I'm back. Welcome, everyone around the world, to Ask the Howlers, episode 30. We're on the VMware channel. How awesome is this? Episode 30: Securing Your Financial Data This Holiday Season. And yes, we are live, 6:48 p.m. here, and to everyone joining around the world, it's such a pleasure, of course, as always, to host you all again. For those who don't know me, my name is James Alliband, senior security strategist and manager of product marketing at VMware. Just before we dive into the session, remember this is a cyber security expert roundtable where trusted advisors (I've got three of them today) and security strategists discuss the latest threats and security challenges, providing actionable tips, resources and, of course, most importantly, answering your questions. Last time we were out on the VMware channel, Rick, Tom Kellermann and I, this was back in June 2021, we were discussing the Global Threat Insights Report. It's so good to be back. So just before I introduce my guests today, I want to remind you, of course, we've got the Q&A running, but you're going to be able to ask your questions live today to all of our guests, and we're going to answer a few of them later. Also, of course, my ask is, when you're posting in the Q&A, tell us what country you're from, tell us what state you're from. It's great to see everybody around the world, see all the countries' flags, who's joining the session, where you're listening in from. So add where you're from, which state you're from, what country you're from and where you are in the world. So with no further ado, let's take some time and individually introduce my guests today. First off, from all the way in Southern California, we have our principal cyber security strategist here at VMware, Rick McElroy. Rick, of course, influences our VMware security strategy and discusses the VMware security strategy with CISOs around the world, and of course I'm also proud to say, just in recent times, that Rick is also a veteran of the military after serving
in the Marines. Rick, thank you for being on today.

Hey, thanks for having me, James. Super happy to be here. Let's talk about some scams and frauds. It's going to be great.

Right, should we get another guest on? Let's do it. Next we have Karen Worstell joining us from Denver, Colorado. Karen is an esteemed author of security books, including your amazing Itty Bitty Book for Personal Data Protection. I feel like we're going to need some abstracts from that book today, Karen. And of course, Karen, you've served as a CISO for the likes of Microsoft, AT&T Wireless and Russell Investments. Today Karen spends her time influencing CISOs around the world on topics from zero trust to stopping security operations teams from burning out. Karen, thank you for joining me today.

Hey, James, it's so great to be here. I'm really excited about our topic. I can't wait to get started. It's gonna be so much fun.

And finally we have Eric O'Neill. Eric, of course, is best known for obtaining the smoking gun which led to the arrest of Robert Hanssen, America's first cyber spy. Today, while selling thousands of books worldwide, Gray Day, the undercover mission to expose America's first cyber spy (get your Christmas orders in), he also operates as VMware Carbon Black's national security strategist. Let's wait for Eric to jump onto the stream. There we go, there it is.

I wasn't trying to make a Hollywood entrance there. That had nothing to do with me. Great to be here, James. Karen, thank you, good to be on a screen with you. And man, it's almost Black Friday, and these fraudsters are out there. The scammers are getting ready, so we need to as well.

Yeah, exactly. It's timely to have this conversation. Well, of course, ladies and gentlemen, it's an absolute pleasure to have you on the stream today. As I said, and of course with our listeners, our listeners know what I do. They know how I start this off, and of course I'm going to start with an icebreaker. No surprises anymore. Let's jump around
the room. Karen, I'm going to start with you, ladies first, of course. What's the number one thing that you're looking forward to this holiday season?

Oh my gosh, I'm in Colorado. Yeah, we have mountains to get out in, and yeah, I'm still looking forward to spending as much time as I can up in the Rockies, snowshoeing and skiing this season.

Awesome. Rick, how about yourself?

You know, the McElroys are spread around the globe. I don't know, we're everywhere, and so a bunch of us actually happen to be meeting up at my brother's house, so I'm super looking forward to getting to hang out with my nieces and nephews, who are all super young and I don't see often enough.

That's awesome, especially so timely as well, like after the pandemic and everything like that, we had to spend time with people. Eric, how about yourself?

You know, for me it's just spending that quiet time with my immediate family. Last year, during the height of the pandemic when the schools closed, my wife took my youngest two to Germany and lived there for six months, and my oldest stayed here with me for six months. So we were a split family, and I'm looking forward to not being that this holiday season and being together.

That's amazing, that's amazing. For myself, well, you'll see this isn't my familiar office, as I do move into my new house in three weeks, so I'm super excited for spending Christmas sorting out my new house. That's gonna be pretty awesome. It's been a long way. Let's jump in, because of course, as we know and our listeners know, every year this time of year, Black Friday (Eric, you mentioned it earlier), the world flocks, typically online, starting around October time, ready to spend billions and billions of dollars on food, presents and niceties for the family and, of course, for friends as well. But we all know that cyber criminals, of course, are opportunists, and the holiday period just creates massive opportunity, of course, for putting our financial data at risk. Rick, can you
kick us off today? We all know that cyber criminals are opportunists, but if we dive straight in, why is the holiday season just so prevalent for attackers when people are spending their money online? Why is it the holiday season which makes it such a big opportunity?

