
Remote Worker Cybersecurity Risks with Dr. Eric Cole

“Make sure to update your operating system and security on your computer.” - Dr. Eric Cole

With over ten million cyber-attacks reported daily, we have to be equipped with the knowledge, information, and software to protect ourselves and our families. The Coronavirus outbreak caused a sudden shift to employees working from home, which has made this problem worse. Since most businesses had no time to create a well-thought-out plan, the door is open for even more cyberattacks.

In this episode, Dr. Eric Cole and I talk about specific ways to make cyberspace a safe place to live and work. We talk about how to lock down your wireless access point, specific ways you need to update your computer, and most importantly how you can prevent these attacks.

A world-renowned cybersecurity expert with more than 30 years of network security experience, Dr. Eric Cole is a distinguished cybersecurity expert and keynote speaker who helps organizations curtail the risk of cyber threats. Many of the foundational principles of cybersecurity training were developed by Dr. Cole. He has worked with a variety of clients ranging from Fortune 50 companies to top international banks to the CIA, for which he was a professional hacker.

While he started his career on the offense, he is now fully dedicated to understanding the adversary so he can provide cost-effective solutions that actually work. As a pioneer in the area of cybersecurity, he has been inducted into the Infosec Hall of Fame, awarded the Cyber Wingman Award from the US Air Force, received multiple commendations from the CIA, and was part of the commission on cybersecurity for President Obama. He has been the featured speaker at many security events and has been interviewed by several major media outlets such as CNN, CBS News, FOX News, and 60 Minutes.

“If you are not paying for the product, you are the product.” - Chris Parker

Show Notes:

“Prevention is ideal, detection is a must.” - Dr. Eric Cole

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 


We’re recording this in late March in the US. We’ve gone from a small percentage of the population working from home to suddenly a very large percentage of the population working from home. We’ve seen internet service providers struggling to keep up with the bandwidth of everybody streaming Netflix and YouTube in addition to all of the people that are now working from home for their employers.

I know when these things are planned for, companies’ employees can be good about taking cyber security into play and looking at “What do I have set up; what do I not have set up?” But when this happens all of a sudden, and there’s a mass migration to being online, what are some of the things that companies and employees need to be doing to make sure they’re protecting themselves and their companies from cyber security risks?

That’s a great question because, like you said, when most businesses are making decisions, rolling out new services, they step back and say, “Okay, what’s the functionality? What’s the benefit? What are the security risks? And can we live with those security risks? How can we mitigate those?” However, with everything that’s happened so quickly, that second question is gone. It’s pretty much survival mode. “How can we get our employees up and running as quickly as possible?” Functionality wins, who cares about security? That becomes very, very dangerous because of a couple of factors.

One is people assume that their home network is secure and protected. Many people were never meant to run their business off of their home network. The first recommendation is to take a couple of minutes—if not, hire a kid or a neighbor kid because they’re smarter about technology than you anyway. They’ll take $50, it’d be quick, and lock down your wireless access point. Make sure that it’s up-to-date. Most people patch their computers; they don’t patch their access points. They have passwords like “abcd,” and now people are going to jump on that. They don’t have the encryption in place. Spend the five or 10 minutes making sure that you’re locking down, protecting, securing that.

Next, remember that when you’re in the office and you’re checking email, surfing the web and doing all those things, you’re behind typically five or six different levels of security that are protecting you that people completely forget about. You now go home and all that’s gone. It’s pretty much you and the internet. A couple of factors. Make sure you’re upgrading that operating system at home. I know a lot of people are working from home and they still have Windows 7. I have one person with XP. Make sure you’re up-to-date. It’s not perfect, but get the latest endpoint security product. Make sure you put that on your system and update it.

This one is a little controversial, but I will stand by it with the data. My company has looked at 387 malware attacks that have come out with corona that are all looking like corona emails and information and updates. People are emotional. 100% all run on Windows operating systems. We have not seen any phishing or any malware attempts that run on iPhones, that run on Macs, that run on other platforms.

