What to Know About Cybersecurity at Home
Tyler Podcast Episode 9, Transcript
Our Tyler Technologies podcast explores a wide range of complex, timely, and important issues facing communities and the public sector. Expect approachable tech talk mixed with insights from subject matter experts and a bit of fun. Host and Content Marketing Director Jeff Harrell – and other guest hosts – highlight the people, places, and technology making a difference. Give us a listen today and subscribe.
Episode Summary:
Many of us are working from home. What threats does that create? What do I need to watch out for? Social Engineer and Tyler subject matter expert Max Greene gives us some very practical insights to help us be safer at home.
Transcript:
Max Greene: It really comes down to mindfulness, right? We touched on distraction and the ability to take the beat, slow down, not clicking on every COVID email that comes in. Thinking about what we're about to click on, hovering over links. Something is about to send you to espn.com because you just won free Patriots tickets. Take the extra second, hover over that link. And is it really sending you to espn.com?
Jeff Harrell: From Tyler Technologies, it's the Tyler Tech Podcast where we tackle issues facing communities today in a way that's both engaging and entertaining. I'm your host, Jeff Harrell, director of content marketing for Tyler, and today we are looking at a problem most of us are facing working from home. Specifically, are we safe from cyber threats here at home? What should we be aware of to protect us? And are there new threats during this time of social distancing and virtual offices?
Jeff Harrell: Well, to address these questions, we've got one of our internal subject matter experts joining me today. Max Greene is a social engineer and cyber awareness trainer here at Tyler and he has some great information to help us stay cyber aware while we work from home. Here's my interview with Max Greene.
Jeff Harrell: Well, Max, I know you have done some very interesting things to look for some cybersecurity vulnerabilities. Describe some of those.
Max Greene: I certainly have, Jeff. I've done everything from walking into a hospital dressed as a nurse in scrubs to walking into a financial institution as an exterminator, or walking around government buildings as a very well known vendor in the phone industry. And walking into data centers or trying to gain access to workstations. As we try to look at vulnerabilities, not simply through a cyber perspective, but through the human element. So I've absolutely found myself in some interesting predicaments.
Working From Home vs. Office
Jeff Harrell: And I know lots of government and school employees are now working from home. What's the biggest difference that you've seen working from home versus working from the office?
Max Greene: I would say that the biggest difference is really just the accountability on the user now. There's a lot of confusion and a lack of understanding that they don't have their safeguards that they had when they were in their organizations. So that's absolutely a struggle. And then put on top of that, the just general distractions of the new normal. People are having to reorganize their entire workday and they have spouses and kids and roommates. So all the more distraction and all the more difficulty to kind of be using the regular mindful use that we would hope our employees are utilizing in terms of not clicking on things. But then of course you also just have the overflow of information from COVID. Cyber criminals are taking advantage of that. Lots of stresses there, just not having those safeguards that we have in our normal institutions and people aren't conscious enough necessarily to be utilizing a VPN. And then they're jumping on things like Zoom or maybe things that aren't necessarily secure. And we're kind of all navigating what that looks like now for the first time.
Jeff Harrell: And is distraction maybe one of the things that cyber criminals look for? I would imagine that would be something that kind of gets them excited is when you're distracted and out of your normal kind of routine.
Max Greene: Yeah, absolutely. I mean COVID in general and then all summer has been "Christmas" in July for the cyber criminals. You know, they have been able to pull off aggressive, take advantage of the unemployment. And we've seen crazy unemployment fraud throughout all states, as well as just spamming people with everything from how to get discounted toilet paper to how to get extra money in your stimulus check. Coming at it from all angles and absolutely taking advantage. It's really interesting because they've said that phishing has gone up about 90% or 60% rather, and that was as of March, but we haven't seen any ransomware cases. So they're just waiting for people to go back and plug back into their networks once they get back to their institutions.
Jeff Harrell: Yep, absolutely. And we talked a little bit about cyber criminals. I think when we think of those people I for one picture someone wearing a hoodie, they're drinking Red Bull, eating Cheetos in mom's basement. But that's not reality, is it?
Max Greene: No, not really. I think that everyone kind of has that idea of that classic eighties movie star, typing faster than the other guy and hacking the CIA or the FBI, if you give him enough money and candy. That can absolutely be a one-off. Sure, there's people that have those skills, but really we're dealing with full-on corporations that are well funded by nation-states. You know, what we think of as third world countries that have very talented IT professionals churning out malware as a service and ransomware as a service. And they have HR departments and CEOs and CFOs and the best customer service you've ever heard of.