Yeah, well, look, I think normally there's a scarcity that occurs with certain items, you know, during Christmas anyway. I think when we were kind of doing our practice run for this session we brought up, you know, the one off the top of my head, which is like the Furbys, or, you know, Beanie Babies. I mean, we can go all the way back to Cabbage Patch Kids when I was young. People, yeah, right, people were fighting in stores. And so I think under normal circumstances you have this sense of urgency, and, you know, great parents and grandparents looking to source some items for grandkids and kids, now compounded by a global pandemic that has also caused some massive shock waves to our supply chain. And so now hard-to-get items are even harder to get, and that becomes the right playing field for these scammers, fraudsters and criminals to take advantage of.

Yeah, no, exactly. And Eric, you want to jump in there? We spoke about the Furby example there, but can you think of some other examples, in the sense of why we'd be drawn in and why hackers and bad actors would just use that opportunity to ultimately steal our data?

Yeah, precisely. Every year there are a number of unique scams that are out there. This year I'm tracking one that the FCC has been warning about. It's tracking delivery scams. So basically these are delivery notification scams, but they can be calls or texts, because now we do so much of our online shopping on our phones, sitting wherever we are, that the attackers have started using text. It's harder to do a lot of the diligence you need to do when you receive one of these scam emails on your phone, but if it's a text,
especially if there's a link to a tracking number, and this is what we're looking at right now. We've got millions and billions of packages that are going to move around in the next couple of weeks and months, and a lot of it is being dealt with online. We're tracking our packages through text numbers and emails, and what's happened is the scammers will send you a fake tracking link, and it'll look like it comes from UPS or FedEx or whatever delivery service you want. If you click on it on your phone, thinking, oh yeah, I want to see what's coming, because you ordered 10 things and you're trying to manage when they're coming, it'll take you to a fake website that'll ask you to enter your personal information, and they'll steal that information that way, or it could just start installing malware on your computer. It also gets worse. We're going to see a lot of voicemail messages or phone calls where scammers are pretending to be part of a delivery service, and they're calling to say, we had a problem with your delivery from UPS, we had a problem with your delivery from the postal service or from the post, and we need you to pay a customs fee, or we need you to pay a tax on it, or a re-delivery fee, and try to get your bank account number, your credit card number, so that they can charge that delivery fee, and now they've got your information. So we're going to see a lot of these scams, and we're going to see them even more at a time when the pandemic has thrust us into our homes and we're ordering more things online than ever before.

Yep. Yeah, you know, and I think one of the things I just wanted to jump in and add is that we are doing, like you mentioned, so many things on our phone. Cyber criminals are super smart. I mean, they actually aren't just kind of randomly sending things out hoping that they're going to land somewhere, but they know who they're sending their things to, and we know from analyzing, you know, the cyber crime threat that they are very targeted,
very specific and very niched in who they're going after, even after children. So if you happen to be in a certain market or you happen to be in a certain demographic, they're gonna target their messages so it looks like it's tailored for you. It makes it more believable. So that, you know, we're just at the time where we're dealing with probably lots and lots of messages, we're trying to get a lot of things done in less time, we're going to be quickly going through things, and they've essentially made the rerouting... we're so used to being redirected now. Like if we make an order from our text and we get redirected to a site, and we get redirected to a site, they'll redirect you to a number of sites, makes it look super legitimate, and then all of a sudden, bam, they'll get you on the site where they'll either download the malware on a click or they'll steal your information. So yeah, it's going to be really tough on people, especially on kids.

Yeah, and remember, we just talked about texts and calls, and this constantly happens over email. Beware the emails you receive and clicking those links and opening those attachments. The rule of thumb is always, if you suspect anything (I mean, I never click on the links anyway), go directly to the website. If it looks like it comes from the post office, then go to the post office and manually enter the tracking number there instead of clicking through on a link. It's just a smart thing to do now when these scams are out there.

Yeah, I love that. Like, err on the side of caution. Like if there's anything in an email that makes you nervous, don't open it, don't click on anything, don't reply. Just, you know, table it if you have to and come back to it later, or delete it, but don't take action on the thing. Because every single time we get something from scammers, what they're trying to do is, they do two things that we always fall for: they create a sense of urgency and they create a problem. And as human
beings we are wired to respond to urgency, especially if it's an emergency, and to try to solve a problem for somebody, to be helpful. So that's why this works so often. That's why it continues to happen, because it does work, right? Very effective.

