Staying safe online requires you to be an active participant. You need to do your own research and not rely entirely on other people’s tools, some of which are intended to actually take advantage of you. Today’s guest is Patrick McNamara. Patrick holds a bachelor’s degree in cybersecurity from University of Maryland Global along with multiple certifications. He operates the cyber awareness site DIYSecurityTips.com and is currently a cybersecurity engineer for a software company.“Literally anything can be breached.” - Patrick McNamara Click To Tweet
- [0:52] – Patrick shares his background and current role in cybersecurity.
- [3:09] – Chris and Patrick discuss the changes in cybersecurity in education in just a few years.
- [7:18] – When it comes to working in the industry, there are a lot of misunderstandings and inflexible definitions of what cybersecurity is.
- [9:35] – Volunteer as much as you can.
- [10:48] – A great place to start for your own online security is with passwords.
- [13:17] – Literally anything can be breached. A password manager can at least mitigate risk.
- [15:40] – Is it safe to connect to public wifi?
- [17:56] – Using your cell phone’s hotspot is a lot safer than using public wifi. VPNs are also fantastic to invest in.
- [20:42] – VPNs that are free could be dangerous as well. How are they making money if they are offering the service for free?
- [21:33] – Pay attention to the developer before downloading any app on your phone or mobile device.
- [23:16] – Check the permissions for the apps you download. For example, a calculator app doesn’t need access to your contacts and pictures.
- [25:01] – Anything that is new and exciting, malware developers will be on it very quickly.
- [27:40] – Understand how crypto works before investing in it.
- [28:52] – Patrick believes that it is possible to be completely anonymous online but there are a lot of very difficult steps to follow to do so.
- [32:13] – Privacy is easier to maintain than anonymity.
- [34:41] – There’s special malware for every type of attack. Patrick shares some scenarios on different types of attacks.
- [35:57] – VPNs cannot protect you from social engineering.
- [37:21] – Some malware is downloaded through files online on a site that was recently breached.
- [39:01] – Chris shares an experience in supply chain crypto mining that happened unintentionally. You never know.
- [40:34] – You should at least know how to back up your data.
- [44:13] – Patrick shares about his website and how to learn more about online safety.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
Patrick, thank you so much for coming on the Easy Prey Podcast today.
It's great to be here. Thank you.
Can you give myself and the audience a little bit of background about who you are and what you do? Your origin story?
My name is Patrick McNamara. I'm a senior cybersecurity engineer for a global software company. I started a degree program in cybersecurity, hoping to have that as a fallback career because I wanted to be a law enforcement officer.
As I was going through my degree, I went through the ethical hacking course. During that course, I made the decision that that's what I wanted to do for a living because it was just so intriguing.
I love to play around with the tools. I also like the ethical background of it, too, because you're playing the hacker, but you're doing it for good. You're doing it with a very strict set of guidelines. There are legal protections. No one gets hurt. It pays pretty well, too, and every day is different.
Once I finished my degree, I worked my way through the ranks. My first IT job was at a naval base. It was an engineering position, which I was not qualified for, but I knew someone. I got plenty of hardware, software, and network troubleshooting experience under my belt. From there, I moved on to security administration for about a year-and-a-half, and then from there into my current position.
Awesome. I'm just curious about how much formal education in cybersecurity. How many years?
I have a four-year bachelor's degree, and then about four months of a graduate degree plus certifications.
Got you. I'll ask some educational background questions, because I know a lot of the listeners are interested in how to get into cybersecurity jobs. Are there a lot more courses now than when you first took them?
Absolutely. When I was going through, it was in 2016, and the only schools that were offering cybersecurity degrees were a handful of online schools, one of them being the one that I went to, and then a few traditional brick-and-mortar schools in the country. It was still a relatively new educational field.
Now, I look back on my degree, the same one I got, and it's different. Some of the courses are the same, but they've added so many new courses. And they're still behind in terms of what I'm seeing today at my current job in the cyber landscape.