Common Cyber Criminal Tactics
Jeff Harrell: Wow. That's incredible. And what are some of the more common tactics that you're seeing today used by cyber criminals that we should all be aware of?
Max Greene: Well, I would say, by far, just social engineering tactics. We're all really familiar with phishing as we've kind of gotten hammered over the head with it. Other types of social engineering are utilizing phone spoofing and calling in as trusted organizations, or we were seeing a huge uptick in SMS text message fraud. I know that I get these daily. A lot of the times from the IRS telling me that I'm under arrest or that I am Amazon's favorite customer and they want to give me $300. That's probably the most popular thing we're seeing.
Jeff Harrell: And are there things that they're doing now to take advantage of the Coronavirus and the quarantine and the nature of kind of what's happening in society right now?
Max Greene: Absolutely. We've really seen a shift by almost every cyber criminal out there taking advantage of this. There's been tons of reports of fake CDC websites, or World Health Organization websites, misinformation. One of the really popular things was a DocuSign scam early on, going out to employees for updated information on their healthcare. So really any avenue they could take, that COVID kind of opened up the door to, they absolutely have.
Cyber Aware at Home
Jeff Harrell: Now let's get super practical. I'm working from home. A lot of us are now working from home. What are just some of your basic tips for staying cyber aware while we are working from home?
Max Greene: In terms of staying cyber aware, it really comes down to mindfulness, right? We touched on distraction and the ability to take the beat, slow down, not clicking on every COVID email that comes in. Thinking about what we're about to click on, hovering over links. Something is about to send you to espn.com because you just won free Patriots tickets. Take the extra second, hover over that link. And is it really sending you to espn.com? So those types of things are crucial, but even if you get like an account-based email telling you that your Netflix has been expired. Knowing to not click on any of those and visiting your actual account, as opposed to trusting that email.
Jeff Harrell: And, cause I'm in your world as much, when you say hover over the link, what exactly does that mean? So I get an email, it's got a link and it's asking me to click on something. I literally just hover over? What does that do? What does that tell me?
Max Greene: So if you take your mouse and you hover over that link and again, not clicking on the link, in the left hand corner, I believe, of your screen it will tell you the URL that it's actually going to direct you to. It should also pop up kind of right underneath your mouse. In this way, well just in general, not only the cyber criminals but everyone does kind of shorten their hyperlinks or will have a "click here" just for ease of use. And so cyber criminals are taking advantage of that by making it look like you are going to a site that you trust. Example being bankofamerica.com. But if you were to hover over, you're actually going to a site in Malaysia and you can't pronounce it.
Jeff Harrell: Gotcha. So you want to look at that address, see if it's legit.
Max Greene: Yes. And another really great tip in that case is utilizing the "forward slash two dots back" rule. And if you look at the URL that it's claiming you're going to, and you find the first forward slash in the address and you go two dots back. That's going to tell you where you're actually going, despite it having keywords of things that you might recognize in that long clunky address.
Jeff Harrell: So if we receive an email that's got a link or got an attachment, should we click on it? I feel like I'm a little bit nervous to even click on things these days knowing how much cyber mischief is out there. What's kind of your rule of thumb in terms of actually clicking on a link or opening an attachment?
Max Greene: Well, I think this really comes down to your job role, for starters, but also asking those basic questions that you really should always in terms of: "Am I expecting this? Did I initiate this? Is this a typical email I would receive?" If you're not one to commonly get attachments and the body of the email looks sketchy, then absolutely not. But if that is your job function and it lines up and it's timely, then sure. But as you said these are really stressful times. So the additional thing to do would be to reach out to the sender, if you really weren't sure, and confirm that this was sent to you in a legitimate fashion.
Jeff Harrell: And text messaging is not immune to this either, is it?
Max Greene: It's absolutely not. And it's again, really gotten very rampant. I think it's going to surpass traditional phishing as we know it in email, if it hasn't already. Now we're seeing these emails even go out in large chunks, which is allowing the cyber criminals to... And by large chunks I mean in grouping. So, you might get a text message that five other numbers you don't recognize received. So really they're spamming out millions of numbers in every way that they can.
Jeff Harrell: And what are some things to keep in mind with text messaging? And can you block numbers? What are some of the maybe simple tips there to help people when they're either getting text messages or they may fear getting text messages that are criminal in nature?