What I’m telling people is a short-term fix, not long-term, because the attackers can adapt. But I recommend that when you’re doing that first pass through email, if you’re going to be clicking on links, opening up attachments, anything on corona, anything emotional, use an iPhone, Android, or iPad. Just don’t use Windows for doing that web surfing, that email. Right now, you’re emotional, you’re not going to be thinking straight. Take the operating system that’s being targeted out of the way. That’s one of those unconventional ones.

The third one that I recommend is companies are quickly moving to the cloud and they love free! Why should I pay $79-$100 when I can get Google Docs for free, I can get Dropbox for free? Stay away from it. If you’re running your business, you need to pay for the commercial service because free isn’t free. With free, they have access to your data, they are monitoring, they are using it for marketing. It’s a higher risk to your business. Spend the money, it’s not a lot of extra money, and go with the commercial-based services.

Let’s go back to the wireless and dig in a little more detail if you want.

Because I know lots of people, when you say, “Make sure your router is up-to-date,” what does that really mean? Most people go out to their big-box electronic store. Ten years ago, they bought the cheapest router they could. They threw it in there and set it and forgot it. What does updating your router really mean?

A couple of things. One is, it’s a computer, just like your laptop, just like any other computer. There are vulnerabilities that have been discovered over the last couple of years and they just came out with a new one for Linksys, which is what a lot of people use. There’s another vulnerability. Now the good news is, Linksys came out with a patch, but you have to actually apply it. What that means is updating your router is going to your computer, opening up your browser, and most likely you’re either going to enter in 10.10.10.1 or 192.168.1.1. You can just Google it online. Just look at what your home router is. If it’s Linksys, it’s Netgear, whatever the model is. Just say, “How do I update my Netgear, my Linksys?” Put in the model number and it’ll pop right up. It’ll show you how to do it. It’s really easy. You would just connect with your browser and then you click the update button. Same thing if you don’t have encryption turned on: you just click on encryption, you click on change your password.

Let’s be real generous. Let’s say you’re a slow learner. It’s going to take you five minutes to research. It’ll probably take you two, I’ll be conservative. Five minutes to research it, two minutes to update and do the changes. In less than 10 minutes, you’re now in a much better position and much safer than you were 10 minutes prior. One of the things that I always remind people of when it comes to cyber security—I know you know this—you’re going to pay the piper. You either pay now or pay later. My question is, do you want to spend 10 minutes now, patching, locking down, and updating your router or do you want to wait for 2-3 months when your data’s stolen, your identity is stolen, and then you have to spend 300 hours trying to clean and fix everything? It’s really your choice: 10 minutes now, 300 hours later.

It’s pretty crazy. I’ve helped out a few people over the years. “Hey, I’m having some problems. Can you check my home network?” And I’ve gone over to a friend’s house and the router’s, like, 10 years old. I’m like, “Oh, you need to replace this thing.” They’re like, “Oh, but it still works.” I’m like, “Well, the problem is while Linksys or D-Link or whoever it was, were providing patches for it, some of these companies will stop supporting routers after five years or so. You really need to make sure that if there are patches available, that they’re patches from the recent time frame, not that the last patch was from 2012 or something like that.” That should be a red flag.

If it’s something where your current router is something you might see at the museum, you probably want to upgrade it.

Yup. One of the pieces of advice I always give people is to make sure that the password you type in when you connect to your WiFi, or when your friend comes over to connect to your WiFi, is different from the administrative password on your router. There are some tools out there that’ll help you crack passwords to join a network. The last thing you want is the person then to be able to get on your router and start changing the settings without you knowing about it.

Exactly. I do want to inject one thing here, because it changes people’s perspectives. Most people are thinking, “Somebody’s stealing my data.” I hear all the time, “Listen, my kids are just using it for school. I’m just doing basic surfing. I don’t care if somebody sees my data.”

Let me give a different twist to it. We saw this attack last year, but in the last 3-4 weeks, we’ve seen it increase, which is cyber framing. I’m home, I want to commit crimes, I want to do pornography or things like that. What do I do? I connect to my neighbor’s wireless access point and I use that to do all that criminal activity. Now, if law enforcement or others start tracking down or monitoring, it’s tied to you and not the real criminal. Unless you live on a 100-acre compound, where anywhere you look, you can see your lands, if you see anybody you can shoot them. But most of us, where we live in smaller plots, or apartments, or condos, or big cities like New York with the lockdown, I predict this is going to be a huge, huge problem where these cyber criminals are just sitting back, laughing because they can just pick whatever access point they want and use that to commit the crime with almost zero risk to them.

