, and it was a lot. From memory, it was at least $5, $6 grand, and it was


500%, 600% over. Now, because they didn’t have the prevent in place-

Mark Culhane:

Whitelisting, yeah. Application whitelisting.

Cameron Francis:

I didn’t have to pay for it, but that is a perfect example of where this comes into


play and it cost them a lot of money.

Mark Culhane:

Exactly. Exactly. The other aspect of application whitelisting, it’s not just work


sanctions, it’s also the service that you have. So if you’ve got a web server or


something like that, then you need to ensure that, if you have a basic


vulnerability whereby people can do some really basic sort of exploits, you still


need to have application whitelisting in place because that prevents them from


escalating their privileges and from doing something really malicious on your


computer. The primary thing that will happen to small to medium businesses is


their server will get turned into to what’s called a zombie and that becomes part


of a botnet and people use them for distributed denial of service attacks.


If I send out a basic exploit that goes around to and breaches 100,000


computers just because it’s got a really basic thing. I don’t actually have full


control of their server, but what I can get it to do is I can get it to send requests


to another website. Then I say to … One of the famous examples is a lot of the


Australian online gambling companies, on Melbourne Cup Day, every single


year, they get emails from these distributed denial of service guys, saying, “If


you don’t pay us $50 grand or if you don’t pay us $20 grand or whatever, then


we’re going to send millions of requests to your site and no one’s gonna be able


to use it, so on Melbourne Cup Day, no one can place bets.

Cameron Francis:

Whoa. Because that’s not hard to do. Every website can only handle a certain


amount of traffic. That’s why you hear websites crashing. If you send any normal


website millions of visitors, website goes down. They can’t handle the



Mark Culhane:

Exactly and if I’m a small to medium business, there’s no way that … The cost for



Cameron Francis:

Is that a DDOS attack?

Mark Culhane:

Exactly, a distributed denial of service, DDOS.

Cameron Francis:

Very good. I remember because this has happened to us. It was from Russia or


something like that and I randomly went to a site and it was down. I went to


Claro , “Hey what’s going on?” And he’s like, “I’m on it.” He was up really early in


the morning. He said, “We’re being attacked.” He said, “DDOS.” It was just a


whole bunch of traffic. That’s not even hard to do.

Mark Culhane:

No, and amongst information security professionals or whatever, it’s not a


respected thing because it’s something that 14 year olds can do. It doesn’t


require any intelligence. It just requires a willingness to break the law.

Cameron Francis:

So let’s just say, competitor A has a beef with competitor B, then he pays … I


mean, it’s as simple as, “I’ll pay this person to send thousands of …”

Mark Culhane:

100%. There’s thousands of services. They’re called DDOS for hire and you can-

Cameron Francis:

DDOS for hire. Don’t Google that.

Mark Culhane:

Yeah, I don’t think we’re helping the Internet.

Cameron Francis:

But how do you safeguard against it?

Mark Culhane:

That’s one thing that I can’t give a small to medium business a simple fix for.

Cameron Francis:

Can I attempt? Can you just say I don’t want traffic from Russia?

Mark Culhane:

Yeah, you can, but so the problem is that-

Cameron Francis:

Or I don’t want traffic from Uzbekistan?

Mark Culhane:

Yeah, so the problem is that wherever you have control up to … So say you have


control of your server or even if you’re a little bit more advanced, you have


control of the router in front of your server, then you can control that part and


say, “Whenever traffic gets there, I want to drop it if it’s from a certain area,”


but what happens with denial of service attacks or distributed denial of service



Cameron Francis:


Mark Culhane:

Is they throw so much traffic that the point of failure is not where your control


is. The point of failure is gonna be the Internet service provider just before


where you’re in control, so there’s really nothing you can do about it unless you


pay … Another sad thing about the information security business is now, to


counteract these distributed denial of service groups, there’s a bunch of


companies that offer DDOS mitigation, and basically you pay them thousands of


dollars a month to, when you get under attack, you route all your traffic through


them, and they have huge amounts of bandwidth and they can filter that all out,


but basically you pay for the privilege of being able to devote your traffic to


them and then they clear it up and send it on to you. But that’s getting onto-

Cameron Francis:

But you know what’s interesting? DDOS mitigation, Australia, searches per


month, it’s only 50.