In July, I finished my second master's course, and this information is outdated already. Not all of it, but some of it. I got ahead in the course. I had to correct the professor a few times because he was contradicting himself. I had to do an executive summary of a threat assessment. Obviously, you have to dumb it down. You have to speak in simple terms to management, CIOs, and CISOs. That's what I gave him, and it wasn't good enough. It wasn't technical enough.
Regardless, that's really what you need. If you're getting into this field, you need to have a defined goal of what position do you want to see yourself in at the end of that goal, because your education, your training, and your labs, all of that is going to play a huge part, and it's going to be different for each job.
A lot of people waste their time. They'll learn forensics. They'll spend a year learning forensics, but their job might be a GRC role, a penetration testing role, or a cloud engineer role. Forensics is good to know, but there's not a whole lot of overlap. You have to define your goals to not waste your time.
I think your Civil War history classes are not going to change, but the cybersecurity landscape seems to change at a ridiculously fast pace that you can't even have a book published before it's out of date.
Our organizations, I know we talked before we started recording about SANS because of what they do and how they do it. Is the coursework that SANS produces generally more timely?
It does take a while to complete like an individual course. I want to say three to four months, but those courses get updated quite often. The instructors that teach them all have their own security businesses, they're in the industry, and they are teaching. They're teaching students the most current information all in a nice, expensive but high-quality package.
I myself have the GCIH certification and the GSEC. There are things that I learned in those courses that I never knew from any of the other labs or resources I found, so you are definitely going to get your money's worth.
There are options out there. They recently just came out with a tuition payment plan feature, which is beneficial for me, because I want to try to get the Infrastructure Penetration Testing Certification next year. It's expensive. It's several thousand dollars. That will be very helpful. But you don't have to get a GIAC cert to be marketable at all. There are other certifications you can get.
Is it one of those fields that it's hard-to-fill positions, not because you can't find qualified people, but because there just aren't enough people out there?
I would say it's both. There are a lot of places that have very unrealistic hiring expectations. Yes, there is a severe shortage of qualified professionals, but who's determining what a qualified professional is? Is it an entry-level person with five years of experience, and you're going to pay them $70,000 a year? That's ridiculous.
No wonder there are no positions getting filled, because these hiring managers and companies, their guidelines are so strict and they're not flexible, you're missing out on a lot of quality workers out there.
From the companies that you've worked for—we didn't talk about this beforehand, but I'll ask it anyway—do you find that you get a lot of on-the-job training in the sense that, “OK, we have a department goal that we're trying to do this, so everyone needs to figure out how to do it”?
Yes. Oftentimes, it's beneficial to take a lower paying job than what you would prefer, but have the experience and the opportunity to even get into the field.
With my last job, I started out at $85,000 a year, which is low for a senior security administrator at that. But I got so much experience that I would not trade that job for anything because I learned how to document, how to manage incidents, teamwork, conflict resolution, OSINT, threat intel, EDR, XDR, SIEM, all these security tools, and respond to actual incidents. My resume was about two pages long just for that job. I had to trim it down because it was too much.
That's good that there's the ability to get a lot of on-the-job experience and a lot of on-the-job training out there.
Yeah. What I would encourage listeners to do if they're in that position is, if you do end up getting a job like that with not-so-high pay but a good experience, volunteer for as much as you can. Go out there. Be a go-getter. If there's no documentation made for troubleshooting, go write it up. Put screenshots in there, put commands in there. Ask your boss if you can start an incident response team and lead tabletops. There's a lot you can do.
Success is not going to come to you. You need to go the extra mile and put in the extra work, especially during your first job, because you want to be able to move around to different positions, different companies, and stuff.Success is not going to come to you. You need to go the extra mile and put in the extra work, especially during your first job, because you want to be able to move around to different positions, different companies, and stuff.… Click To Tweet
That's awesome. That's great input. Let's change gears a little bit and talk about individual people's privacy, anonymity, and general cybersecurity, best practices for individuals, what they should be doing, and what they should be watching out for.
If you have a home user, what's your advice after your years working in cybersecurity? It would probably keep people up at night if they thought about everything, but where would you start with, “Here's stuff that you should be doing that you're probably not doing”?