Max Greene: In general. So, unfortunately you can't stop it altogether. There have been attempts by the government to block this altogether, but the cyber criminals just get new numbers and can spam it out. So, really, the move is once you've received a message like this and it's clearly false, you can definitely block that. I think a lot of people fall into the trap of getting what they think is a text message from their financial institution. And there is fraud protection in that way. And so people are very reactive to that. But again, it's similar to email phishing. Not just trusting that text message and that link telling you you're going to an account, but actually calling your institution or visiting your online banking once you receive an alert like that.
Jeff Harrell: And what about phone spoofing? Is there things you can do? I know that's probably gone... I don't know if that's gone down. I feel like that was a pretty common approach. I feel like I get less phone calls, but I'm sure it's an approach that still gets used today. What are some things we can do to avoid being spoofed on the phone?
Max Greene: I think we are probably seeing less phone calls just because we as a society don't want to answer the phone as much. However, it's definitely still a very common tactic. It's something that I deploy on a regular basis and with a surprising amount of success still in terms of testing. Unfortunately, you cannot really block spoof numbers either because what a spoof number is doing is utilizing the legitimacy of a real number. That said, that can be incredibly dangerous. The caller ID was inherently invented so that we could trust the phone and we could trust who was actually on the other line, and the cyber criminals use spoofing as a way to take that power back and use it against us.
Max Greene: I know, personally, I've even received calls spoofing my own number and I'm worried this is my Back to the Future moment. And I'm warning myself about 2020, but tell yourself you're going to leave a message. Don't answer those calls. But, again, the best thing to do if you're uncertain and it doesn't feel right is simply ask to call them back. "Can I give you a call back? What's your extension?" Because a cyber criminal doesn't own that spoof number. They can make it display on your phone as that number, but when you call that number back, you're going to reach that actual organization or that actual person they're hoping to pose as.
Jeff Harrell: Is it just a good practice to, if you don't recognize the number, just to let it go to voicemail? Is that a good practice or is that being a little bit overly cautious?
Max Greene: Personally? I absolutely will do that. You can even set your phone to not even have a number ring if your phone doesn't recognize the number. In this way... I think the general rule of thumb for most people is, if it's important, they'll leave a voicemail. That said, if you are supposed to be on the lookout for a call, maybe we don't need to go to that level, but absolutely that's one way to mitigate risk.
Jeff Harrell: And do you have any examples on where people maybe tricked you into giving some information that was actually helpful for them to do a little bit of spoofing?
Max Greene: Right. So I think where you're referring to there is ... There's really no such thing as innocuous information. And when we say that it's this idea of if the cyber criminal is utilizing phone spoofing, then they're likely not going to just make one call to an organization. They're going to build a profile. They're going to put the puzzle pieces together. So when calling in, even if the person on the other line is onto your scam, if you will, human nature kind of stops us from wanting to be fooled and even more want to let that person that's trying to fool us know that they have not gotten this. But that often leads to giving out information. So the example being, I call in or a cyber criminal rather calls in and says, "Hi, we're calling to help you with your Internet Explorer issue." And you're like, "We don't use Internet Explorer. We use Safari." Click. That cyber criminal now has that piece of information and can curtail their pretext to whatever you've given them.
Max Greene: Obviously financial institutions and lots of different things kind of try to combat this by utilizing a multi-factor code that they'll request to send to you, which is something that I wish we had touched upon earlier in terms of kind of those simple things to remain secure and simple tips. 'Cause multi-factor can really be the game changer. You can utilize this on everything from your email, your social media accounts, all of your financial accounts, credit cards, online banking. And what multi-factor is, is after you type in your credentials to get onto any of these sensitive sites, it then prompts you to receive a text message code. What this does is it allows them to really confirm that you are the user that is trying to gain entry. But also, should a cyber criminal gain access to any of these platforms, they still need to receive that code. It's really just another layer, another wall that they need to get over. And so they're A: more likely to move on, and B: you're alerted instantly when you receive a multi-factor code, unprompted, that someone is trying to gain access to your accounts.
Max Greene: That said, there's definitely some new customer scams that the cyber criminals will utilize, and they'll actually be on the phone with your institution and do it at the same time. Because they have tried to gain access to your account, it has prompted the multi-factor code, and then they'll call, claiming fraud, as your financial institution and ask you to give them that code. And that's why you received it. So definitely something to be wary of as well.
"It really comes down to mindfulness."
Max Greene
Veteran Social Engineer of Tyler Technologies
Multi-Factor Authentication
Jeff Harrell: Is multi-factor something that your IT group sets up or something that you can set up? How does that typically work?