Mark Culhane:


Cameron Francis:

Yeah. Yeah. I agree. But you use it as a guide. It’s no exactly 50, but the fact that


it’s that low, and it’s that important.

Mark Culhane:

Yeah, well, of course it depends … Let’s go back to the risk-based approach.

Cameron Francis:

But if it happens once, right? So risk-based approach, how much will it cost your


business if your website is down for a day?

Mark Culhane:


Cameron Francis:

How much would that cost you? If it happens once, okay. If it happens twice,


okay. If it happens three, do something about it?

Mark Culhane:

Well, yeah.

Cameron Francis:

If it happens often, then someone’s got a boner for you.

Mark Culhane:

Even if you assess the risk. So at an organization I previously worked at, we did


not actually come under a DDOS attack, but we assessed the risk of, and


likelihood of, it occurring, and we decided that just the risk of it occurring was


sufficient for us to pay, and we ended up paying $120 grand a year just for the


mitigation of that risk. It’s not realistic for every small to medium business that’s


gonna pay that, but when you start moving up. So say your business is making


$2 million a month or $3 million a month or whatever, then it really-

Cameron Francis:

You can’t afford for your site to go down.

Mark Culhane:

Yeah, it’s like insurance.

Cameron Francis:

Do you still get DDOS attacks now? Have you ever had one?

Mark Culhane:

Yeah, we’ve had a lot of them. What? When I say we, the company-

Cameron Francis:

Stop making enemies, man.

Mark Culhane:

That’s the thing. It really is sort of random. Because of the ease of the attack and


the people that are doing it, are just doing it every day to whoever they can, and


it’s just extortion.

Cameron Francis:

Is it malicious or is there a reason behind it?

Mark Culhane:

No, it’s purely malicious. It’s just basic extortion. It’s we’re gonna attack this


company because we think that they’re gonna pay us.

Cameron Francis:

So when you’re using, is it the TAB or whatever Melbourne Cup example?

Mark Culhane:


Cameron Francis:

Do they pay?

Mark Culhane:

Yeah, I believe so.

Cameron Francis:

They pay for terrorists? They’re funding terrorists?

Mark Culhane:

Well, it’s extortion. They’re paying for Internet gangsters.

Cameron Francis:

Wow. What would your advice be to them?

Mark Culhane:

Well [crosstalk 00:54:11] My ideology is that you should never pay them.

Cameron Francis:

I agree because then they’ll just keep on doing it.

Mark Culhane:

Exactly. It just keeps on doing it. And then, the sad part about it all is that if all of


the Internet service providers actually agreed, as an industry, there’s a very


simple way of preventing it ever from happening again, but the fact of the


matter is that there’s too much politics around it all and instead of just doing


the basic simple fix that could be implemented, we still all have to deal with this


problem and we have to pay extortion one way or another, whether it’s through


paying the criminals or paying the guys that-

Cameron Francis:

To fix it.

Mark Culhane:

Well, the guys that charge you for the risk mitigation. Anyways.

Cameron Francis:

So, no, but that’s really interesting as well. Really, really fascinating topic. What


would Mr. and Mrs. business owner, what should they do?

Mark Culhane:

Mr. and Mrs. business owner, don’t even worry about it. Until you actually have


a problem with it, don’t worry about it too much and don’t pay unnecessarily for


a DDOS mitigation service that you can’t really test, you can’t really ensure


works, and costs thousands of dollars for something that may or may not


happen. I would recommend not doing a DDOS mitigation service, but back to


the topic, the reason why we’re talking about that is because application


whitelisting is something that prevents your server from being one of the


servers that contributes to those attacks. So that’s just being a good Internet


citizen, is application whitelisting. Same thing goes for patching systems.


Ensuring that your WordPress, ensuring that your web server, whether it’s


APACHE or NGINX or whatever, ensuring that the operating system are all up to



Cameron Francis:

So, let me piggyback a bit because I don’t think that a lot of people would know


that, and so what the general population would do is they would be either, so


there’s two. So they’d either get a BlueHost, GoDaddy, CrazyDomains, or they


would pay for a company that has their own server, like us for example, and


then we manage that for them. Those are the two, but they wouldn’t know any


of those [crosstalk 00:56:30]

Mark Culhane:

Exactly. So when you say that and the business owner says, “Well, we don’t have


the resources to do that. I don’t know how to do that.” If you go with a managed


service provider like a GoDaddy or a same company like that, then they


basically, for better or worse, take care of your lower level patching, like your


operating system and your web server and that sort of stuff.