A great place to start is with passwords. Everyone has passwords for accounts. Everyone has a cell phone, not everyone has a computer. Depending on what industry you're in, you might have hundreds of accounts. There is no way that you are memorizing all your passwords. If you're memorizing all your passwords, it is a single password, or it's an iteration of that single password.
Nobody ever does that.
Right. And if they're not remembering them, they probably have an unencrypted text file on their computer. To that end, I would recommend a password manager. I personally use 1Password. They're a great password manager.
The way it works is you put in the website, you select a username and a password, and it'll generate a very strong password. You can set the character length. It's probably eight to 24 characters. You can mix it up, you can put symbols, upper or lowercase, numbers. You can access it on your phone, you can access it on your desktop, Mac, Linux, Windows, and Android. That's what I have. It makes your life so much easier.
I've definitely run across a few times where my standard password preference is overqualified. It's like 24 characters, uppercase, lowercase, five symbols, and it's like, “No, no, no. We don't want a password that long,” or, “We can't accept these specific symbols that you've put in your password.” Like, come on.
Yeah. You can put secure notes in there, identities, addresses, anything like that. Anything can be breached. LastPass has been breached six or seven times in the past several years. That's why I switched over from LastPass to 1Password.
You're never really truly safe. But if you can diminish or mitigate some of the risks of a brute-force attack or a password-guessing attack on your account, password manager is the best way to do it. It really is. If you even want to go the extra mile, have a backup password manager in case your original gets compromised. I would say for passwords, that is the best option for you. Don't save passwords in your browsers, because browsers are inherently insecure.Don't save passwords in your browsers, because browsers are inherently insecure. -Patrick McNamara Click To Tweet
Yep, that's a good one. One of the things that I've done is I've made sure my wife knows the master password to my password manager. If I'm ever incapacitated, she has access to the passwords to get into bank accounts, and she has access to get important things. She doesn't have to find an 8×10 folder of 8000 pages long full of passwords that are crossed out and replaced after every six months.
That was my life a while back: a big notepad with my passwords on it.
Yep. I know some people that that's how they do passwords. They have a password book sitting at their desk at home where they write their passwords in. I might joke and tease them about it. But honestly, it's reasonably safe. If your computer gets compromised, they don't have access to the password book sitting on your desk.
If the thief that comes into your house decides to steal your password book, you've got problems. That's just a slightly different issue, but I would rather have someone have a password book sitting on their desk than reusing that same password and adding 1, 2, 3, or 4 after the end of it.
I can't tell you how many people have contacted me about, “Oh, my God. Someone got into my Facebook account. Can you help me get my Facebook account back?” It's like, “OK, before we even address that, are you using the same password anywhere else?” They're like, “Oh, yeah. It's my email password.” “No.” “Oh, it's almost the same as my bank password.” No, don't ever do that.
We've got password management. What addition into password manager should we be dealing with?
I would like to touch on the connecting to public Wi-Fi issue. You go to your Starbucks, you go to your Holiday Inn, and you have free Wi-Fi. Most of the time, there's no authentication. You just have to click a disclaimer saying you're not going to hack anybody, essentially, and then you’ve got free Wi-Fi. If there are bad guys that will create fake access points with certain tools, they will mask their access point, and they'll name it exactly what the hotel's Wi-Fi is named.
When an unsuspecting user will connect to what they think is the hotel Wi-Fi, they're actually connecting to the attack machine. The attack machine is connected to the hotel Wi-Fi, so they have a connection. But essentially, the victim's traffic will flow to and from the attack machine before hitting Yahoo, Facebook, or whatever.
The point is, credentials, files, identities are going to the attacker first. It doesn't matter if it's HTTPS or encrypted connection. If you connect to a rogue access point, you are connected to the attacker's machine. Now this person can even control your own machine. Not just capture traffic, they can take your machine over through an open port, outdated service, or something.
