Cybersecurity for Your Home or Virtual Office

There is something great to be learned about cybersecurity from this pandemic. Preparing for a crisis before it happens is far less expensive than recovering after it happens. The U.S. saved several billions of dollars cutting corners on pandemic preparation, and it’s now estimated that coronavirus will cost the world more than $300 Trillion when the economy is factored in – not to mention the death toll.

Smart preparation beats recovery every time. The same is true for cybersecurity where optimism grows out of preparation. Proper cyber hygiene, just like washing your hands for a full 20 seconds, is both mildly inconvenient and wildly effective. And we need it more than ever, because cybercriminals are taking advantage of the chaos. Going remote increases the exposure of company data exponentially, especially because we had so little time to prepare.

This outline focuses primarily on solopreneurs and small businesses as I have held out some of the more technically detailed information on how larger enterprises can further protect their remote workforce. In this time when so much is outside of our control there’s actually a great deal within our control when it comes to cyber security.

7 Cybersecurity Threats in Your Remote Workplace

I’ve put together the 7 threats that I feel, from having observed thousands of organizations with remote workers, are the FIRST you should address. This is not an exhaustive list, but a great place to start.

Threat #1 – Zoom Videoconferencing – Rapid adoption has meant little security

  1. I received a call from a client who told me two things had happened 1) They discovered that a competitor was lurking on a video BOD meeting and 2) When they discovered it, the user screen-shared porn, called “Zoom bombing”. Had this been a call between business and client, it would have been devastating.
  2. It is imperative that you consider the privacy and security implications of Zoom before you use it for sensitive or critical meetings: https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
  3. This article from the NY Attorney General about Zoom privacy practices has good information https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
  4. To learn to use Zoom, please visit Mike Domitrz’s recorded webinar on the topic: https://www.youtube.com/watch?v=aVKbnQJrrjg&feature=youtu.be

Threat #2 – You and Your Kids – People, not technology, introduce the greatest risk into your systems

  1. Coronavirus scams started the day the epidemic was announced, let’s focus on…
  2. Phishing emails are a hackers best friend. Consent to download crimeware or upload logins
  3. These scams follow the headlines, especially a crisis (can be by text, phone or SM adv)
  4. Solutions:
    • Recognize the coronavirus scams
    • Click Hygiene – pause for 20 seconds before you click – Too good to be true, too bad to be real, too dramatic to be worth your time, then ignore it
    • The Hover Technique – expectations vs. reality
    • 3rd-Party Spam Filters (corporate tip – block it at the Gateway)
    • Train your kids, as anyone on your network can download malware and spread it elsewhere

Threat #3 – Cyber Blackmail – Cheapest tool hacker has is to lockup data & demand a ransom

  1. Ransomware – byproduct of phishing
  2. Worms its way to other devices – Home offices, kids click habits are biggest culprit
  3. 3-2-1 Backup Plan – iDrive https://www.pcmag.com/reviews/idrive

Threat #4 – Game of Knowns – 95% of vulnerabilities are known

  1. Outdated & Unpatched Operating Systems and software (Windows 7 Question – Bruce)
  2. No centralized firewall to protect whole network (not just yours) DSL Router
  3. Unprotected WiFi – Change Default PW, WPA2+, SSID Masking, MAC-specific addresng
  4. Unencrypted computers, laptops and mobile devices (BitLocker & File Vault) LIABILITY
  5. Wide open Remote AcSileo Cybersecurity Keynote Speakercess Protocol
  6. Unprotected, wide-open WiFi
  7. SOLUTION: have an IT professional configure all of the above for you – working @ home, spend the money to prevent it up front. You can learn all of this, but devil in details.

Threat #5 – Cloud Hacking – We’ve pivoted to cloud computing and ignored the storm of cybercrime

  1. Setup 2-Step Logins (2 Factor Authentication)
  2. Enable a VPN
  3. Use a Password Manager Like Keeper, Dashlane or LastPass (https://www.pcmag.com/picks/the-best-password-managers)
  4. Dropbox is NOT a secure enough platform for PII or sensitive data
  5. Bad Communication – We email, transfer & store sensitive docs in plain sight
  6. Don’t email documents with sensitive info unless they are encrypted. PDF/Winzip/TrueCrypt (Use the portal with your financial provider)
  7. Messaging: Signal; Apple Messages (Not What’sApp, Facebook Messenger or Droid)

Threat #6 – Stupid Smartphones – The supercomputers in our pockets are a security afterthought

  1. Walk through EVERY Privacy and Security Setting on your smartphone. Period. If you don’t understand the setting, Google it.

