Tag Archive for: Cybersecurity

ChatGPT: What is Generative AI & Why Does it Matter? (As Explained by a Bot)


ChatGPT is a Type of Generative AI (and this post is an example)

(The best way to understand ChatGPT and Generative AI is to show what it can do. So, everything below this line was written by ChatGPT based on the prompt “Write an article about Generative AI and ChatGPT that explains what it is and how it can be used for good or evil”. I added the subtitles and a sentence on the cybersecurity implications of ChatGPT (using RED text) that we are already witnessing. Other than that, everything was written by a bot. – John )

Artificial Intelligence (AI) is a rapidly growing field that has the potential to revolutionize the way businesses operate. From automating repetitive tasks to making complex decisions, AI is already being used in various industries to improve efficiency, reduce costs, and enhance the customer experience. However, one area of AI that has gained particular attention in recent years is Generative AI. This technology, which allows AI systems to create new content, has the potential to change the way businesses work in ways that we can’t yet fully anticipate.

One of the most significant changes that generative AI will bring to businesses is the ability to automate the creation of content. For example, a generative AI system can be trained to write news articles, create social media posts, or even compose music. This will save businesses time and money while also allowing them to create more content than ever before.

An Example of Generative AI

ChatGPT is an example of generative AI applied to content creation and is a type of language model developed by OpenAI. It is based on a technology called “transformer” which allows it to understand and generate human language. Essentially, ChatGPT is a program that can understand and respond to natural language text input: it can answer questions, summarize information, generate text and even complete a text given some initial context.

For example, if you ask ChatGPT to write a news article on a specific topic, it can use the information it has learned from a large dataset of text and write an article on that topic. Similarly, it can answer a question that you might ask, such as “What is the capital of France?” or “What is the definition of AI?”. Additionally, it can generate text such as poetry, song lyrics, stories, and so on.

It is used in various applications such as chatbots, virtual assistants, automated content generation, language translation, and more. It can be fine-tuned for specific tasks by training it on a smaller dataset of text that is related to that task.

It is a powerful tool for natural language processing; it is capable of understanding and generating human-like text and can be useful in various industries. However, like any AI technology, it has its limitations and it’s important to keep in mind that it’s not always going to produce perfect results.

Other Uses of Generative AI

In addition to creating content, generative AI also has the potential to improve the decision-making process. This is because it can analyze large amounts of data and identify patterns that humans may not be able to see. For example, a generative AI system can be used to predict future market trends, identify potential fraud, or even recommend personalized products to customers.

The Risks of ChatGPT and Generative AI

However, with any new technology comes risk. One of the main risks of generative AI is the potential for it to produce fake or biased content. For example, a generative AI system that is trained on biased data could produce content that is racist, sexist, or just plain inaccurate. This could lead to serious damage to a company’s reputation and credibility.

Another risk of generative AI is the potential for it to be used for malicious purposes. For example, a generative AI system could be used to create deepfake videos or fake news articles that spread misinformation and cause chaos. This could have serious consequences, not just for businesses but for society as a whole. It can also create phishing emails for cybercriminals who don’t speak English, can write malicious software code for malware, ransomware and other tools used by cybercriminals, and it can do it all for free and in a matter of minutes.

In conclusion, Generative AI is a powerful technology that has the potential to change the way businesses work in many ways. However, as with any new technology, it also poses risks that need to be carefully considered. Businesses should be aware of these risks and work to mitigate them in order to fully harness the power of Generative AI.

___________________________

Cybersecurity Expert John Sileo’s newest keynote speech, Hacking A.I. – Cybersecurity in the Age of Artificial Intelligence, explores the changing landscape of technology and cyber threats due to tectonic shifts fostered by ChatGPT, Generative AI, cloud computing, deep fakes, and adaptive ransomware. For every good use of technology, there is a corresponding evil intention exploited by cybercriminals, corporate spies and rogue nation-states. Your awareness, response and resilience has become even more vital to your organization’s performance and reputation. John is offering a limited number of 24 Hacking A.I. keynotes this year due to advanced bookings of his other keynote speeches. Bring him in for this business-oriented, non-technical, cutting-edge cybersecurity update by calling us directly on 303.777.3221 or filling out our Contact Us form.

Top 5 Cybersecurity Keynote Speakers for Your Event


Cybersecurity Keynote Speakers are in High Demand

Cybersecurity is a critical issue for businesses and organizations of all sizes and industries, and it is more important than ever to stay informed and educated on the latest threats and best practices for protecting sensitive information. One of the best ways to do this is by attending conferences and events where top cybersecurity experts share their knowledge and insights.

As a meeting professional, you have the opportunity to bring these experts to your own events and educate your audiences on the importance of cybersecurity. But not all cybersecurity keynote speakers command an audience in the same way, whether it be with expertise or entertainment. From the entertaining (Sileo), to the academic (Schneier), to the cutting edge (Krebs), to the human psychology (Barker), these are some of the top cybersecurity keynote speakers that will have attendees talking about your event long after the lights go down:

  1. John Sileo (The Storyteller): John is a leading expert in the field of cybersecurity and data privacy, with two decades of experience stemming from having lost his multi-million-dollar internet company to cybercrime. He helps organizations understand the latest threats to their sensitive and highly-profitable information and teaches the strategies they can implement to protect it. He combines real-world examples and personal anecdotes with the latest research and best practices, making his presentations both informative and engaging. John is known for his extensive interaction with the audience, including live hacking an audience-member’s smartphone to illustrate how easily cybercriminals can get into your banking, investment and work accounts through your phone. John has presented at hundreds of conferences, corporate events and government agencies, earning rave reviews from audiences of all sizes and backgrounds. His happy clients include the Pentagon, Amazon, and associations representing virtually every industry.
  2. Brian Krebs (The Reporter): Brian is an investigative journalist and the founder of KrebsOnSecurity, one of the most widely-read cybersecurity news websites. He has deep expertise in the areas of cybercrime and data breaches, and is a sought-after speaker on the topic for his first-class reporting on many of the technical aspects of cybercrime. Brian has written for publications such as The Washington Post and Wired, and has appeared on numerous television and radio programs. As a keynote speaker, Brian brings a wealth of cutting-edge breach incidents that he uncovers or is alerted to.
  3. Bruce Schneier (The Technologist): Bruce is a renowned security technologist, author, and public speaker. He is the author of several books on cybersecurity, including “Data and Goliath” and “Applied Cryptography.” Bruce is a regular commentator on security issues in the media, a highly respected thought-leader in the cybersecurity community and a public-interest technologist, working at the intersection of security, technology and people. As a cybersecurity speaker, he is very comfortable diving into the more technical aspects of the topic.
  4. Kevin Mitnick (The Hacker): Kevin is a former hacker turned cybersecurity consultant, author and speaker. He is one of the most well-known figures in the cybersecurity world and his story is the subject of several books and films. Kevin’s presentations draw on his unique perspective and experiences to provide audiences with valuable insights into the world of hacking and cybercrime.
  5. Dr. Jessica Barker (The Psychologist): Jessica is a cyber-psychologist and the co-founder of Cygenta, a cybersecurity consulting firm. She is a highly sought-after speaker on the topic of human behavior and cybersecurity and has presented at conferences and events around the world. Jessica’s presentations focus on the psychological and social aspects of cybersecurity and how to create a culture of security within an organization.

These are some of the top cybersecurity keynote speakers in the industry, and you can count on them being booked out months, if not years, in advance. John Sileo stands out for his remarkable story of losing everything to cybercrime and his ability to deliver complex concepts in a humorous way using his wealth of knowledge and experience in the field. He is a dynamic and engaging speaker who interacts constantly with your audience to make cybersecurity accessible and memorable. Visit his website at Sileo.com where you can find more information and schedule a speaking engagement.

Prepping for Russian Cyberattacks


This post is a summary of a full interview about Russian Cyberattacks that John conducted with Bottomline Publications.

As Russian cyberattacks increase, a bit of prep isn’t paranoid

The world is a bit on edge, wouldn’t you say? With geopolitical tension escalating and Russian recruitment of members from REvil, a criminal computer-hacking organization, it’s a good time to buckle down and be very intentional about how we are protecting what matters most – data and otherwise. Preparing for a Russian cyberattack is not about being afraid or panicking that cyber doomsday is around the corner. It is about having systems and backups in place that will make your life safer, easier, and more in your control if an attack should occur. And it protects you even if it doesn’t occur. Those who prep, survive. And because our physical worlds are so influenced by our digital worlds, you can’t plan one without the other.

Here is a quick summary of 11 ways to protect both the physical and digital realms of your day-to-day life:

Infrastructure

  • Stock up: non-perishable foods, medications, water (1 gallon per person per day), a windup radio, portable power station, and other emergency supplies.
  • Gas up: Keep your tank filled.

Finances

  • Cash out: Keep two weeks’ worth of money in $5-10 bills. Russia could shut down ATMs or credit card processors.
  • Print ‘em: Opt into paper statements to have bank account information handy.

Cyber Threats to Cloud Data

  • Back up: Use a 3-2-1 plan to back up essentials (photos, passwords, emails, documents, financial info). Keep THREE copies of the data in TWO different formats with ONE in the cloud.
  • Check back: Make sure to have a consistent backup schedule and check that it’s working.

Cyber Attacks On Your Network

  • Don’t click: Pause before clicking on any links in emails. This break will allow you to investigate and possibly avoid ransomware attacks, phishing scams, and other Russian cyberattacks.
  • Patch Software: Turn on automatic updates for all operating systems, anti-virus software and apps.
  • Two-factor Authentication: Turn on two-step logins for all financial, health and wealth websites as well as email.
  • Protect the elderly/young: Seniors and kids are easy targets. Set up remote access to their devices, use parental controls where applicable and make sure they know not to click on suspicious email links.

Communication Backup Plan

  • Plan it: In the event of a communication outage, make sure you have a predesignated meeting place to gather at after a scheduled number of hours.
  • Print it: Print out (or memorize!) phone numbers, street addresses, and other important information stored on your phone.
  • Know it: Make sure you know how to manually operate your garage door, thermostat, and other household appliances that would normally use the internet.

Believe me, I get it. No one wants to think about the chilling possibilities of Russian cyberattacks that cause disrupted gas pipelines, locked ATMs, or dead cell phones. But as the Russian aggression stumbles and sputters, Putin and his generals will reach for any tool of power in their desperation. It’s not a time to be paranoid, but prepared.

_________________________

John Sileo shares his story of losing everything to cybercrime because of a lack of preparation with keynote audiences around the world. He specializes in the human element of cybersecurity and makes cybersecurity engaging, so that it sticks. Contact us at 303.777.3222 to see how John would customize for your event.

Did Apple Passkey Just Kill Traditional Passwords?

And Will Passkeys Permanently Marry You to Apple?

Humans are weak and so are our passwords. We make easily memorizable (read: guessable) passwords that accidentally invite cybercriminals and identity thieves into our homes, offices and bank accounts like a neighbor for afternoon tea. The solution? Remove humans from the tea party.

Enter Apple. At the company’s annual WWDC developer conference, Apple proposed a new form of authentication that may put passwords entirely out of business. But are we truly ready to retire those decades-old, reuse-for-everything-but-the-kitchen-sink passwords?

Many tech giants are making the move away from passwords and towards passkeys. Why? Because our passwords stink. While a password is a series of numbers, letters, and symbols typed in by a user to unlock an account, a passkey is a form of biometric authentication that is stored in the physical device. Instead of typing “123456” into any given account (which happens to be the most common password for many years running, along with, you guessed it, “password”), Apple proposes a finger/face ID that would automatically sign you into your accounts by unlocking your device. Should you lose or break that phone, passkeys are backed up to the iCloud Keychain and synced across devices. Not to mention, the keys will allow us to sign into websites with end-to-end encryption, further deterring hackers from reaching any valuable data.

How Passkeys Are Like Nuclear Launch Codes

Passkeys can be compared to the “two man rule”, which is the extra layer of protection behind the launching of nuclear missiles. This rule basically requires that two (or more) people each have a key that operates only when paired simultaneously with the other key. In order for anyone to push the missile-launching red button, each key holder needs their physical key to unlock it. This creates a buffer between mistakes (no spilled coffees starting nuclear war, phew!), emotional overreaction, and hacking. Cybercriminals are much less likely to hack both ends of the passkey–both the user end on the device and the company end on the website. By removing weak passwords on the user end, and weakly protected databases of passwords on the website end, hacking is less likely to exploit the human element.

The introduction of passkeys to replace passwords has us wondering–what are the unintended consequences of this new and shiny solution? We must remember that hackers are the masters of unintended consequences. While we cannot be sure of these downfalls, we know that the good guy’s solution is the bad guy’s shiny new opportunity. For example, passkeys will unintentionally increase the marketplace for stolen credentialized devices (working smartphones along with their working passcode). This may introduce a greater physical threat of violence as cybercriminals target the parts of the equation held by us consumers.

Another thing to keep in mind is the myriad of ways in which we are in Apple’s pocket by keeping their products in ours. Apple is very intentionally leveraging security to keep us roped into their products. In fact, they have made security and privacy one of their key competitive differentiators.

So is it worth it? Are we willing to be beholden to Apple products for better security? That is for you to decide as we head into a new password-less era. Like with most new technology, it’s often better to pause, observe, and wait for the unintended consequences to pan out. While it would be easy to throw our hands up, smile at the face ID, and get to our Netflix show without touching a keyboard, we have to know what measures are in place to protect our most valuable capital. And we won’t really know that until cybercriminals have a crack at it.

Pros of Apple Passkey

  1. Efficient and easy to use (no more memorizing guessable passwords!)
  2. Less fallible than human knowledge/memory
  3. Social engineering is taken out of the equation
  4. Security is no longer reliant on that password that you created ten years ago and have copy/pasted since
  5. Stored on the device and therefore more resistant to data breaches
  6. End-to-end encryption (that even Apple supposedly can’t view)

Cons of Apple Passkey

  1. Increases the marketplace for stolen credentialized devices
  2. Increased dependency on the phone and upon Apple
  3. Unknown how passkeys would work for non-Apple users

Things to keep in mind about all technological advances

  1. Big promises will always have unintended consequences
  2. In general, it’s better to wait and see when it comes to new technological advances, especially in organizations, where rolling out a new technology can create massive headaches.
  3. Biometrics are not the end-all solution even if they are safer. How companies store and protect that data matters too.
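The split the post describes, as an added example that is not from the post and not Apple’s implementation: a simplified challenge-response model in Go in which the phone holds a private key that the biometric unlocks, the website stores only the matching public key, and the situations from the pros and cons above (a breached website database, a replayed signature, a locked phone, and a stolen phone with its passcode) are each run through it. The names Device, Website, Outcomes and Scenarios are this example’s own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the user's phone: the private key is created here and
// never leaves, and Unlocked stands in for the biometric check gating its use.
// This is a simplified illustration, not Apple's implementation.
type Device struct {
	priv     ed25519.PrivateKey
	Unlocked bool
}

// Website stands in for the relying party. It stores public keys only, so a
// dump of this map contains no secret that can be turned into a login.
type Website struct {
	pubkeys map[string]ed25519.PublicKey
}

func NewWebsite() *Website {
	return &Website{pubkeys: map[string]ed25519.PublicKey{}}
}

// Register generates the key pair on the device and sends only the public half to the site.
func Register(site *Website, dev *Device, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	dev.priv = priv
	site.pubkeys[user] = pub
	return nil
}

// Challenge issues a fresh random nonce. The device must sign this exact value,
// which is what stops a signature captured from an earlier login being replayed.
func (w *Website) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Sign is the device's half of the "two keys": no signature unless the local unlock happened.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("device locked: biometric unlock required")
	}
	if len(d.priv) != ed25519.PrivateKeySize {
		return nil, errors.New("no passkey enrolled on this device")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify is the site's half: the signature must check out against this user's stored public key.
func (w *Website) Verify(user string, challenge, sig []byte) bool {
	pub, ok := w.pubkeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// Outcomes records whether each situation from the post results in a successful login.
type Outcomes struct {
	LegitLogin     bool // unlocked phone, genuine site
	ServerDumpOnly bool // attacker holds a copy of the site's credential store and nothing else
	Replay         bool // attacker reuses a captured signature against a fresh challenge
	LockedPhone    bool // thief has the phone but cannot unlock it
	StolenUnlocked bool // thief has the phone and its passcode (the "credentialized device" con)
}

// Scenarios runs the five situations against one enrolled user, "alice" (constructed sample).
func Scenarios() (Outcomes, error) {
	site := NewWebsite()
	phone := &Device{Unlocked: true}
	if err := Register(site, phone, "alice"); err != nil {
		return Outcomes{}, err
	}
	var o Outcomes

	// 1. Normal login: fresh challenge, signed on the unlocked phone.
	ch1, _ := site.Challenge()
	sig1, err := phone.Sign(ch1)
	if err != nil {
		return o, err
	}
	o.LegitLogin = site.Verify("alice", ch1, sig1)

	// 2. Breached website database: the attacker has alice's public key only,
	// so the best available move is a guessed signature, which does not verify.
	forged := make([]byte, ed25519.SignatureSize)
	rand.Read(forged)
	ch2, _ := site.Challenge()
	o.ServerDumpOnly = site.Verify("alice", ch2, forged)

	// 3. Replay: sig1 was valid for ch1, but the site now asks for ch2.
	o.Replay = site.Verify("alice", ch2, sig1)

	// 4. Stolen but locked phone: the private key is present but unusable.
	phone.Unlocked = false
	if _, err := phone.Sign(ch2); err == nil {
		o.LockedPhone = true
	}

	// 5. Stolen phone plus passcode: the thief holds everything the user held, so the login works.
	phone.Unlocked = true
	ch3, _ := site.Challenge()
	sig3, _ := phone.Sign(ch3)
	o.StolenUnlocked = site.Verify("alice", ch3, sig3)
	return o, nil
}

func main() {
	o, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Only the last case succeeds for an attacker, which is exactly the con the post lists: the website side holds nothing worth stealing, so the phone and its unlock become the target.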

_________________________

John Sileo shares his story of losing everything to cybercrime with keynote audiences around the world. He specializes in the human element of cybersecurity and how technological changes like the death of passwords can derail an entire organization. Contact us at 303.777.3222 to see how John would customize for your event.

SolarWinds Hack: What Vladimir Putin Wants Every Business To Ignore

Summary of the SolarWinds Hack

Russian hackers inserted malicious code into a ubiquitous piece of network-management software (SolarWinds and other companies) used by a majority of governmental agencies, Fortune 500 companies and many cloud providers. The software potentially gives Russia an all-access pass into the data of breached organizations and their customers.

Immediate Steps to Protect Your Network

I would recommend having a conversation with your IT provider or security team about the following items, as much for future attacks as for the SolarWinds hack:

  • After reading through this summary, take a deeper dive into this WSJ white-paper: The SolarWinds Hack – What Businesses Need to Know
  • For small businesses, it is important that you check with any cloud software providers to make sure they have resolved any problems with affected software.
  • Patch all instances of SolarWinds network management software and all network management, security and operational software in your environment.
  • Make sure your security team keeps up with the latest fixes for the Sunspot virus.
  • Configure your network assets to be as isolated as possible so that your most confidential data caches are separate from less confidential data.
  • Review the security settings of every category of user on the system to tighten user-level access.
  • Make sure employees know the proper procedures for connecting remotely to your network. Verify that they aren’t using a free personal VPN to connect.
  • If you utilize Microsoft products, keep up to date with their Investigation Updates.
  • If there is a chance you have been affected, have a full security audit done of your network.

Details of the SolarWinds Hack

During the worst possible time – a contentious presidential transition and a global pandemic – dozens of federal government agencies, among them the Defense, Treasury and Commerce departments, were breached by a cyber espionage campaign launched by the Russian foreign-intelligence service (SVR). The SVR is also linked to hacks on government agencies during the Obama Administration.

Senator Angus King said Putin “doesn’t have the resources to compete with us using conventional weapons, but he can hire about 8,000 hackers for the price of one jet fighter.”

In addition to internal communications being stolen, the operation exposed hundreds of thousands of government and corporate networks to potential risk. The hackers infiltrated the systems through a malicious software update introduced in a product from SolarWinds Inc., a U.S. network-management company. This allowed unsuspecting customers of their software to download a corrupted version of the software with a hidden back door allowing hackers to access their networks from “inside the house”. SolarWinds has more than 300,000 customers worldwide, including 425 of the U.S. Fortune 500 companies. Some of those customers include: the Secret Service, the Defense Department, the Federal Reserve, Microsoft, Lockheed Martin Corp, PricewaterhouseCoopers LLP, and the National Security Agency. (Note: more recently, it has been discovered that SolarWinds wasn’t the only primary software infected.)

A SolarWinds spokesperson said the company knew of a vulnerability related to updates of its Orion technology management software and that the hack was the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. Like the FireEye breach, this was not a broad attack of many systems at once, but a stealthy, patiently-conducted campaign that required “meticulous planning and manual interaction.”

SolarWinds Hack was a Supply Chain Attack

These supply-chain attacks reflect a trend by hackers in which they search for a vulnerability in a common product or service used widely by multiple companies. Once that product is breached, the compromise spreads widely across the internet and across dozens or even hundreds of companies before it is detected. Many companies have increased their level of cyber-protections, but they do not scrutinize the software that their suppliers provide. This is a concern because corporations typically have dozens of software suppliers. For example, in the banking industry, the average number of direct software suppliers is 83. In IT services, it’s 55.

To understand the severity and national-security concerns of this breach, think of this as a “10 on a scale of one to 10”. The Cybersecurity and Infrastructure Security Agency ordered the immediate shutdown of SolarWinds Orion products. Chris Krebs, the top cybersecurity official at the Department of Homeland Security until his recent firing by Trump, stressed that any Orion users should assume they have been compromised. Other investigators say that merely uninstalling SolarWinds will not solve the threat and that recovery will be an uphill battle unlike any we have ever seen. While the hackers may not have gained complete control of all companies, all experts agree that it will take years to know for certain which networks the Russians control and which ones they just occupy, and to be assured that foreign control has been negated. Because they will be watching whatever moves we make—from the inside.


John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Zoom Security in 7 Steps (Video + Graphic)

Since this video was recorded, Zoom has issued several security updates. Learn more at the Zoom Security web page and don’t forget to update to the latest version!

Zoom Security Transcript:

Hey, everybody. It’s good to see you back again. Today we’re going to talk about seven steps you can take to lock down your Zoom Security. At this point I have heard from clients everything from seeing naked people showing up in their webinars, incredibly embarrassing, bad for the brand. I’ve seen hacked Zoom accounts. I have seen whiteboards and presentations that have been shared with racial epithets, with everything terrible under the sun.

So, I thought I’d give you some ways to lock your Zoom video conference down. Here we go. I’m just going to show you right on the screen so that you can set these up either as we go or right afterwards. First of all, you’ll notice on the Zoom interface, which I’m showing you here, that there is now a Security tab. It allows you to lock your meeting, so that once you have everybody in that you want and you don’t want a Zoom bomber, somebody who comes in not wearing clothes or shares their screen, you can lock the meeting, so that nobody else can get in. Super important that you use that right there, so I’m going to lock my meeting. Nobody else at this point can get in.

Secondly, you can have a waiting room so that nobody can talk to each other until you come in. This is great for teachers or if you don’t want people discussing anything before the meeting starts, before you as the controller of the meeting begin it. This one’s super important and I’m going to show you how to set these up as your defaults in the second part here, but sharing your screen, this allows the participants to share their screen. We don’t want that on unless you really want them to share because this is how they share everything from the whiteboard where they write … What I’ve seen is nasty racial epithets on it, or they share their PowerPoint presentation with stuff that you don’t want to see.

So, we do not want them to share the screen by default. Again, we’ll set that up in a minute, but you can turn it on and off here. You can turn chat on and off and renaming themselves. This means that if you kick somebody out, they can rename themselves and come back. So we’re going to take a look at how to change all of those things in your default settings. That’s what’s so important here. So let’s go to the default settings.

The easiest way to set up your defaults for Zoom security is when you start scheduling the meeting, you do it in that interface. So let’s say that we were going to schedule a new meeting here in our software. You bring the software up, the first thing you need to know is you want to generate a meeting ID automatically. You don’t want to use your personal meeting ID because once that ID is out, once people know it, it’s on social media or whatever, anybody can join that personal meeting ID. I rarely use this feature unless it’s just for a quick meeting. You’ll also want to start requiring a password on every one of these. This is what keeps your video conference encrypted, it’s what keeps unwanted people out because they don’t have the password. So, we would go ahead and schedule that. I’m not going to do it at this point because I’m on a meeting right now.

And you’ll notice up here in the corner that there is a settings button. That’s where we want to go to set our defaults. When you do that, it brings up a bunch of choices. I’m not going to go through settings that don’t have to do with security or privacy. I’m going to just talk about the ones that have to do with privacy. So down here in the profile section, if you click on view advanced features, that will bring you up. I’m going to close that out now, that will bring you into the settings portion of your online account. And this is where we change all of the default settings. Now understand, Zoom is doing a lot of work to increase security, to have better encryption, which right now is weak and to lock down security. But until then you’re going to have to really pay attention to these default settings.

I turned my host video off from the start because I want to make sure that I know when I’m on that screen and being recorded. I turn it on when I am ready. Okay. Down here, use personal meeting ID when scheduling a meeting. Again, I turn this off by default. I do it for an instant meeting as well. I don’t like to use that generic address. Once it’s out there, anybody can Zoom bomb, they can join, just knowing that address. This is a really important one. Only authenticated users can join the meetings. There’s different ways that you can define down here what an authenticated user is. It could be somebody who has the right email address, it could be somebody based on the fact that they have a Zoom account or not. So this is an important one for security. And the same goes for joining from a web client, you want to make sure that they are an authenticated user, that they have a legitimate Zoom account, not just joining from the outside.

Right here, require a password when scheduling new meetings or instant meetings. That should be turned on by default. You will be using a password. That makes it more encrypted and that keeps unwanted users out. I also require passwords when joining by phone because it’s the same thing. You don’t want somebody calling in on a generic number and being able to disrupt your meeting. This one here, requiring encryption for third-party endpoints. This is good unless you’re using YouTube to do live broadcasting. If you try and turn that on and you’re broadcasting to YouTube in a live stream, it will not work because YouTube does not work with that form of encryption. So, if you’re not live broadcasting to Facebook or YouTube or other, you can turn that on, which improves your Zoom security.

Okay, file transfer. I turn that off unless I’m in a meeting where I’m definitely going to transfer documents because if somebody gets on that is not meant to be there, a cyber criminal or a hacker, they can transfer malware using that file transfer capability. So in general, I keep that turned off and I turn it on when I need to transfer a file. This one’s really important. Screen-sharing, who can share? I turn it on because I want to share my screen, but I also note that I’m the only one that can share the screen, not all of the participants. And then in the individual meeting or webinar, I can say, “Hey, this particular user can share their screen.” I control that access. This is where Zoom bombing happens: when screen-sharing is left open, people share photos, videos, presentations that you definitely do not want to be seeing.

So you want to control that. So you turn on screen sharing, but you turn it on for the host only. You can also disable desktop and screen sharing for users. One more tool that lets you totally lock it down. I, of course, do allow some sharing of that so I don’t completely disable it. You don’t probably want to share annotation or whiteboard or remote control of the system. You can do that again on an individual basis when you need it, but setting that as the default allows anybody that’s in your meeting or your conference to share the whiteboard or the annotating services.

This is good here, identify guest participants in the meeting. So, if you didn’t invite somebody but they’re on, they will appear in a separate participant list, so that you know that you’ve got people that you weren’t expecting there. You can either leave them on or you can cut them off.

Let’s go back up to the top real quickly. I want to show you here in the recording section, as opposed to the meeting section, a couple of best practices. You can give participants the permission to record locally. This is a good privacy setting. You don’t necessarily want everybody to be able to record locally, so I give that out on a very limited basis, and understand that anytime you record something it will be shared. So, if you’ve got a private board of directors meeting, if you’re discussing intellectual property, if you’re having a conversation or video of any kind, you probably do not want that to be recorded. One other thing is I like to record on the local computer, not in the cloud. This takes away some of the ability for Zoom to be able to scan and share or advertise based on the content of your meetings.

Believe it or not, when you sign their data use policy, you are giving them the right to scan what you leave in the cloud. So, I always use a modern enough computer that I can save it right to my hard drive. And finally, the recording disclaimer, this asks participants for their consent when recording. This is a best practice. People need to know that they’re being recorded.

One last thing that I want to go through is what happens if somebody is Zoom bombing, somebody comes into your conference unwanted. I recommend always having a cohost. If you’re doing a webinar or an important meeting, somebody who can watch over, for example, the participant list. So that if somebody came up here that you didn’t want, you could simply click on them. Because I’m the cohost, you can’t do this, but you could click on more, you could have that person forced out of the meeting, to leave the meeting.

It’s a great way if somebody’s causing trouble, but it’s hard to do when you’re actually the one giving the webinar, like I am right now, to both monitor that and monitor the chat. That’s why I always recommend that you have a cohost along.

All right. Summary. You need to lock your meeting. You need to have passwords. Don’t use that personal meeting ID. Have it be customized for every single one, and go in and change those defaults. Read through them. If you don’t understand something, Zoom walks through it on their site; they have videos on it that make it much easier to go through and customize those settings. Start by locking everything down, practice with it, and then back into your preferred settings. I just don’t want you getting out there and having a meeting on something that’s confidential and private that then gets out to the public.

All right, thank you so much. I hope this helped out. Let me know what you want to see next time. Please like us. Pass us on. Share us. That’s how we let people know what we’re doing. Take care.


Cybersecurity for Your Home or Virtual Office

Cybersecurity Virtual Office Key Links from the Webinar:

ZOOM Sileo Security Video
Password Managers Review
Data Backup Physical/Cloud Backup 
ZOOM Security & Privacy Page

There is something great to be learned about cybersecurity from this pandemic. Preparing for a crisis before it happens is far less expensive than recovering after it happens. The U.S. saved several billions of dollars cutting corners on pandemic preparation, and it’s now estimated that coronavirus will cost the world more than $300 Trillion when the economy is factored in – not to mention the death toll.

Smart preparation beats recovery every time. The same is true for cybersecurity where optimism grows out of preparation. Proper cyber hygiene, just like washing your hands for a full 20 seconds, is both mildly inconvenient and wildly effective. And we need it more than ever, because cybercriminals are taking advantage of the chaos. Going remote increases the exposure of company data exponentially, especially because we had so little time to prepare.

This outline focuses primarily on solopreneurs and small businesses, as I have held back some of the more technically detailed information on how larger enterprises can further protect their remote workforce. In this time when so much is outside of our control, there’s actually a great deal within our control when it comes to cybersecurity.

7 Cybersecurity Threats in Your Remote Workplace

I’ve put together the 7 threats that I feel, from having observed thousands of organizations with remote workers, are the FIRST you should address. This is not an exhaustive list, but a great place to start.

Threat #1 – Zoom Videoconferencing – Rapid adoption has meant little security

  1. I received a call from a client who told me two things had happened: 1) they discovered that a competitor was lurking on a video board of directors (BOD) meeting, and 2) when they discovered it, that user screen-shared porn, so-called “Zoom bombing.” Had this been a call between a business and a client, it would have been devastating.
  2. It is imperative that you consider the privacy and security implications of Zoom before you use it for sensitive or critical meetings: https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
  3. This article from the NY Attorney General about Zoom privacy practices has good information https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html
  4. To learn to use Zoom, please visit Mike Domitrz’s recorded webinar on the topic: https://www.youtube.com/watch?v=aVKbnQJrrjg&feature=youtu.be

Threat #2 – You and Your Kids – People, not technology, introduce the greatest risk into your systems

  1. Coronavirus scams started the day the epidemic was announced, let’s focus on…
  2. Phishing emails are a hacker’s best friend: they trick you into consenting to download crimeware or hand over your logins
  3. These scams follow the headlines, especially a crisis (they can arrive by text, phone or social media ads, not just email)
  4. Solutions:
    • Recognize the coronavirus scams
    • Click hygiene – pause for 20 seconds before you click; if it is too good to be true, too bad to be real, or too dramatic to be worth your time, ignore it
    • The hover technique – hover over a link and compare the text you expected with the destination the link actually goes to (expectations vs. reality)
    • 3rd-party spam filters (corporate tip – block it at the gateway, before it ever reaches an inbox)
    • Train your kids, as anyone on your network can download malware and spread it elsewhere
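The hover technique above is a manual check: what a link shows versus where it goes. The script below automates that check over an HTML e-mail body. It is an added example written for this page, not code from the webinar or from The Sileo Group, and it uses only the Python standard library. It pulls out every link and warns when the visible text names one domain but the href goes to another, when the target is a raw IP address, or when the host is punycode (a look-alike domain). The e-mail body is constructed for the demo, and the two-label “registrable domain” rule is an assumption that works for .com-style names but not for suffixes such as co.uk, where the Public Suffix List should be used instead.

```python
"""The hover technique, automated: compare the text a link shows with where it really goes."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed phishing-style HTML body (not a real message): one benign link, three bad ones.
SAMPLE_EMAIL_HTML = """
<p>Your COVID-19 test results are ready.</p>
<p><a href="http://cdc.gov.results-portal.xyz/login">https://www.cdc.gov/results</a></p>
<p><a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">WHO guidance</a></p>
<p><a href="http://203.0.113.45/hr/policy.doc">Remote work policy</a></p>
<p><a href="https://xn--pypal-4ve.com/verify">paypal.com</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (assumed stand-in for the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _host_if_urlish(text):
    """Return the host name if the visible text looks like a URL or bare domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host) else None


def check_link(href, text):
    """Return a list of warnings for one link; an empty list means text and target agree."""
    warnings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host name in href"]
    try:
        ipaddress.ip_address(host)
        warnings.append("href points at a raw IP address")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("href host is punycode (possible look-alike domain)")
    shown = _host_if_urlish(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        warnings.append(f"displayed {shown} but goes to {host}")
    return warnings


def audit_email(html):
    """Return [(href, text, warnings)] for every link in an HTML e-mail body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, warnings in audit_email(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {warnings or 'OK'}")
```

Only links whose visible text itself looks like a URL or domain get the mismatch check; a link labelled “WHO guidance” cannot mislead about its domain in the same way, which is exactly why phishers prefer to paste a real-looking URL as the link text.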

Threat #3 – Cyber Blackmail – Cheapest tool hacker has is to lockup data & demand a ransom

  1. Ransomware – usually a byproduct of phishing: one click installs it
  2. It worms its way to other devices on the same network – in home offices, kids’ click habits are the biggest culprit
  3. 3-2-1 backup plan – three copies of your data, on two different kinds of media, with one copy off-site (e.g. iDrive https://www.pcmag.com/reviews/idrive); an offline or versioned copy is what lets you recover without paying

Threat #4 – Game of Knowns – 95% of vulnerabilities are known

  1. Outdated and unpatched operating systems and software (Windows 7 question – Bruce)
  2. No centralized firewall protecting the whole network, not just your own machine (the firewall in your DSL router)
  3. Unprotected WiFi – change the default admin password, use WPA2 or better (WPA3), hide the SSID, restrict access by MAC address (note that SSID hiding and MAC filtering are easily bypassed and only add a little on top of a strong WPA2/WPA3 passphrase)
  4. Unencrypted computers, laptops and mobile devices (turn on BitLocker on Windows, FileVault on macOS) – a lost unencrypted device is a LIABILITY
  5. Wide-open remote access protocols (e.g. Remote Desktop exposed directly to the internet)
  6. Unprotected, wide-open WiFi
  7. SOLUTION: have an IT professional configure all of the above for you – if you are working from home, spend the money to prevent it up front. You can learn all of this, but the devil is in the details.

Threat #5 – Cloud Hacking – We’ve pivoted to cloud computing and ignored the storm of cybercrime

  1. Set up 2-step logins (two-factor authentication) on every account that offers it
  2. Enable a VPN, especially on networks you do not control
  3. Use a password manager like Keeper, Dashlane or LastPass (https://www.pcmag.com/picks/the-best-password-managers)
  4. Dropbox is NOT a secure enough platform for PII or sensitive data
  5. Bad communication – we email, transfer and store sensitive docs in plain sight
  6. Don’t email documents with sensitive info unless they are encrypted: a password-protected PDF or zip archive (choose AES, not the legacy ZipCrypto option) works, and note that TrueCrypt was discontinued in 2014 and should be replaced with VeraCrypt (better still, use the secure portal your financial provider offers instead of email)
  7. Messaging: Signal or Apple Messages (not WhatsApp, Facebook Messenger or plain Android text messages)
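The first item, 2-step logins, usually means a six-digit code from an authenticator app. To show what that code actually is, here is an added example (written for this page, not taken from the webinar or from any vendor) implementing HOTP (RFC 4226) and time-based TOTP (RFC 6238) with nothing but the Python standard library, plus a verifier that tolerates one 30-second step of clock skew. The Base32 secret used in the demo is the RFC’s own published test secret, not a real one. A real login system must also refuse a code that has already been accepted once (replay); that is noted in a comment but not implemented here.

```python
"""Two-factor login codes: HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a 64-bit counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter = number of `step`-second intervals since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current interval or +/- `window` neighbours (clock skew).

    The compare is constant-time and the loop never returns early, so timing does not
    reveal which interval matched. Not shown: a real service must also remember the
    last accepted counter and reject any code at or below it, to stop replay.
    """
    if len(code) != digits or not code.isdigit():
        return False
    now = int(time.time()) if at is None else at
    counter = now // step
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + k, digits), code)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded Base32 (otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), shown in Base32 as an app would.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(secret))
```

The point for the small-business owner: the code is derived from a shared secret and the current time, so a phished code is only good for about a minute, and a phished password alone is worthless. The point for whoever builds the login: without the replay check and a tight window, a shoulder-surfed code is reusable.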

Threat #6 – Stupid Smartphones – The supercomputers in our pockets are a security afterthought

  1. Walk through EVERY Privacy and Security Setting on your smartphone. Period. If you don’t understand the setting, Google it.

Threat #7 – The “Squirrel” After this Class – Action distraction is the primary cause of breach

  1. Even when people have a checklist of what to do, they often don’t take action until after the breach, after the pandemic.

This is a broad outline of a starter course in protecting your virtual office. To customize a virtual webinar like this one to your organization, contact John directly on the number below.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank and an award-winning author, keynote speaker, and expert on technology, cybersecurity and tech/life balance. John specializes in making security engaging so that it sticks. Contact him directly on 303.777.3221

 

 

Coronavirus Cyberscam Alert: Protect Your Digital Health and Safety During a Pandemic.

Hey, this is a bit of a solemn and serious video today. First of all, my heart goes out to all of those communities, families, people that are battling with Coronavirus. Just like our physical health, we have to also pay attention to our digital, or cyber, health, and how we watch out for all of the disinformation that is out there. Listen, cybercriminals will always exploit the headlines. They will always take advantage of our fears and our ignorance, whether it’s for product sales, whether it’s just to make us panic or whatever the motivation. The reason that prompted this, as a dad: my daughter texted me and said, “Hey, there’s a student, I have just seen that a student is being pulled out of class, out of their dorm by people in hazmat suits.”

Well, of course, that was a social media post. It made its way all the way around the campus and was absolutely false. So I want to just let you know some of the schemes and scams that we have seen, make you aware of them so that you’re listening and that you act differently. First of all, there is just massive disinformation out there right now. There are hoaxes, there are rumors, and you need to be extra skeptical at the moment. One example: there are government advisories out there that aren’t actually being issued by governments. They are false, they are fake; for whatever reason, people are putting those out there. There are bogus home remedies for how you can solve the Coronavirus, for which there’s no vaccine yet and probably won’t be for 12 to 18 months. Of course, there are home remedies like washing your hands that are legitimate.

There are products meant to defraud you: pills that you can buy, masks that don’t actually work. You have to be really careful that what you’re buying is actually legitimate. And on top of that, there’s price gouging. So masks that are going for hundreds of dollars on Amazon that you probably don’t actually need, hand sanitizer that has run out at your local store. Think before you spend all of the money on this, because there are many other answers. There are a ton of fraudulent emails that scam you into clicking on Covid-19 type alerts: an alert in your hometown from your school system, a remote work policy from your work. It may not actually be your work. We have seen false test results, Covid test results. Of course, you probably haven’t been tested, but you’re tempted to click on those links. We’ve seen a bunch of videos, social media, blog posts, fake articles that spread disinformation, a lot of it about voting and the voting that we’re going through right now and polling places, politics, and so forth.

So watch all of that. This is essentially the weaponization of information. It happens all the time. It happens in the corporate world, it happens in the government, and now it’s happening around the health system because it’s in the news. So just like good hygiene, physical hygiene, washing your hands, there are cyber hygiene tips that will help you protect yourself. Number one, if you don’t recognize an email or a text, if you weren’t expecting it, don’t click on it. Don’t respond to it. It’s probably not legitimate. If you can’t verify that it’s from your work, from your kid’s school, from the government, do not believe it until you verify it. Same advice for social media. Articles, videos. Don’t believe it until you verify with a source that you trust, that you go to over and over again. Do that before you take the action that they’re talking about, because most of these right now are not legitimate.

So sources like the CDC, the World Health Organization, your local news if you trust it, or the paper that you trust. Finally, if you have questions, ask an expert. Don’t count on what you see in the media necessarily, what you see on the internet, especially on the internet, as being totally legitimate until you verify. The point is, just like with cybercrime, those who think before they react with this Covid, and vice versa, those who think about their digital settings and what they’re doing online and in email and text and on those devices, those are the ones who prepare in advance, that avoid the worst outcomes. Listen, thanks so much. Sorry it’s such a serious topic, but it’s really important that you protect both your physical health and your digital health. Thanks so much and stay safe.

Telemedicine: Are Virtual Doctor Visits a Cyber & Privacy Risk?

The Trump administration has relaxed privacy requirements for telemedicine, or virtual doctor visits: medical staff treating patients over the phone and using video apps such as FaceTime, Zoom, Skype and Google Hangouts. The move raises the chances that hackers will be able to access patients’ highly sensitive medical data, using it, for example, to blackmail a patient into paying a ransom to keep the personal health information (PHI) private.

This relaxation of privacy regulations for telemedicine is necessary, as treating coronavirus patients in quick, safe, virtual ways is a more critical short-term priority than protecting the data. That may sound contradictory coming from the keyboard of a cybersecurity expert, and that reaction exposes a misconception about how security works.

Security is not about eliminating all risk, because there is no such thing. Security is about prioritizing risk and controlling the most important operations first. Diagnosing and treating patients affected by Covid-19 is a higher priority than keeping every last transmission private.

Put simply, the life of a patient is more important than the patient’s data. With that in mind, protecting the data during transmission and when recordings are stored on the medical practice’s servers is still important.

  • Doctors should use audio/video services that encrypt the entire session between the patient and the medical office during all telemedicine visits
  • If the doctor’s office keeps a copy of the recording, it should be stored and backed up only on encrypted servers
  • Not all employees of the doctor’s office should have the same level of access to telemedicine recordings; all patient data should be protected with per-user, least-privilege access so that staff see only what their role requires
  • Employees of the doctor’s office should be trained to repel social engineering attacks (mostly by phone and phishing email) aimed at gaining access to telemedicine recordings

Telemedicine and virtual doctor visits are just one way that the government is willing to accept increased risks during the pandemic. Many federal employees are also now working remotely, accessing sensitive data, often on personal computers that haven’t been properly protected by cybersecurity experts. This poses an even greater problem than putting patient data at risk, because nearly every government (and corporate) employee is working remotely for the foreseeable future. I will address those concerns in an upcoming post.

In the meantime, stay safe in all ways possible.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, surveillance economy, cybersecurity and tech/life balance.

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 


Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.”

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify – All data is not created equal. Bring together the key players in your business and identify the specific pieces of data that, if lost or stolen, would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate – Understand your business’ current cybersecurity readiness. During this step, I recommend bringing in an external security firm to conduct a penetration test of your systems. A good pen test will give you a heat map of your greatest weaknesses as well as a prioritized plan of attack for fixing them. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work.

Assign – Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for, like any other risk to your organization.

Measure – Just as with any other business function, cybersecurity needs to be measured. Your security or IT provider should be able to suggest simple metrics (number of blocked connection attempts at your firewall, failed phishing attempts reported by staff, days without a breach, and so on) with which to keep a pulse on your data defense.

Repeat – Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security annually, during your slowest season. Strong cybersecurity thrives in the details, and the details in this realm change every year.
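One way to produce the “blocked attempts” metric from the Measure step without buying anything: parse the firewall’s own drop log. The script below is an added example written for this article, not something from The Sileo Group or from any firewall vendor. The log lines are constructed in the style of Linux netfilter (iptables) kernel logging and describe no real traffic. It counts blocked connections, lists the noisiest sources and most-targeted ports, flags any source that probed several different ports (a scan, which deserves more attention than the same port being hit repeatedly), and includes the “days without a breach” counter.

```python
"""Firewall drop-log metrics for the Measure step."""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample in the style of Linux netfilter (iptables) kernel logging; not real traffic.
SAMPLE_FIREWALL_LOG = """\
Mar 12 09:14:02 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
Mar 12 09:14:03 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=23
Mar 12 09:14:03 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=80
Mar 12 09:14:04 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51237 DPT=443
Mar 12 09:14:04 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51238 DPT=3389
Mar 12 09:14:05 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51239 DPT=8080
Mar 12 09:20:11 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=3389
Mar 12 09:20:12 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=3389
Mar 12 09:20:13 fw kernel: [DROP] IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=3389
Mar 12 09:21:00 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=55000 DPT=443
Mar 12 09:21:05 fw kernel: [ACCEPT] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=55001 DPT=443
Mar 12 09:25:40 fw kernel: [DROP] IN=eth0 OUT= SRC=203.0.113.50 DST=198.51.100.10 PROTO=TCP SPT=61000 DPT=445
"""

# The "[DROP]"/"[ACCEPT]" prefix is the log prefix a rule is assumed to have been given.
LINE_RE = re.compile(
    r"\[(?P<action>DROP|ACCEPT)\] .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse_firewall_log(text):
    """Turn each recognised log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            event = match.groupdict()
            event["dpt"] = int(event["dpt"])
            events.append(event)
    return events


def blocked_metrics(events, scan_threshold=5, top=3):
    """Summarise DROP events: total, noisiest sources, most-targeted ports, suspected scanners."""
    blocked = [e for e in events if e["action"] == "DROP"]
    by_src = Counter(e["src"] for e in blocked)
    by_port = Counter(e["dpt"] for e in blocked)
    ports_by_src = defaultdict(set)
    for e in blocked:
        ports_by_src[e["src"]].add(e["dpt"])
    # A source touching many distinct ports is probing, not retrying one service.
    scanners = sorted(src for src, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {
        "blocked_total": len(blocked),
        "top_sources": by_src.most_common(top),
        "top_ports": by_port.most_common(top),
        "suspected_scanners": scanners,
    }


def days_without_incident(last_incident, today):
    """The 'days without a breach' counter; both arguments are datetime.date values."""
    return (today - last_incident).days


if __name__ == "__main__":
    metrics = blocked_metrics(parse_firewall_log(SAMPLE_FIREWALL_LOG))
    for name, value in metrics.items():
        print(f"{name}: {value}")
    print("days without incident:", days_without_incident(date(2020, 3, 1), date(2020, 3, 12)))
```

Read the output the way the article suggests: the raw total is the trend line to report each month, while the most-targeted port tells you what the attackers think you have exposed (in the sample, Remote Desktop on 3389), which feeds straight back into the Evaluate step.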

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 


About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University.