Social engineering has become so creative and clever in the ways scammers try to infiltrate your world, and AI and deepfakes are only going to make things worse. Over the past 30 years, the fight against viruses and malware has only escalated, with no end in sight. Today's guest is Roger Grimes. Roger is a Data-Driven Defense Evangelist for KnowBe4. He is a 34-year computer security expert and the author of 14 books and over 1,300 articles on computer security.
- [1:06] – Roger shares his background and his drive to continue writing in the field of computer security.
- [3:17] – In his career as an accountant, Roger found himself more interested in the computer side of things.
- [7:45] – Things have gotten worse every year. Ransomware has attacked hospitals and law enforcement in addition to personal devices.
- [10:21] – In many cases, older devices are very hard to replace.
- [11:44] – Most employees of a company don’t know how devices work when it comes to security and things go without updates and patches.
- [15:10] – Some companies are getting better about making sure products are set to auto-patch.
- [16:20] – Social engineering is involved in about 70-90% of all successful hacks.
- [17:23] – Compromised credentials are another common way hackers are easily able to gain access to accounts.
- [19:38] – Social engineering is all about getting you to perform an action that is harmful to yourself or your organization.
- [19:50] – Three qualities to look for: unexpected, asking you to do something you’ve never done before, asking you to do something harmful.
- [21:12] – If something has those qualities, slow down before clicking anything within an email.
- [23:26] – Really good scammers will prepare you for the scam.
- [25:06] – It is hard to retrain yourself to think about these things during any communication.
- [27:14] – People shouldn’t get in trouble with their organization for taking precautions.
- [29:47] – Scammers prey on vulnerable populations, including the elderly.
- [32:10] – Always remember that no legitimate organization accepts payments in gift cards.
- [34:10] – The best we can do right now is educate people to help prevent successful scammers. There’s no stopping it.
- [36:04] – Try to use an MFA method that is phishing resistant.
- [38:55] – Roger shares the experience of his fingerprints being stolen.
- [41:20] – Security questions are surprisingly guessable in a lot of situations. Your password might not be guessable, but the security questions aren’t always secure.
- [44:31] – Roger shares some data about patches and what is important to remember.
- [48:31] – Roger sets a time every few months where he sits down and changes every single one of his passwords.
Roger, thank you so much for coming on the podcast today.
I'm so glad to be here.
Can you give myself and the audience a little bit of background about who you are and what you do?
I'm Roger Grimes. I'm the data-driven defense evangelist for KnowBe4. We're the world's leading company in trying to fight social engineering. We do simulated phishing and that sort of stuff. I've been doing computer security—it's hard to believe except for these gray hairs—for 35 years now since 1987, so I've been doing it for a long time.
I just finished my 14th book on computer security. I write one or two articles a week and I have for 25 years, so 1300-1400 computer articles or something like that. I'm very much, in my professional life, all about computer security and trying to stop hackers and malware.
Awesome. Was that a field that you wanted to get in, or was it just your employer telling you, “Hey, we need someone to do this,” and they selected you?
I tell you what, in 1987, I was going to college. I hooked up with the late John McAfee on pre-internet and what was called the FidoNet, and I was disassembling DOS viruses for him. Early on, even in my computer career, I was very much into fighting hackers, malware, and that sort of stuff.
When I went to college, I actually went to college as pre-med, but ended up with an accounting degree. I went to work for an accounting firm and ultimately passed the CPA exam and became an accountant. But I was a horrible accountant. I don't know how I passed the CPA exam. It was the hardest exam I've ever taken in my life.
I don't know how I passed it somewhere. Somewhere there's some guy thinking he should have passed that didn't, and we switched up results, but I really was horrible. When I got to actually working as an accountant, I was just the worst accountant. Let me say, it wasn't like they just gave you a 1040s to do or easy audits.
The stuff they handed me, I'd never even heard about in my life. I was in over my head. They were not giving me any instruction. I was drowning. In nine months, I had not done anything. The partners said they wanted to have a meeting with me the next day. I knew that it wasn't good. I said, “The partners only call you in because you've done something really well, or they're going to fire you.”
The whole next morning, I was really dreading this partner meeting. All of a sudden, the phone rang. One of the partners that was supposed to be in that meeting was on the phone, and he said that he accidentally deleted a computer file that one of the customers needed. There was a $5 million bank loan riding on that file. They can’t get it back.
They'd actually written me up over the nine months many times because I kept doing computers. I would stop doing accounting work and I would do Novell Network work, if you remember back in the days of networking. Anytime there's a computer thing going on, I was just getting into it.
I go to save this file. They celebrate. They literally champagne. I go home with a buzz on my breath. My wife's like, “Why are you drunk?” I was like, “I got a file back today, I was the hero.” I was like, “You know what? I've picked the wrong career. In the accounting world, I can't do anything right. In the computer world, I'm being celebrated.”