Threat #7 – The “Squirrel” After this Class – Action distraction is the primary cause of breach

  1. Even when people have a checklist of what to do, the often don’t take action until after the breach, after the pandemic.

This is a broad outline of a starter course in protecting your virtual office. To customize a virtual webinar like this one to your organization, contact John directly on the number below.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging so that it sticks. Contact him directly on 303.777.3221

 

 

Coronavirus Cyberscam Alert: Protect Your Digital Health and Safety During a Pandemic.

Hey, this is a bit of a solemn and serious video today. First of all, my heart goes out to all of those communities, families, people that are battling with Coronavirus. Just like our physical health, we have to also pay attention to our digital, or cyber health, and how we watch out for all of the disinformation that is out there. Listen, cybercriminals will always exploit the headlines. They will always take advantage of our fears and our ignorance, whether it’s for product sales, whether it’s just to make us panic or whatever the motivation. My daughter, the reason that prompted this, was a feeling of, as a dad, my daughter texted me and said, “Hey, there’s a student, I have just seen that a student is being pulled out of class, out of their dorm by people in hazmat suits.”

Well, of course, that was a social media post. It made its way all the way around the campus and was absolutely false. So I want to just let you know some of the schemes and scams that we have seen, make you aware of them so that you’re listening and that you act differently. First of all, there is just massive disinformation out there right now. There are hoaxes, there are rumors, and you need to be extra skeptical at the moment. One example, there are government advisories out there that aren’t actually being issued by governments. They are false, they are fake, they have nothing to do, for whatever reason, people are putting those out there. There are bogus home remedies of how you can solve the Coronavirus, which there’s no vaccine yet and probably won’t be for 12 to 18 months. Of course, there are home remedies like washing your hands that are legitimate.

There are products meant to defraud you, pills that you can buy, masks that don’t actually work. You have to be really careful that what you’re buying is actually legitimate. And on top of that, there’s price gouging. So masks that are going for hundreds of dollars on Amazon that you don’t probably actually need, hand sanitizer that has run out at your local store. Think before you spend all of the money on this because there are many other answers. There are a ton of fraudulent emails that scam you into clicking on Covid-19 type alerts, an alert in your hometown from your school system, a remote work policy from your work. It may not actually be your work. False test results we have seen. Covid test results. Of course, you probably haven’t been tested, but you’re tempted to click on those links. We’ve seen a bunch of videos, social media, blog posts, fake articles that spread disinformation, a lot of it about voting and the voting that we’re going through right now and polling places, politics, and so forth.

So watch all of that. This is essentially the weaponization of information. It happens all the time. It happens in the corporate world, it happens in the government, and now it’s happening around the health system because it’s in the news. So just like good hygiene, physical hygiene, washing your hands, there are cyber hygiene tips that will help you protect yourself. Number one, if you don’t recognize an email or a text, if you weren’t expecting it, don’t click on it. Don’t respond to it. It’s probably not legitimate. If you can’t verify that it’s from your work, from your kid’s school, from the government, do not believe it until you verify it. Same advice for social media. Articles, videos. Don’t believe it until you verify with a source that you trust, that you go to over and over again. Do that before you take the action that they’re talking about because most of these right now is not legitimate.

So sources like the CDC, the World Health Organization, your local news if you trust it, or the paper that you trust. Finally, if you have questions, ask an expert. Don’t count on what you see in the media necessarily, what you see on the internet, especially on the internet, as being totally legitimate until you verify. The point is, just like with cybercrime, those who think before they react with this Covid and vice versa, those who think about their digital settings and what they’re doing online and email and text and on those devices, those are the ones who prepare in advance for that, that avoid the worst outcomes. Listen, thanks so much. Sorry, it’s such a serious topic, but it’s really important that you protect both your physical health and your digital health. Thanks so much and stay safe.

Are Hackers Targeting Your Association? Here’s How to Stop Them.

Chinese Hackers Targeting Your Association

Are hackers targeting your association?

The recent revelation that Chinese hackers penetrated the internal computer network of the National Association of Manufacturers (NAM) last summer should be a clarion call to all associations: They are coming for you. 

