Episode Transcript
[00:00:00] You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity.
[00:00:11] Get ready for essential strategies and insights.
[00:00:15] Here's your host, Aaron Crow. Hey, welcome to protected all podcast. I'm your host Aaron Crow.
[00:00:24] This time is, this is Cybersecurity Awareness Month, October here in the states, and wanted to do a couple of episodes focusing on that. I know that folks that listen are going to be varying different experience around cybersecurity, but we all need cybersecurity and cybersecurity for work in enterprise and OT and critical infrastructure is different than maybe what you do at home. So being a father, having three kids that use technology, a wife that is not in the cybersecurity space, in laws and parents and grandparents and all that type of stuff, right. It's. I get a lot of questions on how do I, how do I secure my stuff, right? How do I make sure I'm doing things safely? So wanted to really focus on that. So this, this being cybersecurity awareness month, I figured it'd be, be great. So this one is going to just focus on cyber hygiene, covering practical steps to protect yourself in this digital world where we use our technology and for everything from, from phones and email and banking and, and purchasing things online, you name it. Right? So let's, let's dive into that. What, what is cyber hygiene?
[00:01:41] Cyber hygiene, like personal hygiene? Right. It's, it's doing routine things to make sure that you're maintaining health in your cyberspace, right? So maintaining your devices, accounts, passwords, making sure that your, your systems are patched and updated, that you're not using, you know, insecure platforms, whether that be your browser, your phone is updated, your laptop or computer, whether it's a Mac or a Windows or Linux is updated, you know, and those things are constant. Like, you're constantly having to look at those things. Every year, cyber attacks become more and more frequent. You see them in the news. They're more and more sophisticated. And sophisticated does not mean that it's always a nation state or really sophisticated attacker, but the attack itself is getting more sophisticated. Some of that is going to be because AI is going to lead to the complexity and sophistication being increased, whereas the knowledge of the attacker can be less because they can just copy and paste. They can very easily take an attack created by somebody else and pivot that in.
[00:02:59] As they become more and more, you see more and more of them, small mistakes like weak passwords, ignoring software updates, they really open the door to being attacked, being vulnerable, identity theft, financial loss, being locked out of your Twitter account. One of my customers is a celebrity, and right after releasing an album, they had a Twitter. Their Twitter account got hacked and overtaken and they got it back. But the problem is that happens. It happens with everyone. Whether you're a celebrity or you're just a normal person, your account can and will be taken over if you use the same password across all of your devices.
[00:03:45] Passwords are hard, but they're also really easy to manage. You can have password vaults and we'll dive into that as the next kind of topic we're going to talk through. But according to a recent study, human error is involved in 90% of cyber attacks.
[00:04:01] Good cyber hygiene helps reduce those. So most attacks are because of people making mistakes. You click on the phishing email, use the same password at multiple places, you give somebody your account, login and credentials, that kind of thing, right? So all those things are problems and they will impact your.
[00:04:18] Your cyber hygiene.
[00:04:20] So essential cyber hygiene practices use strong and unique passwords.
[00:04:26] That's hard, right? You have to remember it. How am I going to remember a strong and unique password for every device? I've got literally thousands of accounts and passwords from email and all the different things, so it's really hard. What is a strong password? Strong password.
[00:04:48] It's avoid using the same password across different accounts. It's using complex, random characters, it's using uppercase and lowercase, it's numbers, it's special characters. It's making sure it's long, long being relative.
[00:05:05] Every account that you create, there are some password requirements and you have to fit within them. So maybe they can only be a max of 15 characters, or maybe they can be 25.
[00:05:15] It's really hard to remember a 25 character unique password. It's impossible to remember unless you have idetic memory, which I do not. So how do you manage that? And that's using a password manager. There's a lot of free ones out there. I'm not going to name names of them, but go look up search password manager.
[00:05:36] Depending on your platform, Chrome has one built in.
[00:05:41] Even Apple now has a password vault built into their iOS and their macOS.