I literally went in the next day, gave them my notice, and said, “I'm in the wrong career.” I'm not a very spiritual guy, but they literally fired me. They're like, “You've not done anything for nine months, and you come in here, you give us notice, and you quit on us?” They were actually excited. They were possibly going to maybe let me do computer consulting for them, to come up with, but I went in and quit.
They actually called a security officer that walked me back to my desk, and I had to put my pictures, personal books in there, and everything. The phone rang. It was a lady that worked for a local computer firm that was calling for a reference for a secretary that had left our firm. I somehow made her laugh. She's like, “Hey, can you do computers? Can you teach computers and stuff?” I'm like, “Yeah.” I walked out of that job to another job making more money and never looked back.
That's awesome. It's amazing how things sometimes just work out in the right way.
And the same. Even before I was getting paid, I was doing computer virus consulting for Bank of America. I was fighting hackers. I'd actually read an early book. You can find it on the Internet, maybe, called Flu Shot by Ross Greenberg. He had written this book about fighting malware and fighting hackers. I read that book, and Clifford Stoll's book on honeypots and stuff like that. It just lit my imagination up.
From the very beginning, what I wanted to do was fight hackers and malware. The vast majority of my career has been that, although I've been a network technician, a network manager, VP of IT. I've done everything I think you could do in IT. I was always neglecting those jobs to do computer security, always, even if I was VP of IT.
I ended up in Newsweek magazine in March of 1992 fighting the Michelangelo virus. I remember my boss going, “Hey, you manage our networks here; why are you in the Newsweek for fighting viruses?” Because that's really what I was doing. About 20 years ago, I was able to switch and do it full time and all that stuff, never looked back.
Was this in the day and the age when moonlighting and having a second job was a no-no?
Yeah. I remember my boss looking at me when Newsweek came to take a picture of me and everything. They had all these camera guys and lighting guys holding. She was like, “What the hell is going on? What's that guy doing?” Because I wasn't sharing. I was trying to hide, but there's only so much you can hide at the time.
I remember even telling my wife. I said, “Listen, I'm going to quit being a computer guy and just solely focus on fighting viruses, malware, and all that stuff.” I remember her going, “Are you sure?” Because it's 1992-1993, and it wasn't sure that hacking was going to be this huge thing. As a matter of fact, McAfee's antivirus started to defeat the viruses. We're starting to arrest some hackers.
I remember thinking, “Well, I think there are going to be more computers in the future. Overall, even if there are less hackers and malware, there's going to be more damage. I should do it.” Now I laugh. Me and my wife laugh like I was worried about, would there be enough hackers and malware in the future? Certainly, it was an unneeded worry.
Yeah, definitely the opposite problem now. Way too many hackers, way too many viruses, way too many security incidents.
Yeah. I could have never imagined how bad it would be today. Every year, people ask you, “Do you think it's going to get better or worse next year?” For 35 years, I can only tell you, it's gotten worse every year. You're like, “How can it? Ransomware is taking over entire cities, closing down hospitals, attacking law enforcement. How could it get worse?” I can only tell you that somehow, it does. If there are any signs that we're coming close to resolving the problem, I just don't see them.
It'd be one thing if every computer out there connected to everything was brand new, but I can't tell you how many Windows 95 boxes I've found in closets of companies where someone was told, “I don't know what that machine does, but I was told never to turn it off.”
A lot of times, today, people will go, “Why can't the telephone company stop all of the spam and all of the SMS smishing scams?” We've actually come up with technology that would do a good job in preventing phone-based scams, but something like two-thirds of the telephone industry doesn't have equipment that can actually implement that technology.
I tell people, if you've ever been in a telephone company, you'll find a lot of wood in their computer room. There are things from 80 years ago that are still running and making that telephone company happen. It isn't state of the art like you see in the movies. It's stuff that's been there for a long time. It hasn't broken, and they're not fixing it and not replacing it.
Isn't there anything to replace it with? Or is the replacement just, “Well, we've got this $40 piece of equipment from 80 years ago. We can either replace it with another $40 piece of equipment, but if we want to update it, it's going to cost us a million dollars.”
That's it. Usually, a lot of the time, the manufacturer has gone out of business and that box is still sitting there. I used to work for Microsoft for 10-11 years. This was probably about five years ago, but I actually once troubleshot a customer whose Windows 3.0, Windows 3.11, Windows for Workgroups, wasn't connecting to Server 2016; it just wouldn't work. They had called Microsoft. They're paying a million dollars to get all of these boxes working with the latest stuff.
A lot of times, they have the solution; it works for them. There is either no replacement, or the replacement is super, super expensive, or the old solution is so integrated with everything else that to replace it kills all this other functionality they have with all these other systems.
You're right. That's a pretty common thread in most organizations. Everybody has some old technology that they would love to replace, but it's been integrated for so long, it's very difficult to do.