I would say if you use a hotel Wi-Fi, use a virtual private network application. Essentially, what this does is it creates a secure encrypted tunnel from your device to a secure server, whoever the VPN is owned by, Nord or ExpressVPN. There are a bunch of VPNs out there.I would say if you use a hotel Wi-Fi, use a virtual private network application. Essentially, what this does is it creates a secure encrypted tunnel from your device to a secure server, whoever the VPN is owned by, Nord or… Click To Tweet
Your traffic does not reach the destinations until it has passed through those secure tunnels. Even if a bad guy were to sniff out your traffic, they would not see where you're going to, what websites or applications you're going to.
Honestly, if you could just use your cellular signal as a hotspot or completely separate from the hotel Wi-Fi, that's ideal just because it does remove a security risk to that point. You can use VPNs out in public. You can use it on your home Wi-Fi. You can connect it to your router or firewall. I would say invest in a good VPN. Don't get a free one.
Let's talk about it. Why would you not want a free VPN? I had lots of people say, “Well, why should I pay for a VPN if there are a bunch of free ones out there?”
Ask yourself, how important is your bank password? How important are the websites that you're going to or the conversations you're going to? A free VPN, yeah, it's free. They might advertise encrypted connections, but there are disclaimers you have to check off.
There's stuff going on in the background. You don't know if they're sending your logs and traffic to a nation-state that is using your information for malicious purposes. There are a lot of lesser known free VPNs found on bootleg app stores that are just riddled with malware. They could take your device over. You really shouldn't.
One indicator is to try to research, does this company get audited? Does this company have security audits done on their VPN service itself? NordVPN, ExpressVPN, Freedome, Mullvad, they all have audits. They'll have attackers and other specialists go in, and they'll try to get into the logs. They'll try to intercept traffic. I guess if it's a successful audit, then they're locked down pretty good.
I would do your research. This isn't something I would go cheap on. VPNs aren't that expensive. I pay maybe $2.50 a month for mine, and that's for multiple devices.
The way I look at it is that having run my own websites and having my own hardware and colocation facilities, hardware and high-speed internet connections with lots of bandwidth are not free. That costs companies lots of money, so they have to be making money somewhere to offset that cost.
There are definitely some VPNs out there that will offer a, well, “You can get 100 megabytes a month for free,” and then you have to pay for it. They're using it as a way to advertise their paid service. But someone who's offering a completely free service, you have to wonder, “Well, how are they making their money?” They’ve got to be paying the bills somehow.
If they're not charging you for the service, then is it malware that they're putting on your system? Is it like you said, selling user data to other people? There's something else going on that you're not aware of.
Another thing that you should watch out for is, like I said before, almost everyone has a smartphone. When you're going to download an app, a lot of people just go to the app and click install, or they search for a PDF scanner app, and they'll download it. But what you really need to pay attention to is the developer to start with.When you're going to download an app, a lot of people just go to the app and click install, or they search for a PDF scanner app, and they'll download it. But what you really need to pay attention to is the developer to start with.… Click To Tweet
With the App Store in Apple and the Google Play Store, there is a section that says developer contact or developer information. Sometimes it's on the bottom of the page, sometimes it's towards the top. You expand that out. Sometimes you'll see an email and an address. Other times, you'll just see an email.
What you need to do is take the app company name and go research it. Where's this place headquartered? If it's headquartered in the communist Republic of China, likely, they are going to steal your data, and they are going to store it on their servers, sell it, build a profile on you, whatever. Who knows what they're going to do?
I personally always opt for well-known apps. If it's headquartered in the US, I go and look at their site, make sure it's legit, look at reviews. If it's headquartered overseas like in Europe, I'll do the same thing. That right there is a big thing to watch out for.
The other thing is the permissions. That's one that goes over a lot of people's heads. The permissions are basically what an app is going to require from your device to run, function, or give the best user experience. A calculator app does not need access to your contacts, to your camera, to your mic.
This is just one example. You go to the permissions for the calculator app. If it's just asking for hard drive use or network access, and if it's an app that may have ads, which is how they make money sometimes, that seems OK. But if it's asking for contacts, pictures, text messages, a list this long, don't download that.
Yeah. I don't understand why my calculator needs to know my mother's maiden name. That seems odd.