[00:05:47] But I recommend getting a third party. That way it can transfer between non Apple devices. Even if you are in an Apple ecosystem, it's something that is you have to remember the password to the vault. It is encrypted. You can have multi factor authentication, which we'll also get into next. But these are all things that will help. The thing that people don't think about is some of the passwords, like password to your email.
[00:06:12] If you look at your banking, your Facebook, your, all those things, they all use the fallback method to gain access to those accounts, will have that email. So if somebody gets access to your email, they can reset your password on your banking on all these different things. And they're the ones that are going to respond to that pat, that authentication. So your. Your email password is super critical to maintain control of. The way that you maintain control of those things are a, setting up multi factor, and b, having a unique password and making sure that you lock that down and you're monitoring that. So Google and others do a really good job of you're logging in from a unique or a place we've never seen or a browser we've never seen. Is this really you? And making sure that you're validating those so strong passwords leads to enabling multi factor authentication.
[00:07:10] What is multifactor? A password is something that you know and multi factor that. That is something that you have.
[00:07:18] If you go back to the definition right, it's. It's, you know, I've got a. I don't have it around with me. It's in my bag, but I've got a Yubikey. Yubikey is a physical token that you can. You can have. That you can plug in. It also has NFC that you can use to click. And it is a unique encrypted key that with the password and this key, then I can authenticate that I physically have the thing that I'm supposed to have. So if somebody got my email, for instance, they don't have my key, they would have to have my email and my password and this key. So it's another thing. Like, you see biometrics, a lot of your phone, it's using your face, which I don't love. I actually preferred the fingerprint back in the day, but that's a whole other conversation. So, like my Mac, I have the fingerprint. But again, even biometrics can be. Can be faked with pretty simple capabilities, but it's still better. None of these things are supposed to be perfect. A lot of these things are just supposed to be. Make it a little bit harder, right? So when you get that notification from Google, you're having to put in that thing. You should also get it. So you're saying, hey, what's going on? Making sure you're turning on MFA multi factor authentication on all your important accounts, banking, email, social media like you should have all of those so that if something happens or somebody's trying to get in, they'll be. And guessing a password is not that hard.
[00:08:47] With products out there, it's very easy. And you can put your email in. There's a lot of systems which I'll put some in the link on the show notes that you can put your email in and see if it's been part of a breach. And if it has, then more than likely that password is. And if you use that password anywhere else, then that other account is very easy to be hacked. Because what these hackers do is they, they do the same search and they see your email is used at all these different places and there was an attack at this one. So they grabbed that password and they tried it every place else. They try every bank, they try every email system, all that kind of stuff, right? It's very easy to do.
[00:09:26] Tip three is keeping your software up to date.
[00:09:29] Kind of talked about that in the beginning, but it's super simple. Making sure you're turning on software updates, that you're updating those things very frequently. You're looking to automatically do those things. The key thing I'll show into that is, or talk to is making sure that you have backups.
[00:09:47] Patches are great. They're needed because they, they fix vulnerabilities that were unknown. Like as a software provider, whether it's Mac, Apple, Windows, Linux, or whatever application that you're using. When they find a vulnerability, they release an update. So that update is pushed out. You see it all the time when you update your apps on your phone. Also Windows updates and again, Mac updates as well. But the problem is sometimes they break things. Apple's usually pretty good where very, very infrequently does an Apple update break my phone or cause a blue screen or reboot or issue rebooting. Whereas windows, it happens a lot. I don't want to dive into that, but there's a lot of reasons for that, and that's why Apple controls their ecosystem. So software updates often include patches for security vulnerabilities.
[00:10:42] And then by delaying those updates, you're leaving your devices exposed.
[00:10:48] In the spaces I work in, a lot of times there's really old systems that aren't patched. It's not the only attack vector that you can or only mitigation you can do to fix those things, but it definitely helps. And especially as an end user at home, you got to make sure you're updating your Wifi, your router, your devices that are connected to it. Your tvs and everything has software on it. And making those things can be vulnerabilities that people can pivot into.
[00:11:18] Tip four is be wary of phishing attacks.
[00:11:22] Phishing is when attackers trick you to give personal information, passwords, et cetera, and they're pretending to be a legit entity. They may send texts or emails. They may look like they're coming from your, your organization, your spouse, your kid, your boss, the CEO.