Let me say, sometimes the ransomware attacks, they're like, “OK, my company's completely down. We have to rebuild everything. Now we finally get the chance to get rid of this old system and rebuild Active Directory like it should have been built 20 years ago,” or whatever it might be.
Or the power goes out, the machine dies, and now we have to replace it because we can't function without it. It's so interesting that there are so many of those legacy systems floating around out there, and television would have you think that everyone has a server room with lots of little flashy lights on it with the latest hardware in it. That's not always the case.
Not only that, but the technology is still sometimes so complicated and not easy to do. If you go to any store, the store owners mostly don't know how the cashing stuff works, the cash registers. They don't know how billing works; they don't know how their website works. They're relying upon consultants, and the consultants go in and out of business. The next thing you know, you have this unpatched cash register that hasn't been patched in eight years.
We put a patch out in Microsoft. Half the people patched within the first month, another 25% would patch in the next year. Depending on the patch, 13%-25% would never patch ever.
You have to remember, Microsoft's had automatic patching turned on for decades. It just happens that people get machines, functionality, and all of a sudden the auto-patching gets turned off to troubleshoot something. If you get to turn it back on, or somebody needs to reboot a box, no one's ever logged into that machine to see that it just needs a reboot.
There's a lot of old stuff out there. It's funny. If you listen on the Internet, and you try to do scans for vulnerabilities and stuff like that, and listen out for what's trying to scan you, there's a lot of stuff like Code Red that's from 2001. That means that websites that got compromised in 2001 not only have not been fixed, but they're still trying to infect other people.
Is the Melissa virus still out there?
Yeah. It's funny. It used to be out there a lot, but we still see remnants of it. It used to be for decades. It came up a lot, but it died. Probably about five years ago, there was a big downturn. The same thing with Code Red and stuff. They used to be huge, and now they're a smaller proportion. It's just amazing that it's still out there. If you're unpatched, you could possibly still be exploited.
When this thing that's 30 years old crawling, that's roaming the Internet 30 years later trying to find that one vulnerable machine.
Technology is tough. You and I are probably among the more technology-savvy people around computers and doing things, but I can't tell you if my cable modem is patched. My cable company is not telling me to patch it. I can't log into it, or I don't have the password to it. I'd have to call them. I'm like, I'm hoping they patch it.
I'm sure they don't.
I have a Wi-Fi router. I own my Wi-Fi router. I patch it once or twice a year. I'm probably saying 99% of people with Wi-Fi routers aren't patching it.
They probably don't even know the admin password to get into it, let alone know that they should be patching it.
I can just see the, what's the IP address, and I'm having to show them how to do an IP config. It's just a laborious process. They're like, “What's the login name?” You're like, “Try admin.”
And then try admin as the password.
Yeah, something like that. It's sad that we don't have technology that doesn't just automatically update every time it's needed. Even with the technology that has it, it still fails 1%-2% of the time, even in the auto-patching.
For some reason, there's a firewall block, or somebody's blocking this, or it just doesn't. You get a corrupted WMIC (Windows Management Instrumentation) Database, and all of a sudden that patch doesn't apply for some reason. Technology is technology. It’s complex and complicated. I wish that technology did more to help users be less involved and self-resolve.
I feel like some companies are getting better about that in terms of, “OK, we're going to make our devices auto-patch,” but they only support them for four or five years. They've decided, “Hey, my product life cycle is five years. I think most units are going to fail within five years.” But there are still a million people out there with a DOCSIS 1.0 cable modem router combination that's 15 years old, and they're not going to replace it until their internet stops working.
That's very right.
So, 35 years in this industry, what are the big lessons that you've learned that are still applicable, or that are now applicable, that people need to be doing?
The way that hackers and malware attack you has not changed over the 35 years. Number one is social engineering. Usually through an email, but it can be through a website or something. Social engineering is involved in about 70%-90% of all successful attacks.
Wow. I didn't realize it was so high.
Huge, yeah. Number two is unpatched software firmware that, according to Mandiant, these days is about 33% of infiltrations involving unpatched software firmware. Over the 35 years I've tracked it, it ranges between 20%-40%. Right now, Mandiant says it's 33%, at least on commercial entities. I assume it's higher in residential, but those two causes.
Social engineering and unpatched software account for almost all of the compromises, I mean 90%-99%. It's been that way since the beginning of computers. You keep expecting it to change, but it doesn't.
There have been some things that have interrupted that, like computer viruses. When they got macro viruses and things in 1995, they came in and had an uptick. But even to get a virus, you have to be socially engineered into accepting it, running the email worm, or whatever it might be until it goes off.
The number three spot changes over time, but these days it's compromised login credentials, and it's the fact that most people have maybe three or four passwords that they share over every website they log into. One of those websites gets compromised, so their credentials get out there and compromised so that hackers can reuse it.