Exactly. That's one of the great examples of that that we've seen a lot in the last year, more the year before, but it's the police phone call. So you get a call, usually it's a grandma. They're going through social media and they're finding grandparents, and they get a call at home or on their cell phone that says so-and-so (because they've gone through your social media, they know what your grandkid's name is), you know, little Rick is in prison in Guatemala, you know. Or they pretend they're him and say, I'm in prison in Guatemala, it's a bad connection, you know, I just need some money so I can deal with this. They say that if I pay them a little I can get out. Please don't tell Mom and Dad. And, you know, everyone out there is probably thinking, I would never pay that, but you'd be shocked at how many people fall for it, particularly if little Rick has all this knowledge about the real person, because they've gone through all the social media profiles, all the data that we just throw out there and provide for scammers to use. It's a massive wealth of it.

Yeah, yeah. What do you guys think is going to be the biggest issue going on this season? Sorry, James, I jumped right in there with a question.

No, actually, you carry on.

I think one of the ones I think about is counterfeit products, right? So you're actually receiving a product that's broken, or, you know, purports to be something on a, you know, less-than-optimal website, right? You purchase it, so you get a fake product and they steal your credit card information and are able to do things with that. I also think the other prolific one we see almost annually is the publication of holiday apps that are
scraping data off your phone. Yeah, so whether that's a Santa tracker or whatever the case may be, look, I won't endorse any one of the major manufacturers more than another one. However, that being said, if you find that the application associated with the holidays was published in the last two months, maybe skip installing that on your phone, and at least err on the side of something that's existed, that's been out there for a while, that people have been able to test.

Yeah, one thing that happened... okay, go ahead, James.

One that came to mind, Rick, came to mind when you said about counterfeit products, and I'll take it one step further, because I actually received possibly the best text message over the weekend, which was: we've got a potential supply chain issue with turkeys this Christmas in the UK. It came to light and I was like, okay, well, we went out and got a couple of turkeys, put them in the freezer, and then I had a text message on the weekend: order your turkeys today from this legitimate website to make sure you get them at Christmas. It takes it one step further, because only on BBC News last week they were talking about turkeys and talking about the fact that the supply chain is good, and, you know, Eric, you mentioned it earlier, like the supply chain is so broken, there's actually a vast amount of opportunities. And like you mentioned earlier, grandparents could not imagine Christmas without the turkey in the middle of the table. Well, they're gonna, you know... the text message is so targeted, and it, you know, brings me to a question as well that I really wanted to pick your brains on today, around: targeted campaigns typically are always so successful, and yet for me it's like they never look great. You know, okay, I'm probably savvy in the sense of being in the industry as well, but why do we think that targeted campaigns, especially when we think about the audience as well today, why do we
think that targeted campaigns are just so successful year after year after year?

Well, I think, you know, one reason for that is it's generational, James. You know, previous generations were just more trusting, right? And also had to retrofit their lives for technology, right? So if you took the boomers, they didn't grow up with a whole lot of technology, had to adopt that. Gen X sort of was that hybrid, and then now we have what I'll refer to as the native technology generations, the millennials and Gen Z, where, you know, from a very early age it's presented to them, which does present some other interesting issues I think we'll talk about later in the broadcast. But I do think some of it's generational. And then honestly, you know, people have picked on, and, you know, forgive me for using this term, but people have picked on senior citizens for a long time. There's targeted funeral scams when someone dies, and insurance scams, and all of those things. And so Eric does a great job talking about this in his talk, and if you haven't seen one of his keynotes I would absolutely suggest that you do. But, you know, to steal a little bit of his thunder, all the attackers have done is modernize their tactics using technology, right? And so it's the same thing. They're lying to you to get you to do something. They just happen to be using the tool of technology to enable that, right?

Yeah, it's a vector to get that scam right in front of you, and what they're trying to do is... look, I often talk about cyber security in terms of counterintelligence, because my background is, I'm a spy hunter. I used to catch spies and now I catch cyber spies, right? And the idea is that you are fooling a person, but you're using technology as a vector to get that trick in front of the person, to get that social engineering attack in front of the person. And that's why email phishing still is the top way that most cyber attacks
occur, is getting someone to click a link or open an attachment on an email that they trust. But, you know, the interesting thing is, many of the attacks we've talked about today already have a framework put in place: the texting scams, the email scams, as Karen said, creating a pressure situation. Actually, I'm paraphrasing a little, but I like to say that, you know, don't examine your security in a pressure situation. They want to create that sense of urgency, which is what Karen said and is completely correct, that sense that I can't take the time to relax about this. If I don't do this, something bad is going to happen. I'm going to have to pay, you know, $480 for something I didn't order. Or what was happening last year, the biggest scam last year was, get in line for your COVID shot, get in line for an antibody test. That was the first thing, before we knew anything about COVID: the government is going to have antibody tests, here's where you can register. And then you go to the registration site, and of course you're putting in your social security number, you're putting in a credit card, we're just going to put a hold for the ultimate payment. And people were doing this because they were afraid of the disease, and they felt like, if I don't do this right away, if I take the time to think, then I'm not going to be getting a spot to get something that I need for my health. And that's what the scammers are looking at. They want to put you in that moment where you just... if you had the time to take five minutes to look at the spelling mistakes, the grammar mistakes or the blurry logo, maybe you would think, oh, maybe I shouldn't do this. But if they can trick you, if they can get you to feel like you're gonna miss out on something, or something's gonna cost you a lot of money if you don't do it, people do it. And it turns out that statistically 25% of people, no matter how good their training is, click on those links.