Exactly. Why is my phone running so slow? You'll notice, if you hook your device up to a proxy, you'll see all these outgoing internet connections going to this country, this country, this country. That's where your information is going.
I would say, but it's also important to know that's also part of the regular function. I get lots of people who contact me. “Oh, my gosh. My phone is connecting to this IP address. What's this Amazon AWS thing? Oh, my gosh, they're attacking my computer.” There are lots of legitimate connections going on, but if you do that, you'll see a lot of stuff that you don't understand and that can be dangerous in and of itself.
Particularly, I think the most recent one that I think of is when ChatGPT became popular. Everybody started putting out fake ChatGPT apps. Anything that's brand new and, “Ooh, what's this new shiny thing?” The malware developers will jump on that like it's nobody's business. You really have to be careful on hot and new things.
Yes. With technology, it's big and also with current world events. If there's a disaster or a pandemic happening, you better believe that there are going to be social engineers out there that are going to send you a special email titled, “Dear, Chris. We have received a claim from your insurance company. Please click here.” When you click it, your system's owned, or you're forced into giving credentials out. It's clever, it really is.
The criminals are not individual people sitting in their basements anymore. This is organized crime with millions or billions of dollars in funding to do what they do. It's crazy.
What are your thoughts on how to protect people from crypto scams, or knowing if some app that they're downloading is a real crypto trading platform or just a fake site making it look like you have money?
You have to do your research. There's really only a small handful of fully legitimate and safer crypto stock exchanges and trading. I would be very wary about downloading any of them on your phone unless you have researched the company in a full-on computer browser, where you can actually see where they're located. “Is this really the website address of this company, or is it a spoof domain with just one character changed?” It's not a good idea just to sign up for an account. You really need to know what you're looking at.You have to do your research. There's really only a small handful of fully legitimate and safer crypto stock exchanges and trading. -Patrick McNamara Click To Tweet
I would not download any crypto apps that are not mainstream or that you get from a third-party app store that is not Apple play, not Google Play, not Samsung, something like Aptoide. There are a few Asian app stores that are riddled with apps just full of malware. so I'd be very careful on what app stores you use.
Understand how crypto works before you start investing in it. I've tried it. Each cryptocurrency is for a different project. Understanding that just takes hours. Paying someone to do it for you might be a better option that understands all that better. I'm certainly not comfortable doing it myself.
To me, as soon as someone says crypto, my red flags go up. It's like, “Oh, OK. No, I'm not going to visit your new crypto platform, even if you say I'm going to get a hundred times return on my investment.” Buyer beware when it comes to crypto. Yeah, definitely, definitely, definitely, definitely do your research.
Questions about tying in with a VPN, privacy, and anonymity. Can you ever really truly be anonymous online?
I believe you can, but the amount of work that you have to put into this, you're going to have to go through multiple steps. You'd have to get someone to buy a few preloaded cash cards, a few gift cards, a bunch of prepaid cell phones and SIM cards, because if you go into the store yourself and buy this, you have lost anonymity because now you're on camera. That's the first step, and that's hard to do on its own. Who you're going to trust with $500 to bring you all this gear? Would you like a tip? That's the first thing.
And you hope that they're not willing to disclose who gave them the money.
Exactly. Any device you touch, if you're going to use it for this purpose, you can't have anything connected to you. You have to go full-on sock puppet. None of your personal credit cards, none of your passwords or usernames, nothing that remotely sounds like one of your usernames or passwords. Honestly, I wouldn't do anything like that at your house or near your house. You'd have to go somewhere and conduct your anonymous non-illegal business.
Even then, you'd have to install a special operating system on your device or run it just through a USB drive like Tails or something. That's an operating system that's Linux-based, that's tailored towards anonymity and privacy. It has a whole bunch of built-in tools. It has an anonymous email. Email is complicated. There are trackers all over email, and don't even get me started.
There are a lot of steps, and it can get expensive, too. You’ve got to ask yourself, “Why am I trying to be anonymous? Is it worth the cost and the hassle?” For a traveling person, it might not be as bad. But for someone that works from home, depending on what you're doing. I know a lot of whistleblowers will use a lot of different anonymous measures to whistleblow. In other countries, they have to be anonymous, or else they're going to get executed or something. That's for anonymous.