Everybody should try to fight social engineering the best you can. Patch your software and your firmware the best you can. You want to be using phishing-resistant multi-factor authentication to protect valuable data and systems. Use a password manager to create long, complex passwords that are different for every website and service where you can't use multi-factor authentication.
These four things I just said, don't get socially engineered—easier said than done—patch your software and firmware, use phishing-resistant multi-factor authentication when you can, and use a password manager to handle your passwords where you can. If everybody did that, cybercrime would be significantly less.
With respect to social engineering, what are the one or two things that people could do to significantly reduce their chance of being socially engineered or to realize, “Oh, wait. Something's happening here”? If it's 70%-90%, what's the low-hanging fruit that people should be doing?
What you have to understand is most social engineering has two or three things involved. You need to retrain yourself and everybody else's mentality to go, if these three things are present, I need to slow down and research this using an alternative method before I do it.
Social engineering is all about getting you to perform an action that is harmful to yourself or your organization's self-interest. Providing your password, that's about 50% of the cases. If you use phishing-resistant MFA, that doesn't work, or downloading a Trojan horse program, or providing your Social Security number, something like that. They're going to try to get you to run some code or provide some information.
Three factors I tell people to look out for, if you receive a message, no matter how you receive it, whether it's email, SMS, a phone call, in person, if anyone or anything has these three traits, realize that it's a high risk of possibly being a scam.
(1) It arrives unexpectedly. You just weren't expecting it. Maybe it just showed up in your inbox, on your phone, or the phone call came in unexpectedly. (2) It's asking you to do something you've never done before for the receiver. (3) If performing it could harm your self-interest if it's a malicious request.
If it has those three things, it arrives unexpectedly, asking you to do something you've never done before, and could harm you, stop and research outside of that message. Don't click on the link in the email. Call the person directly, call the company directly on a known good phone number, and go to the known good URL.
Literally, most social engineering would be put down. Let me say, it's hard to do. Did it arrive unexpectedly? Is it asking me to do something I haven't done before for the sender? Could it harm me or my company's interest if I perform it? Then you say, “OK, I’ve got to slow down.”
There are, many times, requests from your boss that meet all three. That's just a fact of life, but you need to get in the mentality like, “Oh, let me slow down. This is something different.” Or, “My cable company contacted me and wants me to do something to get a discount.”
I had my cable company call me a couple of weeks ago. They said, “Roger, we're going to upgrade you to a much faster gigabit speed, and you don't have to pay for it. All we need is your login information to start the process.” I went, “I'm not going to give you that.”
I said, “You tell me my PIN number and my password; I'll tell you whether you're right or not, but I'm not going to tell you.” They said, “Well, we can't even get into your account unless we have your PIN number. It's a protection mechanism the cable company has to stop the person on the other end of the phone from getting into an unauthorized account, doing something, which does happen.”
I went, “Can I call the cable company's nationally known phone number and get to you directly?” They said, “No.” They were a call center and said, “You cannot get to us.” I'm like, “Well, I guess I'm not taking the discount, because I'm not giving you my login.” You don't know who someone calling you is. Even though I lost out on my gigabit upgrade speed, I'm not giving my login credentials to some stranger over a phone. Sorry. You’ve just got to say it's high risk, and I'm not going to do it.
The unexpected makes sense, and being asked to do something that you haven't done before for that particular entity makes sense. I understand doing it will cause harm, but to me, that's the one that's the hardest thing for people to discern if it's something that they're totally not familiar with. If someone claims to be calling from my cable company saying, “Hey, we need to reset your modem,” what harm could resetting my modem do?
That's a good point. As a matter of fact, most of the time when I give this speech, I only say two things. Did it arrive unexpectedly, or are they asking you to do something you've never done before? Enough. You could even say, did it arrive unexpectedly?
There are some social engineering scams that do what's called pretexting. They'll try to set you up for the scam. They'll send you another email or a call. The really good scammers will prepare you for the scam. Suppose I'm trying to get you to send money to the wrong bank account.
I've heard of the scams where they'll call or send an email to the accounts payable person and go, “Hey, we just got a new boss here. He's a jerk, and he's bringing his new system in that he used at the last place, and he's upgrading us to his new bank, so I just want to let you know. The next couple of weeks, I'm going to be sending you new bank account information, because this guy thinks he knows what he's doing.”
They don't ask for any money or anything. They've just set the seed, and then they come back in a couple of weeks going, “Hey, here's that account information I told you was coming.” It really is highly likely to be successful, that scam.
I tell people, those pretexting-type scams, the long game where they're setting you up, they're maybe less than 1% of 1% of scams. That's why I tell people, if it's something you haven't done before, it's an unexpected message, then you want to be highly suspicious. You're right. You have the self-interest one.
A lot of times, they have a sense of urgency. You need to do this right away or you're going to miss this discount, or you're going to be penalized, or your boss is going to be mad, or your electricity is going to be shut off. That's maybe another indicator of that sense of urgency, but I'm trying to limit it to one of the basics. Two basics are arrive unexpectedly and asking you something you've never done before.