Cameron Francis:

Do you know why I don’t like those? How many sites would be on one of these-

Mark Culhane:

Exactly. Exactly.


Cameron Francis:

And, how do you know you’re not sharing a server with a porn site, a gambling


site, and your website, that trickles through. That affects a lot of different




Mark Culhane:

100%. If you’ve got a business that makes money online, particularly through a




Cameron Francis:

No, but it’s not just makes money online. That’s lead generationMark



Exactly. Very good point. If you’ve got a website that’s a


valuable asset to your business, whether it’s revenue generating or otherwise, if


you say, “All right. I think this website is worth $10,000 a year or $100,000 a


year or whatever.” And you’re paying $7 a month for hosting.

Cameron Francis:



Mark Culhane:

Why do you think that there’s service providers that provide a higher level of


service at a higher price? If that shared hosting was fine, there wouldn’t be a


market for better services. There are downfalls to it. I’m not gonna go through


them all right now, there’s no point, but if you care about it, at least you’re


engage a company that’s gonna give you the support and tell you, “All right. You


need to be aware that your WordPress is not patched. You need to be aware


that you’re getting DDOS. You’re on your own IP address so you’re not gonna


get blacklisted because there’s some other site going around.”

Cameron Francis:

Very important. Actually, you know what? From a marketing perspective, it


actually affects your SEO.

Mark Culhane:

Of course.


Cameron Francis:

No, it does because if you’ve got a site on the same server as you and they’re


getting spammed like you wouldn’t believe and they’ve got all of this negative


stuff, that trickles through to you because-

Mark Culhane:

There’s so many aspects to it, as well, because most of the search engine,


especially Google, for example, they’re gonna say, “Is the person searching for


your site in Australia? Is your server in Australia? Does it have its own IP


address? What else is on that IP? It all affects everything.

Cameron Francis:

We’re actually doing some SEO for a customer and we’re doing everything right,


we’re ticking all the boxes, doing a normal A to B, C to D, and their results were


not what we expected. Some person recommended that we get them off, I


would say X server provider, and get them onto someone else, and it had an


immediate impact.

Mark Culhane:


Cameron Francis:

Immediate. And if you think of your website as a revenue generating tool, it’s an


asset, not for branding, not just for [crosstalk 00:59:36]

Mark Culhane:

Well the other argument to that is if you’re paying $9 a month for hosting, then


the hosting provider does not care about your service. Well, they care about


your service, they don’t care about your website.

Cameron Francis:

No, they don’t.

Mark Culhane:

They’re not gonna go overboard.

Cameron Francis:

But if your site goes down, do they notify you or do they try and … That’s a


really important aspect, right? That’s what I wanted to talk about as well. How


do you know if your sites down?

Mark Culhane:

Good question. It’s a lot more complex than is your site down. If your site-

Cameron Francis:

It’s A or B.

Mark Culhane:

No, it’s not A or B. That’s an amazingly complex question for something that’s so


simple. For example, one of the hardest things to pin down when you’re


providing … Say you’re providing a government agency or a large organization


with a really hugely important application, and you’ve got contracts in place that


say this site has to be available 99.9% of the time or 99.9999% blah blah blah.


How do you establish whether the site is available or not? Does that mean that


when you go to the site, if it responds in 20 seconds or 30 seconds, is that



Cameron Francis:

Okay, I see what you mean.

Mark Culhane:

If it responds with an error, is that available? If all of the pages, except for one,


works, is that available? There’s a lot of intricacies to it and-

Cameron Francis:

But would it be to do purely with the server because everything else has got


nothing to do with the actual hosting company itself?