It sounds like if you really want to be anonymous, there's a lot of work that you need to do. But if you want to get 90% of the way there, it's probably somewhat doable without a huge budget.
Right. Really, you have to understand the technology. You have to understand what a tracker is. What's a cookie> What does my browser tell the rest of the world about me? A lot of browsers will send your data to other websites, and then those websites have a use policy where they can send your data to other websites. It's like a revolving circle. That's why once you start, your stuff is out there, so you just have to be careful, really.
For privacy, it's a little different because there's so much work involved with anonymizing yourself. Privacy is a little easier. You can use a special browser. I use Brave browser, personally. It blocks a lot of trackers. It's built on the Chromium engine but without all the heavyweight stuff, so it's very easy on your system. It's very fast. I wouldn't use their free VPN, though, because it has one built in.
You can get a decent browser for free. VPN will help with privacy, but it won't make you anonymous, though. A very important thing to remember is a VPN has your information. They know who you are as a customer, they have your credit card, they have your address. It's not anonymous, but it is secure. It can be private if you get the right one, but that does not mitigate all risk either. We can talk about that, too.VPN will help with privacy, but it won't make you anonymous, though. A very important thing to remember is a VPN has your information. They know who you are as a customer, they have your credit card, they have your address.… Click To Tweet
Yeah, let's talk about that, because I think a lot of times people think using a VPN is this one magical tool that keeps me 100% safe online. What is it going to keep you safe from and what is it not going to keep you safe from?
It's going to protect you from people sniffing your Wi-Fi connection and latching on to one of your devices. Because if you run your VPN through your router, all devices behind that router are going to have encrypted traffic. That covers the traffic part of it, so your data is encrypted, people can't see what you're doing.
But there are physical attacks too. Someone can plug a USB drive into your computer with malware that installs spyware or something like that. There's RFID attacks, there's Bluetooth attacks, there's NFC attacks, there's AirDrop attacks. There's a special malware for each of these types of attacks, all usually have to be within proximity.
Picture the scenario: you're at a club or you're at Starbucks, and you have someone behind you. That's three or four feet. Standard Bluetooth range is, I think, 50 feet. If your Bluetooth is on and you didn't turn it off, then you might be at risk for some Bluetooth attack.
A very common attack is sending the victim a malicious file, maybe a text, or something that will get them to tap on it and open it. It will direct them to a browser, adware. It might download an app in the background that you won't see.
A VPN is not going to protect you from yourself.Social engineering and scammers giving you a call or sending you an email, VPN is not going to stop that. A phishing email is going to the email server for you to then open in your inbox. VPN doesn't protect that. -Patrick McNamara Click To Tweet
Exactly. Social engineering and scammers giving you a call or sending you an email, VPN is not going to stop that. A phishing email is going to the email server for you to then open in your inbox. VPN doesn't protect that.
That's important to know because I absolutely had people thinking the VPN is this uber-security tool that protects me from absolutely everything. It may protect you from adware, it may be able to protect you from some drive-by malware if they're aware of it and they can block it, but it won't block you from installing stuff on your own computer that you downloaded without investigating.
And viruses on physical stuff touching your computer. Oh, all sorts of goodies here.
All sorts of nice surprises. What's interesting is a newer technique that the criminals are using is called fileless malware. It's a piece of malware that's actually embedded in legitimate software that's been compromised. When you go to download, just for instance, Adobe, if Adobe was compromised recently, or that site that you are downloading it from, it could have malware in it.
When you download it, your native antivirus on your device might not pick it up, because the signature could have changed, it's too new, or it's even spoofed to make it seem like it is the legitimate program. Once you're downloading a seemingly harmless piece of software and you launch it, your system is owned, and you might start to see ads. You might start to see your browser acting funny, a whole bunch of things.
They call that a supply chain attack, if I'm not mistaken.