Let me say, it's really hard to retrain yourself. It's hard for me to retrain myself to think about those two questions. I have successfully retrained myself. I can say, I'm very difficult to scam and phish, because I've retrained my brain. We need to, especially you've got AI and deepfakes coming in. Deepfakes supposedly you can fake this voice that sounds like your boss, a loved one, or whatever.
Number two with AI, the social engineering scams are not only not containing errors and language issues, but I've seen some uses where if you respond back to the scammer going, “Are you sure I'm supposed to pay this fee?” The response they give based upon AI is really realistic sounding. You can no longer be guaranteed to be able to see the normal old legacy clues of misspelling, strange requests. That's why I've limited it.
It's not a strange request, just something you've never done before for the requester. It can even be something you've done for other people. Changing account numbers is something an accounts payable person does time-to-time, but did somebody from Avon or Xerox ask you to do it? Has your boss ever asked you to go out and buy gift cards?
We had that at our company. Our secretary came up to us and said, “Hey, our common boss just asked her to go out and buy a bunch of Starbucks gift cards for speakers.” We were having a conference. “Go out and buy all these gift cards. Do you think this is realistic?”
She said she's in a business meeting all day and I can't contact her. I'm like, “No, no, no, no. That's a scam, that is for sure.” It ended up being a legitimate request. We're like, “Maybe you can help us if some of the requests didn't seem like a scam.”
The last thing we thought is we've been trained so we didn't get in trouble for ignoring the request. People need to understand that you need to teach this to people. If they follow those rules, they shouldn't get in trouble if they're delaying something. They're just hopefully being good citizens and good citizens of the organization and trying to prevent fraud.
What I want my employees to do is question things that seem to be out of the norm, even if it is a delay to the process, because I don't want them to be doing things that are buying gift cards for non-existent employees and reading me the confirmation numbers just so I know that they really bought them.
Another common scam is—I’m around Tampa, Florida, and I'm sure this is a countrywide scam—but I see it a lot on that website that's called Next Door to show you what's in your community. A lot of people get scammed. They'll get calls from someone claiming to be with the local telephone company, Tampa Electric, or something.
They'll say, “Your payment for the electricity bill didn't pass, and I want you to go to Walmart and get gift cards,” or something like that. I'm like, “Who would possibly fall for this scam?” First of all, they wouldn't be doing it if it wasn't successful. If the scammers weren't making money, they wouldn't do it.
I did a survey. About 10% of people were falling for the scam. What I was surprised about was it was doctors, lawyers, police people. I got to ask him, “Why did you do it?” All of them felt like it was a strange request. One guy said, “Well, I was going to pick up my mother. She just got out of cancer treatment, and I didn't want electricity to be off in my home. She's convalescing with us.”
Another person said, “My husband's always sending out the checks late, and I figured he'd already done it.” Each person in that 10% had this valid reason. I thought, “Oh, these hackers or these phishers are preying upon circumstances.”
What's another scam? This happens to old people all the time. They'll get a call saying, “Your grandson or granddaughter has been in an accident and they don't want to call mom and dad. Send money,” and stuff like that. They're preying upon the elderly that have that relationship, where they think that the grandkid may need bailing out, and they're reaching out to help that kid. “That kid never calls me for help. It's my chance to show him how much I love them.”
Any scammer that scams an elderly person, after we arrest them, an elderly person should be able to bop them on the nose once, a cruel and unusual punishment. We should have the extra incentive.
Or they should have to listen to 20 hours of the same story over and over and over. It surprises me that people do fall for the gift cards things, but I've heard the same thing that about 99% of the time, the person would have gone, “Well, that's stupid. I'm not going to do that.”
It was just that one situation where it's like, “I don't have time to deal with this. I'm running out of town. I've got to do this,” and it's just that urgency to do something else. It just seems small as my electric bill, yet there's a huge consequence if you don't do it, and the inconvenience of what they're asking for is just, fine, I just need to move on and do something else.
They're just trying to make a problem go away, I think. It's just that they just hit the person at the right circumstance. They're tired, they're emotional, they're in a hurry. It just unclicks all the things in our brain that would make us say no.
The scams, when they call, they say, “We're from Microsoft. We've detected a virus. We're going to help you.” I'm like, “Well, I work for Microsoft. I love Microsoft, but good luck finding the telephone number you would call to get help with the virus.”
If you found that number on the Internet, and you had $250 in your pocket, I still don't think Microsoft would help you. That's the reality. But if you don't know that, then you just think Microsoft is this big computer organization, and maybe they were smart enough to find a virus on my Mac.
That's why we even call the training, the security awareness training where we're trying to help you fight social engineering. I've seen very smart people—doctors, lawyers, Nobel Prize physics winners—be compromised. It was almost always because they didn't know that that was a scam.