[00:11:40] You'll see these texts come across, you'll see emails come across and they look legit and they're getting better and better. Years ago they were really bad English and you could really tell because they didn't look real at all. But now they've gotten more and more sophisticated, so it's hard to see. So the good rule of thumb is if you didn't expect an email from someone or from an organization, don't click the link like I've seen them come in. Hey, you want a $250 gift certificate to Walmart? Just click this link to fill out your registration. I didn't sign up for anything, so why should I be getting this?
[00:12:16] It's not worth it, right? So there's all sorts of ways to prove the validity.
[00:12:22] The biggest piece is as they get more and more sophisticated and more and more realistic looking, you're going to likely. Probability says you'll probably click on one at some point. As soon as you do, you need to make sure that you take actions right. If you do click on things, you need to reach. If it's a corporate asset, you need to make sure that you're reporting that to your, your IT organization, that they can know if it, if it's your personal device, you need to make sure that you get it, you know, scrubbed. You probably need to change passwords. Like if it's malware, they could be monitoring and actually key logging everything. So there's a lot of danger that goes into that once you've clicked on those, those bad links.
[00:13:03] Tip five is securing your home network. A lot of folks don't think about it from an IT perspective or corporate perspective. You know, corporate puts products on your, on your device and the corporate network is secured by firewalls and all that. They've got teams that are monitoring and, but it's your home. A lot of people use the router that came from their provider and they just create a Wi Fi, you know, SSID, and they connect all their devices to it. Especially nowadays with all of these smart devices, from phones to your stinking coffee machine, your tvs your refrigerator, everything is connecting wifi and is Internet of things. And all of those things have vulnerabilities.
[00:13:49] In my home network, I'm probably more extreme than most are willing or able to do.
[00:13:55] I have the router that was provided by my provider, and then I have a firewall behind that so that I don't have access, that has access to nothing on my network. There's a whole nother layer that I control that they have no access to. And then I have multiple wireless networks split up. I have one for my kids, one for me and my wife, one for all ot devices. So I never put a tv on the same network as my devices, for instance.
[00:14:24] And there's a couple of reasons behind that. Some of those is not to do with security. Like the reason I have my kids separate than my, my, mine and my wife's. A lot of reasons.
[00:14:33] It's a way that I can limit Internet access. I can make sure they're restricted, you know, on certain sites. I can also turn off that network at certain times. Their friends come over all the time, so they're giving out that password. Even though I have a guest password, a guest network, there's just a lot of benefits in those things.
[00:14:53] And obviously, why I have a dedicated IoT network is because I don't want all these other devices that are more than likely going to have vulnerabilities that may or may not get patched, ever. I don't want them being able to pivot to my critical assets, like my laptop and my other devices. So having those things segmented reduces the ATT and Ck footprint. They can get into those devices potentially, but they won't be able to get to my, you know, personal information on my laptop or, you know, my network storage and things like that. So make sure you. Basic things that you can do beyond that is just changing the default password. You know, when you get a device from your at and t or T mobile or whomever provides your home Internet service, they came with the default router. It's usually printed on the back of it. Change that.
[00:15:44] Make sure you're using the most, the highest level of encryption that the Wi Fi allows. Usually like the WPA three.
[00:15:52] And then when you're traveling, and traveling doesn't mean on a plane, it just means when you're out and about.
[00:15:59] Don't connect to the Wi Fi any place if you don't need to. If you do need to make sure that you have a VPN.
[00:16:06] A VPN will help segment, kind of like I was just talking about our home network. It'll segment your device so that people can't get to it locally. So if you think about it, when you join that Wi Fi, you're on the same network with whomever else on that free network, which could be, you know, the pastor of the local church. It could also be the hacker that's taken a cybersecurity course and wants to see who. What they can do with the devices that pop up on the network. And they could own you. Right. So make sure you're really careful when you're out and about and connecting to hotel wifis or Starbucks or McDonald's or any of those types of things. Only connect when you actually need to. Like, I just got back from. From Canada and my Internet service, because it's a us plan. I have a very limited amount of data that I can use over, you know, in another country. So I was definitely connecting to Wi Fi, but I was making sure to connect with a VPN so that my data or my device was. Was secure.