The suspected Chinese hackers ramped up their efforts to steal information in the days surrounding a meeting between NAM President Jay Timmons and President Trump this past summer. While we don’t know what data was stolen, the incident took place during intense trade negotiations, as US and Chinese government officials began to hash out details of a potential deal.

The primary motivating factor behind the hacking of trade associations is simple: INFLUENCE. The fact that NAM is an influential group that’s helped shape Trump’s trade policy made them an attractive target for the Chinese, who undoubtedly leveraged inside information to gain an upper hand in the talks. 

While the NAM hack is notable for its ties to the executive branch and high-stakes negotiations, the fact is that associations of all sizes and political influence are potential targets of hackers such as nation-states, foreign businesses or individual cybercriminals. In other words, you don’t need to have political or lobbying connections to be an attractive hacking target. Your member list, industry-specific intellectual property, employee data, digital connections to influencers, and banking and financial information are all just as attractive to cybercriminals and cyberextortionists as your political relationships. 

Over the past decade, numerous associations have been hacked: In May, the National Association of Realtors reported on a number of hacks of state associations and advised their members to beef up cybersecurity. Earlier hacks include (ironically) the Intelligence and National Security Alliance, the Fraternal Order of Police and the US Chamber of Commerce.

It’s not a matter of if your association will be hacked, but when

The World Economic Forum’s 2019 Global Risks Report ranked cyberattacks as the number one risk in North America. And with good reason. Data breaches alone are predicted to cost $5 trillion globally by 2024; in just the first nine months of this year, 7.9 billion records were exposed in North America. Associations haven’t traditionally been a large part of those statistics, which is exactly what makes them ripe for future picking. Lack of direct threats tends to breed complacency and lack of proactive protections.

Protecting your association from hackers and cybercriminals

As an industry association, in addition to advocating for your members, you have two vital responsibilities:

  1. Protecting your member data, financial details and intellectual property from cybercrime 
  2. Educating your members about protecting their organizations against those same evil forces

Here are the first steps you can take to fulfill both responsibilities:

  • Commission an External Cyber Penetration Test to expose your specific and known vulnerabilities
  • Educate your internal employees to detect and deter social engineering tactics like phishing, ransomware and deepfake videos
  • Prepare a data breach response plan in case you are successfully attacked. This should include a list of executive responsibilities, a public relations strategy, legal response and methods of communicating with the breach response team (remember, your email and texts and mobile devices can be compromised in a breach)
  • Educate your association members about cybersecurity best practices at your next annual event

Your reputation as an association depends on many factors. One of the most overlooked of those is the reputational damage done by a cyber breach incident, especially if member data is compromised. Take steps to manage your risk and defend your data — before it’s too late. 


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging for association and corporate audiences. Contact him directly on 303.777.3221. 

 

 

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 

Cyber Security Tips to protect your business - John Sileo

Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of  small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.” 

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work. 

Assign Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense. 

Repeat Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year. 

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 


About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University. 

 

Data Integrity Attacks: How Cybercriminals Manipulate Rather Than Steal Your Info

john-sileo-data-integrity

You’re rushed to the hospital after a serious car accident. Doing her job, the admitting physician verifies your blood type prior to giving you a life-saving transfusion. But no one knows the hospital’s medical records have been hacked — but not stolen. In this case, your records have been changed, reflecting a blood type that if transfused, would likely kill or seriously harm you. Welcome to the age of data manipulation.

Manipulating data is the latest trend in cybercrime, and it’s on the rise. The most recent study by Ponemon Institute and Accenture warned that attacking data integrity is the “next frontier.” To understand how we got to this point, we need to take a look at the evolution of cybercrime over the past two decades and how hackers seek a variety of hacking outcomes.

An approximate cybercrime timeline

Early on, cybercriminals were mostly looking to restrict access to your data availability, using malware to launch Denial of Service attacks, where legitimate users are kept from accessing a network, information or devices. Their motivation was twofold: to test their hacking tools for larger campaigns and to disrupt business operations of predetermined targets. 

Next, hackers expanded their exploits to steal data out of large databases — such as the Equifax breach that compromised the personal information of 143 million Americans — and sell it for a profit on the dark web. The cybercriminals’ primary motivation was good old fashioned greed. 