I wanted to pick up on something you just said there, because, you know, the mistakes,
the spelling mistakes and everything in those emails, and we think, how stupid, how could somebody send those out, like the Nigerian prince emails?

Yeah, they've been around forever. They're still around because they work, right? Here's something I learned about this in the marketing training, and that is, Nigerian prince emails are not actually a mistake or sloppy. They are very intentionally crafted to target a very narrow niche of people who are careless about details and greedy. Yeah, and that's their niche, and that's the people who click on the link, right? So it still, it might not do anything for you, but it's definitely going to hit a group of people that fit that profile. So yeah, these things are carefully crafted. And there's been times, maybe you haven't ever clicked on one of those links, Eric, but I have, and it's like, what, like, oh yes, right.

I had a sandbox, of course. Believe me, I have. And then the second you do it, you realize, oh crap, and now you're going through and changing all your passwords and scrubbing your computer.

Right, yeah. I think you brought up a good point, Karen, around greed, because I think that's the other lever they pull, right? So you'll start to see more and more of these show up, whether they're on social media groups or some sweepstakes offer. So again, going back to common sense, because a lot of computing and interactions are common sense: if it seems too good to be true... yes, if you think you're going to be the one human on the planet that gets an Oculus Rift when no one else is, yeah, it's probably not going to happen, and you're entering all this information, right? And so again, I think be realistic. This year there's going to be shortages all over the place. You know, maybe talk to your people, maybe it's a gift-free year, I don't know what the case may be for your family, but I think if you think you can get
to the front of the line on something, there's a good chance you're probably being scammed.

Yep, definitely. I'm taking a segue on that, because I know for our listeners, especially being on the VMware channel, Eric, I wanted to pick your brains a little bit around the dark web, and really digging in, like let's give a real overview. What is the dark web? We hear about this thing, we hear about the dark web all the time. What actually is it?

Certainly. Well, you know, the dark web's an interesting place, and I know Rick's going to jump in too, I know he's done a lot of research in there. It doesn't exist in a physical space. There's no land, there's no property, there's no brick-and-mortar store for the dark web. You can't go into a store in some back alley and say, hey, I'd like to buy a kidney, but you can on the dark web. You can buy virtually anything there, from an attacker for hire... and at the beginning of the pandemic we were seeing a lot of schools get taken down by denial of service attacks and ransomware attacks, and traced back to some kid who decided they didn't want to take their test that morning, so had their school Zoom-bombed or their school network taken down so they couldn't do Zoom learning. Everything from that to custom malware, malicious software that is built for ransomware. There's complete business verticals, from developers to distributors to customer support and service, to an entire financial infrastructure to collect money in cryptocurrency and get it in the hands of everyone who works through these verticals. And to get to it you have to have a particular browser, a little bit of know-how, but virtually anyone can find themselves there if they want to. The interesting thing about the dark web, and, you know, one thing I can say is it's led to this massive epidemic, or pandemic if you will, of ransomware we've been suffering the last number of years, is it's incredibly lucrative.
It has made fortunes for criminals, and it's now, according to the World Economic Forum, the third largest economy on earth. So let that sink in, right? It still goes to the US and then China, you know, and those two are sort of on top and bouncing, the US stays on top, you know, good for us. But it goes US, China, dark web right now. Not the UK where you are, James, not any other country. The dark web is the third biggest economy on earth, and that scares the hell out of me.

Yeah, yeah. And, you know, I always like when scammers scam scammers, so don't think that they don't do this activity to each other as well. One of the ones that I've tracked for a few years is, if you go on the dark web you'll start to see marketing campaigns around tumbling and cleaning your bitcoins that, you know, you've gotten through ransoming or some other illicit means. Or you'll see, like, hey, you know, if you give us X number of cryptocurrency in this form, we'll give you, you know, bitcoin. So again, scammers are going to scam, and that's what they do. But yeah, there's a lot of scams around actually trying to tumble your money and hide it from law enforcement as well.