Mark Culhane:

Again, that depends on how valuable the asset is to you. At Security Shift, we


manage some extremely high-value assets and, for example, government


agencies say this is something that handles legal tender, we cannot allow that to


go down. It doesn’t matter if [crosstalk 01:01:33] That’s the thing. If you’ve got


the money to spend, then, for example, we have multiple honed routes to our


site so if our ISP and three other ISPs go down-

Cameron Francis:

But what was the … Obama Health?

Mark Culhane:


Cameron Francis:

That went down. [crosstalk 01:01:53]

Mark Culhane:

The Australian Census, that was a massive one. So the Australian Census was a


huge disaster. They spent hundreds of millions of dollars setting up the census


and telling everyone to do it, and then when everyone went to it, it was broken.

Cameron Francis:


Mark Culhane:

I guess the point that I would make there is that when you’re seeking help, you


need to go to someone with a good track record and who’s reputable. Even the


Australian Census, that was done by IBM and when they did the investigation on


why all of that failed, most technical people would say it was remedial things.

Cameron Francis:

Let’s talk to Mr. and Mrs. business owner. Should they just be relying on the


managed hosting company to just be on top of it?

Mark Culhane:

If I-

Cameron Francis:

Or would … I think we use Pingdom.

Mark Culhane:

Yeah, Pingdom’s a good external monitor. You also want to have internal


monitoring. So you wan to know if you’re going to run out of disk space. You


want to know if you’re running out of resources on your server. There’s huge


amount of effort you can go to. Load balancing, Any cast/cost (?) connecting to


your site. You can do so much stuff. And, again, it’s that risk-based approach


whereby you say, “This is how much this is worth to me. This is how much I’m


willing to spend on doing it.” Then, you need to find someone who is capable of


saying, “All right. I understand this is how much it’s worth. I understand this is


how much you’re willing to spend. Now I’m gonna put the most cost-effective


controls in place to provide you with what you want for the money that you


want to spend.”


In general, you want to find someone, a company that’s technically able to do


that. There are a lot of companies that do it. Finding people that are capable of


doing it is the hard part.

Cameron Francis:

What would expect the cost to be? Don’t give me the risk analysis.

Mark Culhane:

You have to because for example, at Security Shift, we have clients that pay


upwards of $60,000 a month for hosting versus people that pay $10 a month for



Cameron Francis:

Yeah, but I think the people that spend $10 a month for hosting don’t actually


understand what they’re paying for and they just see the dollar amount, right? I


think that this is gonna help them understand if that goes down … Hosting’s not


just hosting.

Mark Culhane:

Yep. If people want someone like Security Shift, our business is really focused


not so much on small to medium business. We do offer services for small to


medium businesses, but at least we can provide … If someone wants help and


they say they need help, then you can contact us at accounts@securityshift.com


and we will point you in the direction of someone that can provide you with the


service that you’re looking for. It might be us. It might be someone else.

Cameron Francis:

This was really fun, man. I really loved it. Do you want to add some final words?

Mark Culhane:

Yeah, I think we’ve gone through it all. Obviously, if you need some help,


contact us at securityshift.com, but yeah, otherwise it’s been fun.

Cameron Francis:

And really, really good luck everyone. Everyone, this has really opened up my


eyes on the email that Mark sent me from my accounts team, just opening my


eyes up of the fact that your website can be hacked really easily, DDOS attacks,


research it. Just look into it. Don’t just rely on that $10 a month hosting account


and thinking that you’re safe because there’s so much more variables to it.


You’ve gotta think, how valuable is your online asset to your business?

Mark Culhane:

Sorry. One more thing that I will say is to all the technical people that have been


frustrated with me talking about the very basic exploits and vulnerabilities,


strong recommendation to listen to the Risky.biz podcast, made out of


Melbourne by Patrick Gray. It’s one of the best podcasts I can recommend, so



Cameron Francis:

He’s adorable. Thank you very much, Mark Culhane.

Mark Culhane:

Cheers. Thank you.


Thanks for listening to the Digital Cowboys with Cameron Francis and Sam


Roshan. Now, if you enjoyed today’s episode, head on over to iTunes and give us


a five star rating and please, write a review. Also, head on over to


digitalcowboys.com.au, where we post the latest episodes and content pieces


for all of our listeners. So saddle up and join us next time for another edition of


the Digital Cowboys.

Download Show Transcript

Google Rating
Based on 48 reviews