Simultaneously, cybercrime expanded into espionage, using malware and other methods to obtain secret files from U.S. defense contractors, including plans for the F-35 jet from Lockheed Martin. 

Then came cyberextortion, like when Sony Pictures was hacked just before it released the anti–Kim Jong-un movie, “The Interview.” At the time, the FBI said North Korea was responsible for the attack, but five years later questions about the perpetrators and motives remain, which just goes to show how hard it is to identify cybercriminals. 

On the heels of cyberextortion came disinformation and influence campaigns, like those used with Brexit and the 2016 U.S. presidential election. 

The point of this brief history lesson is to demonstrate how quickly sinister actors migrate time-tested tools of crime (fraud, extortion, disinformation, etc.) into cyberspace.

Data manipulation is mostly unique to cyberspace

The old fashioned alteration of checks, IDs and airplane tickets aside, data manipulation is a crime that grew exponentially in cyberspace. Former U.S. Cyber Command and NSA head admiral Michael Rogers said his worst-case attack scenario would involve data manipulation “on a massive scale.” 

Despite Rogers’ warning, the U.S. government continues to drag its feet on combating cybercrime, including data manipulation, which is now being discovered only after the fact by security teams. And I’m expecting that data alteration attacks will quickly become one of the most pernicious and undetectable threats for nation-states and corporations around the world. 

To expand on my previous example, it’s no longer just your blood type at risk. It’s the blood type, address and information on the family members of every soldier, spy and diplomat serving the United States. The potential to inflict great harm is enormous.  

Cybercrime is like a virus altering your DNA

Data manipulation is unique among cybercrimes because it’s not about taking the information — it’s about altering the data. The information generally never leaves the owner’s servers, so the criminal raises no red flags that something is amiss. This makes it much harder to catch, and it can be much more destructive. Think maliciously altering flight plans with air traffic controllers, altering bank account balances, or appending your criminal record with fictitious arrests. 

Think of data manipulation as a virus that invades the body and alters its fundamental DNA. The damage is done quietly, and you may never know it happened.

The integrity of our data is at stake

In 2017, a Michigan man hacked the IT system of the Washtenaw County Jail and altered the release date of a friend who was serving a sentence there. The hacker used a social engineering campaign to trick workers at the jail into downloading malware on their computers and was then able to access and change the data. Luckily, staff noticed something was amiss and used paper records to verify the sentence But the scheme cost Washtenaw more than $230,000, and the criminal got access to the personal information of over 1,600 people.

Getting a friend out of jail is one creative use of data manipulation, but there are far more nefarious uses, such as altering operating procedures on nuclear facility instruction manuals, modifying software code in driverless vehicles, and changing the temperature threshold on refrigeration equipment or power turbines. And of course, as we’ve already experienced, altering votes or voter eligibility.

The stock market is another place that’s ripe for data manipulation. As the Wall Street Journal reported last year, 85% of stock market trades happen “on autopilot — controlled by machines, models, or passive investing formulas.” Consequently, if the underlying data that feeds the algorithms is altered by hackers, it could create widespread chaos in the markets and ultimately destabilize the global economy.

The biggest threat may be to the healthcare industry, which has become a prime target in ransomware attacks, and where the effects of data manipulation can be deadly. To underscore this point, researchers in Israel created malware that can add realistic but fake malignant growths to CT or MRI scans before they’re reviewed by doctors or radiologists. Likewise, the malware can remove cancerous nodules or lesions from patients’ scans. 

In April, The Washington Post reported on the malware and revealed that a blind study conducted by researchers at Ben-Gurion University Cyber Security Research Center had devastating results. “In the case of scans with fabricated cancerous nodules, the radiologists diagnosed cancer 99 percent of the time. In cases where the malware removed real cancerous nodules from scans, the radiologists said those patients were healthy 94 percent of the time.”

When it comes to cybercrime, the best defense is a good offense

Because the defense of data integrity is in its early stages, there is very little that organizations can do to defend against manipulation once the cybercriminals have cracked into critical databases. Few organizations possess the tools to accurately detect and eliminate data manipulation, and those tools are more than a year away. 

In the meantime, your solution is to keep criminals out of your data in the first place, using the tools that I talk about in every one of my presentations. When it comes to data integrity, prevention beats recovery every time.

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on data integrity, cybersecurity and tech/life balance.