That’s definitely also one of those risks that if a router can be compromised, it doesn’t have to be your next door neighbor jumping on your router. It could potentially be someone halfway around the world who is connecting up through the insecurity in your router and now it’s industrial espionage, whatever government hacking they’re doing. It could even be worse as well.

Yes.

I know you also talked about free cloud services. Is there any other drilling down into that that people should care about when it comes to either free software in general or specifically free cloud services?

It just comes back to me—I think free is the worst word in the English dictionary. I always joke, I’m like, “I hate the F word. I think the F word is the worst.” Everyone’s thinking of a different F word and I’m like, “Of course I’m thinking of free.” What people don’t realize is free is not free. Think about it. How in the world can Google be a multi-billion dollar company on free services? How can these companies get away with free services and make tons of money? It’s because it’s not free. They’re using your data, they’re accessing your data.

What I always tell folks is, “Don’t take my word for it. Go in and just post similar messages. Go to Google Docs or go to Dropbox and pick a topic.” I don’t know why I did this with my friend yesterday, because he didn’t believe me. We started typing in high blood pressure, my cholesterol is really high, all of this stuff. We posted maybe 10 messages over a 60-minute period.

Two hours later, I get a text from him, and let’s just say there were some interesting words in there where he was like, “Eric, all of a sudden now when I’m checking my email, when I’m surfing the web, everything is about blood pressure medicine.” He was like, “It really is being tracked that quick and that fast!” If you don’t want to take our word for it, prove it. They are using your data, and as soon as you go commercial, they don’t do that anymore.

They’re going to make their money either by you paying or them selling your data. Which do you want? In my personal opinion, whether it’s apps on the phone, whether it’s social media, anything, if it’s not a commercial version that I’m paying for, I don’t use it.

Yup. I originally heard this with respect to Facebook. It’s that story of, “If you’re not paying for the product, you are the product.”

There you go. I love that. That is awesome.

It’s a great quote, because it helps you realize that these platforms cost significant amounts of money to use. If they’re not charging you for it, they’re making their money somewhere else. That really has to be a huge red flag for you. How else could they be making money off of me using their service if it’s not coming directly out of my pocket?

Exactly. You got it.

Just from running whatismyipaddress.com, I see a lot of people saying, “I want to use a free VPN. Whatever this company is, they offer this free VPN service that allows me to have privacy and security.” I was like, VPNs require servers, and data centers, and network engineers. They have to be making money somehow from you. Is your data really secure? Your surfing habits, are they really private when you’re using that platform? They might look that way, but they probably aren’t if they’re offering you a free service.

I always tell people because I know we’re always rushed for functionality, but step back and just ask the question you have. Use some common sense on saying, “Okay, if this is really free and they are staying in business, clearly, there has to be some exposure points they’re not telling me about.”

Unless they’re a charity.

Yeah, exactly.

But then again, you know where the money is coming from. People are donating into that charity to keep them in business. When it comes to a corporation, if they’re not a charity, where is it coming from?

Exactly, yup.

You also talked about two-factor authentication. I think most people are familiar with SMS or text message two-factor authentication, where you log in to your bank website and they send you a text message and you have to enter that code back in, in order to be able to access the site. Are there more secure methods of two-factor or multi-factor authentication?

They take a few extra minutes to set up, but you can actually install applications from free applications. They have small business first just like RSA tokens and others that you set up on your device or phone, your computer that you’re using, and then it will automatically generate and then you can automatically paste it. Once it’s set up, it’s a quicker, easier solution. But it requires a little more work and a little more energy. But the thing that I always emphasize is with two-factor authentication, the company will never, ever ask for that two-factor. We have seen scams now. I’m dealing with an expert witness case where somebody lost $10 million on Bitcoin because they got a message from the provider saying, “Hey, we need to test your account. We just sent you a one-time password. Can you let us know what it is so we can verify your identity?” And they did it and then they used that to be able to access the person’s account. The scariest thing with that is, because technically, the person gave the credentials and the person allowed them in, you’re actually liable and not the bank. Most people don’t realize that.