[00:17:06] Okay, so what are some good tools that can help you, you know, maintain good cyber hygiene? I talked about a few of those, but password managers is one of those lastpass keeper bit warden.
[00:17:23] Apple even has one built in. Those things store your passwords. They can generate law passwords for you. So when I. When I have a new. I've got a plugin on my chrome browser for. I use keeper. When. When I log into a website or I'm creating a new account, it. It creates the password for me and it stores it. So it's completely unique. I've never used it anywhere else. I can say the complexity that I want to be. I want it to be 25 characters long. I want to use, you know, uppercase, lowercase numbers and special characters again using whatever credential or whatever requirements the website or the site that I'm trying to do, this has. And then I don't have to remember multiple websites or multiple passwords. I can keep everything in one secure location. I've got it on my phone, so I've got the app here. The. The actual database of. With all my passwords is stored in the cloud, but I have the encryption or the decryption key, so it is encrypted and I have to provide those things. The thing to remember with that is if you lose it, they have no. No one has access to your vault, right? So you lose the key, there's no getting it. You're throwing away, and you're creating all new passwords for everything. So it's really important. I even have a keeper plan. That is a family plan. So all of my kids have their own keeper account, so all of their accounts and their email passwords and all the things for their, their credentials are stored there and I can share them. Things like Netflix and whatever other, you know, common things that we need to share. I'm not sending them in a text and raw text. I'm not sending them an email. I'm not writing down the password. I can share that with them. They open it and I can restrict how frequently they have it, or I can put it in their profile so they can see it every time they open the app. That's another way that you can share it inside and outside without having to send the password, clear text. And that's a struggle that a lot of folks have. And they don't think about how do I share credentials if I need somebody to log into something?
[00:19:28] Which really, you need to be careful, like, never share your credentials for your email, your banking, that kind of thing, you should always create an additional account for your spouse, your significant others, et cetera, instead of sharing the same account for critical systems like that, email, banking, that kind of thing. Netflix is Netflix, right? So that's completely up to you, how you want to do it. There's not a whole lot of risk there, other than just somebody having access to your Netflix account, which you can always get changed.
[00:20:00] The next is going to be antivirus and anti malware.
[00:20:04] Even the most careful users can, can get malware on your device without any knowledge of you. Downloading an application, installing something, clicking on something.
[00:20:16] Things happen, right? So having virus software on your device is super important and it's not super expensive. Like I've got, again, I've got a family plan of the product that I use, and it goes on every computer that we have, everybody's phone.
[00:20:34] It provides a VPN service. Like it's, you know, a couple hundred dollars a year to provide that for my family of five to have all of that access. So it's super important and valuable, but it's not a. It's not a silver bullet, it's not going to protect you from everything. It's not invincible, but it is, it is a. It is another protection in depth that you can help provide, I mentioned earlier. But to double down on it, another tool would be backups. Make sure that you're regularly backing up your devices, your photos, your applications, your documents.
[00:21:10] All those things can be lost if malware hits your device and they encrypt your device and you can't get it and you're not willing to pay their ransom, then you're going to lose access to your system. You can rebuild it from scratch, but you lose all of your data. Whereas if you have a backup, you're not, you don't have to pay the ransom because you. Maybe you lose a day's worth of data, like whenever the last time you took your backup. Worst case scenario, let's say that you do a full backup every week.
[00:21:38] You. You lose a week's worth of data. So be it, right? It's better than losing everything.
[00:21:44] So think about it like, back in the day, you had physical pictures. You wanted to make sure you kept some of those in a. In a safe for something. If your house burns down, this is, this is that.
[00:21:56] The other one is. It's going to be the privacy settings on your social media.
[00:22:02] And I'm not a good example for this because I have a very public social media presence intentionally, but my kids and my wife have private ones. Review your privacy settings on your social media accounts and make sure that you limit the amount of personal information that you share publicly.