Right. I mean, if the dark web wasn't a place where... you know, it's also a place where many of the criminals are learning. They can learn from each other, they can buy attacks from each other, entire attack toolkits from each other. Someone will develop it and just wants to sell it somewhere for others to actually launch the attacks, because then they don't have to deal with collecting the money and trying to move it through crypto while it's fast enough that the FBI doesn't track them down. So it leads to further cyber attacks. And, you know, the interesting thing is, this is despite the fact that I think half the people on there are criminals and the other half are security or law enforcement trying to catch them. And Interpol, with US Cyber Command,
has been very successful in recent months in capturing some of the most prolific cyber attackers, but it continues. And I think that the old statistics were that the cost of cyber crime by the end of this year (we're almost there) will be six trillion dollars, and we're gonna exceed that amount, right? That was an old prediction a few years ago. If you take that out the next five years, it will easily double. So in five years from now it'll be over 12 trillion dollars, and that's a lot of money that could be spent in better places, especially during a time when we're in the middle of a global crisis.

Could I just bring something up really quick, in case there's anybody watching and listening that is thinking that it might be kind of a cool thing to go take a look at the dark web? Like, even if you assemble all the tools, and you get a throwaway computer, maybe, or not, just don't do it. Yeah, like, you just don't do it. It's going to invite so much pain and trouble in your life by getting started there, because I can tell you from the experience we had when we were monitoring a group of people that were planning to do an attack in Seattle several years ago: we were watching them, they were watching us watch them, we were watching them watch us watch them. Like, it just goes back and forth. You're not ever going to be surreptitiously browsing through the dark web, so just don't do it. Don't.

And I think to add to that as well, it's, you know, as Eric, when he said about this, it got me thinking, like, cyber criminal academy, you know, in the dark web. But jokes aside, in that sense, I always kind of try to relate to it as well. I think, Karen, you make a really, really strong and good point, and I want to emphasize that: I think about, like, you know, physically, you wouldn't go and think about joining a gang. I really hope our audience isn't going to join a gang, like a physical gang, right? Because, you know, you
know what the mentality is like, and yes, it is like the films. Unfortunately, once you're in, it's extremely hard to get out as well, and I want to make that emphasis: don't go in in the first place. There's a lot of good that can be done by being out. And, you know, really, to be clear on that, Karen, just bringing you back in as well here, because I think we've got kind of the emphasis of the dangers around the holiday season, and, you know, ultimately we'll talk about the top tips, we'll talk about what people should do. But let's think about, okay, the worst has happened. Someone's clicked on a link in a text message. They go, oh crap, I've clicked on the link. What should they do next? What's the practical advice that we can give them from there, that they should do next?

Well, one thing I recommend that everybody does is that they monitor, or they set themselves up to have monitoring for free with a group, or a website, called Have I Been Pwned, and we can put the link somewhere in the notes so people can see that, because I get notified from them the second that my email and maybe my password goes up for sale. So as soon as that happens, or as soon as somebody has a breach and my stuff is in it, I get notified. I get notified way before, you know, any of the other services that you pay for will tell me. So I would suggest that everybody do that right now, and that way at least you have the notification. I have a set of things that I really recommend people do, because if you're like me and you lose your social security number, like I did in 2002, you want to be sure that you have documentation and things so that you can quickly move through the financial system, talk to banks, talk to the Social Security Administration, or anywhere where you have a government, a national identity number or card or anything like that. You want to be able to be prepared, yeah, because you're going to
need... if you do have a compromise and someone does pick up your data, they're going to be imitating you. I have a person, his name is Domingo Rodriguez, and he pops up as me all over the place in my life, and every now and then it's a very surprising letter I get from somebody telling me how I owe them money. So you just want to be prepared for that, and it's going to happen to a lot of people. I mean, ever since Equifax had half of the United States population lose every single kind of sensitive information that they possibly could in a breach, you know, it happens. The government's lost our info, the credit card companies, everybody's losing your info. So just kind of assume that it's out there. That's the best thing you can do. And get prepared to deal with it when you do become aware of it.

It's an awesome comment that just got left as well. I just wanted to bring this up, because when we're thinking about fake websites, fake emails, just remember as well (and I'm kind of saying this to the audience, but I think it's such a good point) that, you know, these holiday websites, like, you know, get the latest PlayStation, get the latest Xbox or whatever, they have real PayPal buttons on there, they have real, like, trademarks copied and pasted at the bottom. They're really made to mimic: when you click on the PayPal button, it takes you to PayPal, and so on and so forth. And think about, again, the time and the engineering that goes into making sure that we're actually, you know, getting fooled by this. And it goes back to exactly what Eric said earlier: that one link can kill you, in that sense, in the long, non-literal term. But, you know, that link... just go to the website, go to the actual website, search for it yourself, see what the stock levels are. Let's think about protecting
ourselves now, team. Let's think about protecting ourselves. We've probably scared the audience enough today, and we probably don't want to do that anymore. It's the holiday season, but Black Friday is coming up, so we're hoping that we're getting ahead of the time. We've got a few people joining us today. Let's go around. Let's think about how people can protect themselves. What are some simple things we can do, some simple things that we can take forward, nothing too complicated? I don't mind who wants to kick this off, by the way, but whoever wants to kick this off: simple, simple things we can do from now.