They didn't know that, “Hey, if you're selling something, I can send you a check, but that check is bad, and the bank will still cash it, and then you're responsible for that.” If they don't hear about it, if they're not aware of it. Once you've been made aware that the electricity company will never call and ask you to go get gift cards, you're far less likely to fall for that scam.
No one accepts payment in gift cards except if you're getting a Target gift card, only Target's going to accept that gift card. No one else is going to accept a Target gift card as payment.
I think, again, really, the only way to defeat it is to have a default healthy level of skepticism, especially if they're offering you something grand. It can be tricky. A lot of people don't know if they go on Craigslist to sell something, that more than likely the first person responding to you is a scammer.
I was on Facebook today, and some old high school roommate reached out to me and wanted to be my friend. I was surprised, but I said yes. I was like, “Hey, long time no see, blah-blah-blah.” Then he started hitting me up for some big scam. “Oh, you're a scammer. I need to tell everybody her account is compromised.”
It was amazing. The scam was, oh, it's this new rebate thing where seniors get $100,000, or retired army people could get this program and get $100,000. Because I'm aware of it, I knew it was a scam. But I thought, again, the scammers wouldn't do it if it wasn't successful at some percentage of the population. That's why you need to tell people. Give them the general idea, let them know about the different types of scams.
I have people go, “Oh, one day we're going to defeat phishing and social engineering. We're going to get the right technical defenses. We'll have antivirus systems that block everything.” I've been waiting for that for 35 years, and it doesn't seem we're any closer. It seems like whatever defense we come up with, the attackers just move and pivot around.
I don't think we're ever going to stop them. It's like trying to say you're going to stop all crime. I think you can stop crime in certain areas and stuff, but I think the best you can do is reduce crime and make people aware of crime.
Today, hopefully most people lock their car doors at night. That's the best you can do. The idea that you think we're going to be able to buy the software or hardware that stops all this stuff, nope. I think we're always going to have to be educated about how to recognize what it looks like and then how to stop it.
I think it's about implementing reasonable security features. You're talking about enabling multi-factor authentication. Sure, SMS authentication is not the best second-factor authentication out there. I don't think anyone's going to argue that it's technically the best. But if you implement it, that account is 90% less likely to be compromised. Sure, it'd be nice if it was 99% less compromised, but if we could reduce 90% of account takeovers, that would be awesome.
I wrote a book called Hacking Multifactor Authentication; it's one of my best selling books. You can hack any MFA. You can hack anything. But using any MFA probably gets rid of 50% of phishing attacks, because 50% of phishing attacks are, “Give me your password.” If you can say, “I'm sorry, I don't have a password,” that attack is not going to work.
I will say that my big caveat is if you can try to use phishing-resistant MFA. Most MFAs are not phishing-resistant. If you get MFA that sends you the six-digit code, like Microsoft Authenticator, Google Authenticator, or you get push-based authentication where it's like, “Say yes,” those are very phishable.
I tell people, “If you have the chance, if you can make the decision—and SMS is very phishable—try to use an MFA option that is phishing-resistant like FIDO—if you've ever heard of FIDO—smart cards, or something like that.” Those are phishing-resistant.
To move from passwords to MFA of any type requires change. It requires cost. It requires training and teaching somebody how to do something different. I say to move from just regular MFA to phishing-resistant MFA really takes the same amount of effort and resources.
If you can get to the phishing-resistant stuff, but as the hackers pivot from asking for your password, they now pivot and say they ask for your MFA code. It's actually included in the phishing kits now to ask for your SMS code, your six-digit code, or whatever. If you can get the phishing-resistant MFA, that just cuts off another big swath of avenue that they can't use.
Unfortunately, most of the MFA today is phishable. Again, if you get a six-digit code or any code on your phone, if you get a push-based MFA, which is, “Hey, are you sure you want to approve,” or you get SMS-based codes, they're all very phishable. You can use it if you want, but I say try to get to the stuff that's more phishing-resistant like FIDO, if you can. That's really where we all need to be going.
Palm scans, eye retinal scans to get in your front door.
I actually give talks on biometrics all the time. Most biometrics are not nearly as accurate as they say, and you can actually phish them. You can actually phish somebody out of their retina scan, their fingerprint, or whatever. The thing is most biometrics or device authentication, like Hello, doesn't get you into an application per se on the Internet. It doesn't get you into your bank or whatever.
Most biometrics, even though they're phishable, they're used as device authentication, which is more resilient to phishing attacks. Phishing attacks work better when it's application-based. “Oh, I need you to pick up this email. I need you to log into LinkedIn.” If one day you use biometrics to protect your LinkedIn account or something, it actually is fairly phishable.
Good to know. At some point, they're going to start replacing the cameras on the ATMs with how they do overlays on the keypads, the card slots. They're going to start doing overlays on the cameras to get the biometrics from us.