I started digging into it, and it's like, “Well, my server hasn't been compromised, and none of the files in my machines have been compromised.” I just started turning off third-party tool providers. One of my ad platform providers, somewhere in their supply chain, someone was able to insert cryptocurrency mining. They weren’t even aware. It wasn't even theirs. It was three or four steps down the process for some library at GitHub got compromised and had a cryptocurrency miner.
It's not even always intentional stuff when this happens. It could be purely unintentional. Adobe relies on some public library somewhere, and they got compromised. It makes you nervous about installing anything.
There's only so much you can do. Someone with a VPN, a good antivirus, and good, good security awareness and stuff, but they can still fall victim to a supply chain attack. Chances are, they probably have a bunch of software on their computer if they're that knowledgeable on tech anyway. I have a ton of programs too, but I constantly have antivirus running in the background. I know I'm not 100% safe.
To me, that's always a good place to operate from, is to not assume that you're 100% safe and to work for the position of, “OK, if I'm not safe, what does that mean if I have to wipe my computer or replace it? How do I get my stuff back? How do I get back to where I was?”
And that's a headache. If you don't back anything up, if you don't make images of your computer, I'm not telling everyone to be a Geek Squad guru, but you should at least know how to back your data up. If you want to go the extra mile, figure out how to back your system up to a safe image, because if your system gets blown away, even if it's not by malware, if too much water gets into the computer case, or if you lose your device, you don't want to lose your data.
Your hard drive might fail. That does happen.
It does happen, yup.
Any recommendations on backup?
Yes. Microsoft OneDrive has a very nice backup. OneDrive is the storage backup solution for the Microsoft suite of products. PowerPoint, Microsoft Word, Excel, OneNote, and then your hard drive is pretty much backed up, the files, not the system files or applications. The stuff is on auto backup. You can have your phone access to applications so you can see your notes and all that kind of stuff.
I really liked Backblaze because that will actually backup your full hard drives constantly and then anything connected to the device that you register. You can have one license, one device, but you can hook up your phones, your laptop, additional thumb drives, and everything is backed up. If your computer dies and you get a new computer, you just download everything as if nothing happened.
Imagine, that would be an absolutely massive download.
Oh yeah. I've never had to do it, but yeah.
While you can recover online, it might take a long time. I think a number of companies will offer for a fee, will send you all your data on a hard drive.
Yes, that's what Backblaze does. They can send you a hard drive. I think it's $200, although you know your data is worth more than that.
That's the trade-off that you make. You understand that, “OK, these are all my kid's childhood photographs” that most people would have no problems paying $200 to get all their photographs or all that stuff back.
If you want me to pay to get my 2004 tax filings back, you can have those. Those can be destroyed. I don't want those back, but I want my photos back. I want memories. I want those things that don't necessarily have a financial value in and of themselves back.
I agree. Sometimes I go back, and Google has this this-day-three-years-ago memory. A picture will pop up and I'll be like, “I forgot about that until now.” I'm so glad that I was saving my photos and stuff from years ago because I'm like, “That was a good memory. I don't want to lose that.” If anything, backup because you don't want to forget those great memories.
Absolutely. As we wrap up here, I know you have a website, diysecuritytips.com. What is on that website?
It's a user awareness website tailored for beginner to intermediate tech users. Topics covered are how to keep yourself safe online, how to download safe applications on your mobile devices, how to use a VPN, and there are also some tutorials on there for cybersecurity students who want to learn how to use certain tools. It's an all-around good user awareness website. We put articles on there semi-often. It can be kept up a little better than it is, but the information is still relevant.
Awesome, and we'll make sure to link that in the show notes. It is diysecuritytips.com. Any parting advice before we close out today?
I would just say to the listeners try to keep yourself educated on best practices. A lot of people don't know what a VPN is. A lot of people don't know that there are bad apps out there. Really, look at the site, do some research on your own, figure out how to best protect yourself. We're all going to be victims at some point if we haven't already. You want to try to do as much as you can.
What's the common cybersecurity phrase? It's either you know you've been a cybersecurity victim or you don't know, not that you haven't.
I've never heard that one before.
It's either a matter of time where you just don't know that it's happened.
Patrick, thank you so much for coming on the podcast today.
Of course. Thank you for having me.