I'll take the easy one first: passwords and multi-factor authentication. Now, what is that? That's a big $64 word, right? What does that mean? It just means that you're not just using a password to log into things, but you have a second thing that you use, whether it's a text message to your phone or a token or, you know, something that comes back and says, are you really who you say you are? So make sure every time you have an opportunity to set that up that you do, because it's going to thwart so many of these attacks that try to come in and steal your information. So I would go for that. And for the passwords that you do use, make sure they're really, really good. I like to always use, you know, a password... I have a password algorithm that I use that is always what I use when I have to invent a new password, or I have Google do it for me, but I'm not going to say what it is on the air.

Yeah, don't do that.

But find an app, find your little formula of substitutions that you use for certain things. It's like a little substitution cipher, and use that for creating your long passwords. And I'll tell you, make it a complex password and don't make it like six characters or even eight characters. Make it really long, like a passphrase, because we did a little experiment here with a bank-grade secure password that was 16 characters long and we broke it in 24 hours. So,
yeah you know make it complex make it long and make it yours don't share it with anybody else yeah passwords are passwords are horrible passwords are useless passwords don't work uh you know here's the problem with passwords and and i constantly in my talks denigrate the password don't like it think we need to get rid of them i think we need something better if you don't have multi i want to follow up something karen said if you don't have multi-factor turn authentication turned on for your most critical accounts every email account every bank account everything that matters to you think of it as all the things that you lost in your wallet if you know all the work you have to do when you lose your wallet even if no one has it you just can't find it you have to call all the credit card companies you have to call you have to get a new driver's license you have to worry someone might have your driver's license all those all those accounts you have online that matter to you if you don't have multi-factor authentication turned on you're going to be in trouble and here's why people tend to reuse their passwords karen said use multiple passwords come up with an algorithm use a password manager something that has distinct different passwords for everything because you will lose your username and password in a breach they are all there for sale on the dark web hundreds and hundreds millions of them are there username specimen the the website um have they been peoned is great because you can check and see if your your email address uh is is in there and and they'll show you your password that's for sale on the dark web i just want to tell one story about a big ransomware attack that you may have heard of with um colonial pipeline it happened in may of 2021 this was the big company that moves gasoline from the west coast to the east coast the united states they were hit by a massive ransomware attack where they had to shut down their operations for a few weeks gasoline 
couldn't move across the united states here in the east coast we couldn't fill up our cars in the pump uh it was only a few weeks but people panicked you might have heard silly stories on the news about people filling up trash bags full of gasoline because they were in that pressure situation they were they were panicking there was chaos the way the attackers got in is by buying a user account a a remote access account that the company had uh from the dark web probably cost them 20 cents total for the username and password that is how they got in and they uh they demanded a 4.4 million dollar ransom for that 20 investment the uh username and password did not have a multi-factor authentication turned on for it so all they had to do is buy from the dark web type it in and they were in and so we have to be extremely careful we need to take care that we're adding that second layer of protection in the future i think we won't have passwords i think we'll have something else and you know and you can also use not just the text that comes to your phone but these great authenticator apps that you install on your phone i mean everybody admit it you're never away from your phone ever it's always theirs that you can always use it to log in when you have to and that's what i think the future is going to be and i think indicator apps they're not that hard to use sorry i just wanted to make sure like you might be thinking this sounds really onerous and difficult try get someone to help you if you don't know how to set it up on your phone get someone to help you it's actually not that hard and and using it i use authenticator for a whole bunch of things and um yeah i love it so it's not that it's an easy thing yeah i agree karen i think that's an area that infosec has shined over the last 10 years it's making crypto easier to use and understand it was i you know if you remember all the way back to like the pgp days and onerous and people were like i don't understand it now pretty 
good protection yeah yeah it's point-and-click i i would say you know uh here's here's pieces of advice i give people around me not in a corporate setting um number one uh probably from a personal perspective it makes no sense to allow anyone to hit your credit so you can turn that off through any of the major services you can turn it on when you actually need to you know get new credit um so so i think that's pretty good preventative control and then i would highly recommend that if you have access to them and can use them uh use an ipad versus a windows box with a good vpn installed um if you're really paranoid reboot that ipad once a week because uh as far as we know uh the advanced persistent threat actors can't gain persistence on a mac os system uh so if you reboot you actually boot out the root kit that's installed already um and have a clean system so i do i do say to people who have the choice between uh you know a macbook and a windows box there's just more stuff that runs on windows today right so it's not a combination of anything it's just if i had to measure per volume of things i'm going to escape to an operating system that has less things that uh are a threat to it and then i think vpn is just a solid usage for anybody out there we know um advanced uh groups and non-advanced groups are targeting home networks the pandemics really highlighted that since it's all part of our business network now so um definitely on your personal devices get a vpn yeah oh yeah and if you've had comcast come and install your router or any of your service providers for internet make sure you have somebody show you how to go in and change the admin password on your router because they set it up with a default that's published on the web and everybody knows it so exactly be careful routers are interesting be careful when you are you know this is one that's popped in my head but there was a great story be careful when you are accessing routers that are free public routers 