It's interesting. My fingerprints were stolen along with 5.5 million other Americans in 2015. It was a Chinese advanced persistent attack threat against the Office of Personnel Management of the United States. They stole everybody's fingerprints up to 2015 that had ever applied for a national security clearance, whether you got passed or not.
My fingerprints were taken because I had applied and got a clearance when I was working for Microsoft 15 years ago. My wife had submitted fingerprints while she worked at a shipyard when she was 15 back in the 1980s, and her fingerprints got stolen.
Again, what do you do in today's remote world when all 10 of your fingerprints—is there any application that relies upon my fingerprints, that can trust that it's really me if it's single-factor, like you go to your phone, put your fingerprint? I tell people, “If you do biometrics, we should always make it two-factor and that there has to be a personal knowledge base question.”
One of the downsides of biometrics is they're not secrets most of the time. Once stolen, what are you going to do? Your Al Capone fingerprints changed? I need my fingerprints changed or something. If you're using biometrics, if you really care about security, always put it with a second knowledge base factor.
And one where they don't store the question.
What was the name of the street that you grew up on? What was your elementary school's name?
I’ve got to tell you, I'm still shocked when they're like, “What's your father's middle name? What's your mother's maiden name?” I’m like, “How is this still allowed?” Anybody with a genealogy program is going to be able to get this information.
Even in a genealogy program, you go on Facebook and there's mom. OK.
They're like, “What's your favorite veterinarian?” I always love some of the questions. “What's your favorite veterinarian?” I'm like, “Well, I didn't know people had a favorite, but it's probably going to be the vet within five miles of them.”
What's your favorite car? There are only a hundred car models ever. They come in and out of existence slowly, but they stay around for a long time. Chris, I can't guess your password at all, but if you gave me 10-20 guesses on your favorite car, I probably could figure that out.
People like Mustang, Ferrari, or something. They're not saying AMC Pacer or Gremlin. There's no way I can guess your password, but there are only a hundred cars. Corvette. I'm going to guess that maybe somebody goes F-150 or something. When you give me time, I'm going to guess it.
The same things with your first pet's name. Everybody reminisces at some point on social media about their favorite pet or their dog. It's super, super easy to figure that out.
Google did a study on these personal knowledge questions and said a hacker could guess the right answer half the time on some of the questions. It was something like 40% of the time, the real people couldn't remember the real answers. I was like, I think that means the hacker has a 10% chance of guessing your answer. It was like 16% of the time, the person's answer was in their public social media profile.
One of them I remember was, “What was your high school mascot?” That's a public record. You can look up my high school and then google the mascot. Sometimes you're shaking your head.
Apple put out an update just recently. If you got an Apple phone, you just got an update, and there is a feature that they enabled by default that somebody can come up to your iPhone, holding their iPhone, and get contact information. They enabled it by default. You're like, “What?” There are a thousand vulnerabilities that have been closed by patches based upon the vendor allowing a privacy invasion by default.
People are like, “Well, it doesn't share all your contacts. It just allows them to update their contact or your contact list.” If you had any shareable contacts, they could download them. I was like, but all those vulnerabilities started with a person thinking, “Well, there's no way this could be a […].” Literally, the history of computers has been abusing people that gave over permissive default permissions.
What's the minimum amount of access anyone ever needs? That should be the only thing they ever get.
Was it a first-year high school intern that was able to select that that feature was turned on by default? You should have to perform at least one action before I then share my contacts to allow you to inject your contact in my phone. It's enough.
Allow me to approve the transaction. It requires an approval on that transaction.
Before we wrap up, we talked about social engineering, we've beat to death MFA, third-factor authentication, and all those things. Under patching, what is the low-hanging fruit on patching that people should be doing?
The reality is that over 35 years, only 2%-4% of announced vulnerabilities have ever been used to hack anyone. The other 96%-98% are only research projects. The reality is you don't need to patch everything, you only need to patch the 2%-4% of vulnerabilities.
Last year, 25,000 vulnerabilities were announced. You only need to patch the 2%-4% that were actually used by a real-world hacker to attack a real-world target. You're like, “Well, that's great, Roger. You got a list of those?” I don’t. CISA does.
The Cybersecurity Infrastructure Security Agency, cisa.gov, led by the wonderful Jen Easterly, has a list called the Known Exploited Vulnerability Catalog. You can subscribe to that, and they'll send you a list every week or twice a week of “they're now exploiting this.”
Let me say, most of the time, I don't recognize the stuff on the list. There's a lot of firmware and third-party stuff that I just don't know where it is. Sometimes I'll see a Windows exploit, an Apple exploit, a Google exploit, or something. The nice thing is, I tell people, if you see software or firmware that you have on that list, get it patched. If it's not on that list, the reality is you don't need to patch it. That is the low-hanging fruit, the CISA's Known Exploited Vulnerability Catalog List.