While I’m a big fan of two-factor, I always emphasize to folks, no matter what somebody says or does, never give away that second factor. What I actually prefer over two-factor authentication is account monitoring. A lot of these banks, services, and e-commerce have a lot of good security built in. That’s the good news. The bad news is, it’s turned off by default. You have to go in and you have to turn it on. Now, most people are focused on two-factor authentication, but I’m all about prevention. It’s ideal. Protection is a must.

If somebody really wants to get into your account, even with two-factor, they will. What I prefer to do is have account notification. If somebody is logging into your account or even attempting to log in from a different IP address, you get a text notification. If somebody tries to do an EFT (Electronic Fund Transfer) out of your bank, you get a notification. If somebody tries to make a purchase and sends it to a new address that you’ve never used before, you get a text notification.

That little bit of visibility can stop most of the cybercrime. Because what a lot of people don’t realize, especially with fraudulent bank activity, is the secret number’s 24 hours. If you catch it within 24 hours, it’s usually reversible. But if you wait three, or four, or five days, or even the end of the month and you do it, that money is long gone. If you had liability, because it wasn’t protected or you gave it away, you can actually be out that money. While authentication and prevention’s in court, turn on the notification, get that visibility. If something weird or strange is going on with your account, you know about it immediately and can take action.

Yup. I remember reading a story, a fairly sophisticated scam, where the scammer would call the victim and say, “Hey, I’m calling from whatever bank. It looks like someone is trying to set up a wire transfer in your account. We just want to verify that it’s not you.” They forge the caller ID so it looks like the call is coming from the bank. They don’t ask for any personal information. Then, what happens is they actually forge SMS messages. They send out an SMS message that looks like you’re getting a message from the bank. They were able to get into the account and craft text messages at the same time, so it looks like they’re actually helping you and they’re saying, “You get a text message.” And that person on the phone says, “Just respond ‘yes’ to that text message.”

They’re in the account and they have now set up a new outbound transfer. You saying “yes” has confirmed that, yes, you’re authorizing it. They’re coaching you, you think that you’re actually increasing your security, they’re siphoning away your money while you’re on the phone talking to them. It’s crazy. If someone calls you, don’t trust them.

That’s what I always tell folks is never answer incoming calls. If my bank leaves me a message or my bank says there’s an issue, the first thing I’m going to do is go into the app on my phone, and the second thing is I’m going to call the bank. I would recommend if you get a call from your bank where they’re saying that, say, “Hey, you know something? I’m going to call you right back.” If they’re like, “Okay, call us right back, that’s fine.” You know it’s probably okay. But if they’re like, “Oh no, you can’t call us back because I’m going to be busy,” and they start making excuses, your antenna should go up and say, “Houston, we’ve got a problem.”

Yeah. Along the same lines, for people who are working from home, I assume there’s going to be a lot more scams targeting businesses. We know that Barbara Corcoran, luckily in that 24-hour window, lost and recovered almost $400,000 because someone faked an email from her assistant to her accountant saying, “Hey, we need to transfer this money for this new real estate deal that we’re doing.” Because the work-from-home accountant wasn’t paying attention, it was a fake email address. They started to file off the money and at some point, the accountant CC’d the real assistant and the real assistant was like, “We didn’t authorize this.”

Working from home, we have to be careful if someone is calling us or texting us, claiming to be your boss. Are they really your boss?

That’s one of those things where you always, always add out-of-band verification. My three requirements are: if you get an email that has an emotional response, where you get a little emotional, it has an urgency, and something feels a little off or unusual, pick up the phone and verify it. It’s worth that extra two minutes because we’ll see the number of scams via email just go exponentially through the roof, because you can’t walk next door to the person’s office and ask them like in a physical office.

Working from home, we just need to take a deep breath. Anything that strikes us as urgent—emotional, like you said—say, “Okay, is this really from who it claims to be from? How can I verify it by means other than how they contacted me?”

What I joke about with people, especially people working at home, is paranoia is your friend. I used the old line we used at the CIA, “Trust no one, admit nothing, and make counter accusations.” Just get a little more paranoid and assume that any email or any communication is probably evil, and if you operate on that sense, you’ll actually be protected during this work-from-home epidemic.