that are free right so there was this story a few years ago about a very famous coffee shop we don't name names it wasn't their fault anyway but they uh uh they were getting a lot of the people going into that shop were getting their identity stolen and massive credit card bills and so they went after the servers thinking that maybe they were uh taking pictures this is what will happen sometimes is someone will you know for example if you leave your uh purse or your backpack and you run to the bathroom someone can go in your bag and take a picture of your credit card and the back with the code and now they they're gonna start charging things on it so they thought maybe it was sort of server fraud but it wasn't what had happened was the the coffee shop was up against an apartment building and the guy who shared the wall with it put his own router on the wall named it the name of that coffee bot coffee shop and made it open and people were connecting to his router that he controlled right and he was capturing all their transactions so you do have to be careful um that's why like rick said using a vpn can protect you from those sort of things he can't capture your traffic if it's if it's going through an encrypted vpn so always use one of those if you're going to public router yeah well like and hotel coffee shop oh yeah who tells us just don't use it unless you have you know you know that you have the right security things in place on your machine like a vpn to protect you and me and a firewall and that your operating system is up to date and patched we can open a can of worms now can't we on that one and you know what just like really simple things as well and i was at the the joy of being on the train this morning so 6 55 on my way to london and i went to the toilet went to the restroom and looked to my left and somebody's laptop had been left there not locked completely open and you just look at it and you go and like my instant thought is like on my days like 
like come on like this here and again like really simple things you're going to walk away from your laptop lock it yeah just like did you do that that's like the the modern example of uh you're through the parking lot and you see someone who left their lights on you go try and see if you can open their door and turn their lights off somebody leaves their laptop like that you just sort of close the clam shell help them out a little bit change the background on their desktop once my manager when i was in the research group they left their unix machine open when they left the office for lunch they didn't they didn't shut it down or lock it and we went in and we installed ren and stimpy sound files oh that's awesome um every time every time they opened a shop it's like you notice they're idiot so you could do that before you close the climb shell yeah there these are you know these are conversations yesterday yeah these are simple tricks but i mean they have massive ramifications i i'll take you back to 2016 when the united states was in the middle of that election attack uh where where staffers all over the place were being compromised by by intelligence services one of the ways that that a foreign intelligence service was able to gain access to staffers accounts who had good cyber security and were being very careful was to surveil them follow them and when they went to a hotel they set up at the hotel and compromised the hotel's uh network and so when when the staffers uh went into the hotel and then accessed the hotel's you know free wi-fi they were able to compromise them that way so you know attackers will find ways to get to you um but but but there are things that you can do to make it very hard for them and it flips the narrative doesn't it it's really kind of we're driving into a world now where we we all have a security responsibility it doesn't matter what you do for a living it doesn't matter where you are take that responsibility on you take that emphasis 
on you whether it's your corporate device whether it's your personal device whether you're using an ipad whether you're using the windows but whatever it doesn't really matter in that sense i think the narrative here and i think the biggest take home from all of this is take that responsibility you've got it within yourself to take that responsibility it's really simple things and you know kind of sitting here going well there's really simple things because actually these attacks sometimes are really simple we get count we get caught out karen you said it earlier like these attacks are so simple rinse and repeat rinse and repeat and guess what they catch people out every single year you know and that's that's the point take it upon ourselves and if that's my take my message from that today is take it upon yourself listen to the advice do the really simple things lock your device use a vpn you know make sure that you're not clicking on links and you should you know check the email address if it's got amazon 321 probably not legitimate all of these things which are really really really useful points let's go around the room let's do a one top tip to protect ourselves in the holiday season then we'll wrap this thing up eric do you want to go first sure i will go first i think i want to go back to something that happened to my wife and i during the holidays holiday season and this this is stepping away for cyber for just a minute and i want to follow up on something i i said you know you have to take care of your physical assets as well don't leave that laptop open don't leave your uh backpack with your wallet in it on a table while you run to the bathroom in a coffee shop or an airport um we this happened no it probably wasn't me but i'm not going to say who but it happened to us somebody apparently went in took the driver's license and and credit card uh copied them and the next thing we knew we had a bill for ten thousand dollars from a little bed and breakfast 