[00:22:20] You see this a lot. Bad actors will watch your social media as you're getting on a plane. Hey, we're going to Florida, we're going to Hawaii, wherever. And they know you're not home. So many will use that as an opportunity to break into your house, to steal your car to whatever that may be. Right? So just think about that as you share things and post things. I have friends that they don't post where they're going until they get back. And then they're like, hey, we just went to Hawaii, right? And they do it when they're back. So that way they're not actually sharing their. The fact that there's nobody home at their, at their, at their place.
[00:22:59] Next is kind of the future of cyber hygiene. Not exactly future because a lot of it is here, but as, as we see in the future, more and more things. The rise of the Internet of Things. What is the Internet of Things? It's. It's the devices that have an IP address that can get on the Internet, right? Again, I talked about it before. Everything from your toaster oven to your microwave to your refrigerator, your tv, your Wi Fi, your cameras, you know, your smart thermostats, everything is now connected, right? All of those things being connected are potential vulnerability, right? So keeping those things updated as you can. Many of them don't update very frequently because, you know, maybe they don't care about them. Maybe they're from China, whatever that may be, but definitely work on segmenting those things on a separate network.
[00:23:51] AI and automation in cyber hygiene, AI based security tools are becoming more popular.
[00:23:58] They can help detect anomalies, automate updates, other things that you can do. I'm not exactly sure how beneficial that is in a, in your personal world, just because it's a stretch. AI still just not there. But the future, I see AI kind of stepping in to kind of help monitor those types of things. I envision a place where everybody has a firewall in their home. If you don't have a firewall, I highly recommend looking at one. They're not super complex or super expensive, and they get you a lot of benefit. And if you're just depending on the router that came with your home Internet service, you're putting yourself at risk, because those are the same routers that everybody with that provider has. They're probably at the same thing. And many people haven't changed their password. There may be back doors to get in. Like, there's just too many things that you can't control in those. And it's, again, it's not a super expensive mitigation to add in a firewall, a different router, different Wi Fi, etcetera. Right? So my network, I've got multiple access points, I've got a firewall, and all that is controlled by me. It's not, my Internet provider has no access to it. The router that your, your Internet provider acts provides you, they have access to it. So they can see. Should they be looking at your data, should they be pivoting? No, but they have access. And I don't like anybody having access to my environment. So all in all that, just to recap, you know, talking about the COVID we covered the basics of cyber hygiene. Using strong passwords, using MFA, updating your software, staying vigilant about emails and texts that come in, phishing attacks that come in. These small habits make a huge difference. The other thing is to teach your kids this, teach your wife this, you know, have these conversations, give examples. Like, these are things that we don't naturally understand. So as a kid, I may be, you know, I may see an email come in and just, oh, well, that's cool. Let me click on it. Right? Teaching your kids this is a good thing because maybe you're the best at it and you've never clicked on phishing email in your life, but your kids are connected to the same network that you are at home. If they click on it, then they are now the vulnerability in your environment. So their device is now rooted, it has malware, and now they're in the bad actors are in your network, and you didn't know about it, right? The kid didn't recognize that they did anything. And now your environment is impacted, right?
[00:26:24] So my challenge to everyone today is take one step, whether it's updating your password, implementing a password vault enabling MFA, specifically on your most critical assets like banking, email, that type of social media, and then also review your privacy settings on those platforms as well.
[00:26:44] Definitely share this episode if you think friends and family would benefit from some cyber hygiene knowledge. And next week we'll dive into another topic around maybe phishing scams or something else. Not exactly sure yet.
[00:26:58] Anyways, thank you for tuning in. Make sure that you follow protected all podcasts on social media.
[00:27:06] Make sure you subscribe and like and definitely look forward to reviews. Definitely read all those. Thankful for all of those. So thank you all for everyone. If you have any questions, definitely submit your cybersecurity questions. I can address them in future episodes. And if you'd like to be focused and spotlight on an episode, shoot me an email info otectedall co and love to have you guys come out on the podcast. Thanks a lot and until next time, thanks for joining us on protect it all, where we explore the crossroads of it and OT cybersecurity.
[00:27:41] Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