Just make sure you don’t cuss out your boss via email.

Exactly, yes.

In terms of keeping your computers up-to-date, you talked about operating systems. Is there anything else that people need to keep up-to-date on their computer, specifically?

Any of the software, any operating systems, anything you’re running that has patches available for it, make sure you’re patching it. For example, the ones that everyone misses—Java, Adobe—those are support pieces that you don’t think about all the time, but also are often prime components of attack. And then of course any endpoint security or any additional protection you have in place, make sure you’re updating that also and that you’re getting the latest information on any new attacks.

Gotcha. Those are really valuable. I know there is something that runs in the back of my mind. I’ve seen a lot of posting on Facebook in the last couple of days: Zoom bombing. Where people who are not part of your company are jumping in on Zoom calls. Is there anything that you know that can protect people from that situation, self-awareness while you’re on your Zoom calls, or teleconference, or video conference, whatever you want to call it?

A couple of things. With most of these services now, because of this increased usage, you can actually set a passcode for each message. I actually have that where I have my conference bridges that I use with Zoom and Uber and everyone knows them. If you just want to have fun, you could probably dial in at any random time and potentially listen in on a call. The first thing I recommend is to set the additional passcode so every time you’re doing a conference bridge, somebody has to enter that passcode.

Another thing we do is we have the log in app. On every one of my calls now, my assistant will look at who’s dialed in and she will go, “Eric, it looks like you’re on the line, I’m on the line, Bob’s on the line, and Sally’s on the line, but there’s a fifth person that we don’t know.” And then we say, “Please identify yourself.” If they don’t, then you can actually knock them off the call.

The frustrating part, and the reason why I go back to the passcode, is they can keep dialing back in, and you can keep knocking them out. It’s just this technology was never created for evil people; it was just assuming everyone was good, moral, and ethical. I would just say, have multiple lines and start setting passcodes for everything. A little bit of an inconvenience, but well worth the extra level of protection.

Particularly if you’re discussing your accounting and your secret corporate plans to take over the world. You definitely don’t want people hearing those things.

I know one of the other things that I’ve seen is a lot of people taking pictures of their home setups. The selfie, “Hey, look at me. I’m sitting at my desk.” And they’re taking pictures of their work computer screen as they’re logged into their work platforms. It’s one of those things where we also have to be careful, not just with who’s in the conference calls, but if we’re sharing our screens, what other people are seeing. You and I are doing a video conference as we record this podcast. What’s in the background that people can see? Can people see sensitive material, bank account statements, things that you don’t want them seeing or don’t want them to have access to?

Exactly. I’ll just say, answer that from a practical, just general embarrassment standpoint. Assume that all your calls now have video and get dressed in the morning. I just did a call this morning, I kid you not, it’s so timely and we’re all dialing in and I’m like, “Jeff, why would you wear leopard skin underwear?” It took him a second, he’s like, “Eric? How would you?” He’s like, “Holy crap! I have video!” I’m like, “Dude, seriously, man? Oh my God! You don’t know what I wear below the waist, but at least I have a shirt and tie on.” Assume that your video camera is on and always dress appropriately because that’s what I call the Jeff Bezos move, where you inadvertently have shown more than you like.

Definitely not something you want to have happen. Working from home, you really need to think, “I’m in my office, how would I look? How would I talk? How would I behave if my boss were sitting next to me?” If you’re doing those things, you’ll probably be safe from a lot of the issues that’ll be gotchas when you’re working from home.

If people want to learn more about what you do or any resources that you have that can help people working from home, how can they do that?

Yes. I actually wrote a cyber guide specifically for this where I go over five core areas. Three of them I mentioned. There’s two additional bonus ones that they can get. But if you go to secure-anchor.com/cyberguide, I have a free guide that you can download, share with your employees, that just gives you some more of the practical steps for protecting and securing yourself while working from home.

Awesome! We’ll make sure to link to that in the show notes. If people want to follow you on social media, how do they find you?

@drericcole, my handle from LinkedIn to Instagram, which I’m still not sure why I’m on Instagram, because that’s what my kids use, but my team says I need it. But on Facebook and all those, it’s @drericcole.