outside of london uh where they they charge three different charges on the credit card because you know we we have our limits set so that you can't charge x amount just so this can't happen and they did it three times the bed and breakfast you know to their to their horror accepted it and when i called my bank and said we this wasn't us we weren't in london you know the fraud alert the um the scammers got away with the money they got stuck with the bill i actually called the bed and breakfast to ask how it happened the scammers had sold the uh information to a fake travel agency who arranged a um a country uh you know um evening out and a breakfast and a tour of the countryside all inclusive for some travelers um who who went and stayed the bed and breakfast had nothing to do with it thought they were dealing with a legit uh travel agency but they were dealing with a someone who stole credit cards and then used them to set this all up charged it all to the bed and breakfast who got who ended up getting stuck with the costs and couldn't afford it so you have to be extremely careful about where you leave your stuff that it's not just the cyber spies and criminals out there it is uh the real criminals uh you know they're all real criminals but the the physical criminals who who would love to get their hands on it they certainly still exist especially james i think you brought up an excellent point um about responsibility right i have a responsibility when i turn the ignition on in my car and take that out into a public street into a public freeway we teach classes around defensive driving right we i know that um when i was teaching my son to drive i certainly imparted that uh there's a lot of threats intrinsic to your safety and health uh and life and you got to take that seriously right so so telling our kids things like don't text um so i think a lot of the uh prescriptive things that we're telling people are fairly simple right uh you know setting up a vpn fairly 
simple i think most people can walk through that mfa i've certainly got my mother-in-law who's 80 years old attached to mfa it's great she has less questions about when she buys a consumer device and brings it into the house so i do think defensive driving for technology is needed but again i'm going to go back to install a vpn now i won't recommend any one particular one go do some research consumer reports has a a good five-star rating for those but pick one and uh protect your network traffic at least yeah and a lot of the companies that you might be using for your cyber security a lot of the big companies will give you a free one yeah it's great pointer great point karen so i would say uh the number one thing i hear from people is who would want my data who would want to target me you know i'm just nobody so why would that happen and i will tell you a really short story when i was in grad school i was finishing my master's thesis my husband had taken the children uh to the grandparents for the weekend and i went across the street to borrow the neighbor's printer so that i could transcribe all of my files and get them printed for my thesis because it was finally finished and the computer where i had done all of the work was still running back in my house and as i was in the yard across the street i heard the door be broken in on my house like this crash i didn't realize at the time what it was but it was thieves had breast busted down the door and cleaned out every electronic including my running computer and taken it with them with which had my master's thesis on it i know it's going to have that backed up i had the only known copy of it was on this drive this floppy drive that i was taking across the street to get printed okay i still graduated but what i want to tell you is make a backup go to costco or go to your local discount store wherever you need to go order it online and get one of those like one terabyte drives that you can plug into your computer and 
get a backup of everything it's going to help you in case you get hit with ransomware yeah keep that back up offline so that it won't get contaminated and just use your periodic backups to to update it but yeah a backup is going to be invaluable to you because you never know when you're going to get hit and and believe me it's indiscriminate nobody's going after just certain sets of people they're going after any opportunity and whether it's a physical home break-in or whether it's a digital break-in you're as likely as the next person to be a target so do what you can and also make sure you go out to amazon you can get a copy of my amazing itty bitty book on personal data protection and it's free if you get the kindle version so download that and use the tips in there to help you i'm gonna uh i'm gonna wrap it up with this one and definitely download that book by the way i did it earlier just before the stream and that's my holiday reading material um first one personal experience today lock your device if you don't lock your device set it to lock automatic two minutes five minutes whatever it is the amount of people are traveling leave their device device on the table go to the restroom get your device to lock automatically super cool tip that's the first one um if you can don't use your debit card on your line use a credit card a little bit safer in that perspective if you can always think that debit card pay the bills from there salary goes into their credit card probably doesn't have your salary coming out there little things that you can do just to uh so that's probably my top trip don't use your debit card this christmas if possible i appreciate it not everyone can but if possible don't use a debit card try to use credit card maybe get some points as well if he spends it's even better there's a bonus in that sense um but i think that's also another one that's uh there look we've taken up 52 minutes of people's mornings afternoons evenings this has been 
awesome thank you everyone around the world as always for for joining these sessions rick you absolutely did a smashing session last time this has been awesome we've got one more session coming up on the vmware carbon black linkedin if you don't follow the vmware card black linkedin search it vmware card in black follow the linkedin follow the twitter channel as well you'll hear from eric from myself and rick from karen of course from tom kellerman as well and howlers and also other people on those channels if you want to get security tips security information the conversations that we're having with the uh with csos there's some awesome information and also i'm going to take this this tag as well there's some great keynotes from all of these people on this screen um so just on youtube with some really cool information remember to download karen's book remember to order eric's book for christmas as well i need you to release a book next year that's the next one i'm the only one i'm slacking no and me and me um but with that it's been an absolute pleasure hosting this been absolutely awesome thank you everyone for providing your insightful tips this super useful tip super simple tips mfa vpn don't use a debit card lock your screen um but with that wherever you are good evening good afternoon good morning take care everyone take care see you soon have a great christmas have a great day