Should that be like, you run a small- or medium-sized business, and you subscribe to this? I'll throw out a router. If you have a D-Link router, and they probably don't make them for that category, but let's say they have it. Anytime that you see that there's a D-Link patch, you just go out and check patches. You don't look for the specific router, or do you actually look for the specific device that might be? What's the router model number of the one in my closet? I don't know, but I know the brand.
I think it might be easier to say patch everything or turn on auto-patching. When you start worrying about version numbers and stuff, you just patch it. If it says D-Link anything, I'm just going to go patch my D-Link. If it's just got a name, close. If it's a C-Link, that reminds me that I need to check my D-Link patches.
That's almost a reasonable way to do it. That's my reminder to check and see if there actually is a patch available. I guess if you're a residential person, every time you change the batteries on your smoke detector, patch everything in your life.
Yeah. I update all my passwords once a year. I've had my password compromised 15 times. If I go to Troy Hunt's haveibeenpwned.com, 15 times my password has been compromised, never because I got socially engineered out of it, but because Facebook had a problem, Instagram had a problem, adobe.com had a problem. My doctor's medical office where they stored my x-rays got compromised. When I bought software from some software company, they got compromised.
If you have a common-type password or a password pattern, the hackers are going to learn that. The hackers have access to something like 45 billion login names and passwords today. If you've been on the Internet more than five years, probably one of your passwords is in there. I make a point to change all my passwords once a year.
I literally pick a day once a year. I have to know my calendar and I go, I'm just going to go change my passwords. It's a terrible day. It will either be a day, or it takes two or three days, but I just get it done because we're in this really weird world where if you want to truly protect your bank account and that sort of stuff, you just need to do it.
I've done that. It's an absolutely horrible day of your life.
There are lots of stuff I don't want to do that I’ve got to do, and that's just one of them. I have people that tell me that their Amazon account got compromised and they hadn't changed their password in 15 years. Before I point a finger, I'm like, “Have I changed my Amazon account password?” I used to be that guy, and I'm trying to be less like that guy.
Take steps where we can. If you only have time to change five passwords, change the five most critical passwords in your life. Start with your email, that should be number one.
Again, password managers. Password managers create long, complex. If you create a password out of your head, I have friends that have machines, and if they get ahold of your password hash, can guess it up to 18 characters every time.
It usually takes them a day to a couple of days but not long. A 12-character fully random password that's truly random, unguessable, as far as you know, by any known technology today. Let a password manager do it. They create 20-character, randomized garbage.
Let me say, the first time I used a password manager, which is all the time, probably about five years ago and I hated it for three days. My life was terrible trying to learn how to do it, but now it's actually easy.
I don't even think about it.
The only password I have to remember is to get into my laptop, which now I use Windows Hello with some type of pen or something. After that, I have to log into my password manager once, and you can even use multi-factor authentication for that. After that, my password manager is just click, click, click, click, click, click. My life is so much easier. If someone tries to socially engineer me out of my password, they can't because I don't know it.
Exactly. No amount of coercion will get a password out of me that I don't know. If you're building a system that accepts passwords, please make sure that you allow long passwords, and you don't put weird restrictions on what can and can't be in the passwords.
Yeah. Sometimes it's got a wall of shame. I used to keep one, but there were some password sites that would only allow me six characters or nine characters and stuff like that. It's too bad we don't have a universally agreed-upon on what's acceptable. That would help us out.
If you watch Troy Hunt's, I guess it's no longer Twitter feed but his X feed, he periodically posts screenshots of banking institutions where it's like, “Oh, sorry. Your password must be 12 characters or less, lowercase and numeric only.” Gee, that's not going to be guessable pretty darn quick. Then I spend more time with the password manager telling the password manager what it can and can't do to create a password.
Yeah, and I used to think I was smart before password managers. I would have a root password. Let's say it was frog. I'd say frog32tw for Twitter, frog32fb for Facebook, frog32am for Amazon. I thought I was just brilliant. Different, unique passwords for every website. But then I realized on Troy Hunt's website, “Wow, all those passwords are what the hackers have. They're going to see the pattern. They'll see, oh, it's frog32, I'm going to go try Roger's Bank of America password.”
BA. “Hey, I got in.”
I learned that you need to have truly random different passwords for every site and service. Nobody wants to do that. Use a password manager instead.
Yep. Roger, if people want to find you online, where can they find you?
LinkedIn, [email protected]. I write one or two articles a week. I try to write things that are different and unique. You're not going to find me writing about AI and how AI is going to take over the world. I'm usually writing more useful articles, contrarian articles, and very actionable advice that you can use right away articles.
I love that. We'll make sure to link to your LinkedIn account in the show notes so people can find you easily. If people don't want to have to remember how to spell your name, we'll solve it for them.
Roger, thank you so much for coming on the podcast today.
Chris, thank you. Thanks everybody else for tuning in.