Max Greene: So, it really depends on the platform. If this is for internal use, then it is something that your IT group needs to set up. Like if it's for your email, for the network. But there are definitely many platforms in which you can do it yourself, absolutely, across any platform that'll allow you to. Because again, we have to really think about the cyber criminals as opportunistic at their core. Think about a crowded parking lot for a big event, whether it be a football game or a concert. What you're not going to see is the average criminal doing the smash and grab to steal your car stereo and your Ray-Bans. No, they're going to walk around and look for the open unlocked door. And so this is really the combatant to that of, you have made sure not only your door is locked, but your car alarm is on.
Jeff Harrell: I'll be back with my interview with Max Greene in just a moment. If you'd like more information on being cyber aware, did you know we've got lots of great additional content in our resource center? From on-demand webinars to client success stories. We've got lots of great content, I think you'll find really valuable. Just go to tylertech.com and click on "resources" at the top of the page. You can then search or filter to quickly find the content you're looking for. Now back to my interview with Max Greene.
Mistakes With Passwords
Jeff Harrell: You mentioned passwords earlier. I know that can be a sense of frustration for people. I feel like I can't remember my passwords. I got a password for everything, so I don't think you want to let your frustration leave you exposed. What are some of the biggest mistakes people make with passwords?
Max Greene: The biggest mistake and the thing that we see really across the board in institutions, is the utilization of season and year. Everyone is really prone to that. So, right now "summer 2020" is probably thousands and thousands of people's password for many, many things. Especially when they're prompted to change their password every 90 days. Because it fits that Windows convention. It's seen as a complex password. Or they simply are using "password" or "password" with dollar signs, which isn't really making it any more complex, or they're using their pet's name or their children's names. So that's kind of the traps people fall into.
Jeff Harrell: So, is there any advice you would have in terms of how to keep passwords safe and how to keep track of all your passwords?
Max Greene: One thing I would suggest is looking into a password manager. A Dashlane or a LastPass or a Keeper. These are all examples. I don't have any one specific endorsement for any, but it's definitely better than making all of your passwords simple or making everything one password, because then all the cyber criminal needs is that one password and they have access to everything. But I would say that a password manager is invaluable and everyone should have one.
Jeff Harrell: I know a lot of sites will have the button where it says "click to remember me" and it'll automatically save your username and password. What about those? Are those safe? Should you use that?
Max Greene: That's always a question that gets brought up. Ideally, I would say no, as amazing as it is. And they are making strong and unique passwords, but that's also giving the assumption that no one is going to have access to your device. So it really leaves you a little bit more exposed than people would think.
Jeff Harrell: I know now, especially with COVID and working from home, we are on a ton of online meetings. You and I are meeting right now on an online meeting platform. Those are safe, right? Those can't be compromised?
Max Greene: Well, that's not entirely true. Unfortunately, we have heard so many instances of people jumping on Zooms that they shouldn't be. Having meetings, open meetings, that don't have set times or don't have passwords attached to them. And also the people that are making these adjustments and for the first time working from home and trying to set up video conferencing, haven't necessarily invested in these tools. Currently, at Tyler, we use things like GoToMeeting or WebEx for instance. And those are typically used for business and have been vetted, as opposed to the freer tools, like Zoom, which might have more vulnerabilities, and people may be more at risk than they're aware of.
Home Wi-Fi
Jeff Harrell: And so a lot of us now are obviously working from home using our home Wi-Fi. Is there anything that we need to know about our home Wi-Fi?
Max Greene: I mean, absolutely. Again, ideally you should really only be using your home Wi-Fi to then connect through your VPN client to your actual organization's network again. And by doing that, you'll have the typical safeguards that you would if we were all still in the office. That said, it's really important to have a very strong password for your at-home internet. Just making sure that's as secure as it can be. What a lot of people don't know is that the routers that we're given by Spectrum, or whatever cable router you may use, typically still have the username and password set to "admin" and "admin". And so, no one ever makes those changes. No one enables their firewall options. So there is plenty you can do to make your at-home Wi-Fi safer and lock down your environment, which I would suggest doing. Not even just in terms of working from home, but just for your daily lives, to keep your personal information safe and your financial information and your family for that matter.
Jeff Harrell: Well, we've talked about a lot of things for people that are working from home. If you had to boil it down to maybe your top four or five things to always keep in mind, just real simple things to keep in mind, what would those things be?
Max Greene: All right, boiling it down. Well, absolutely passwords. If I could just make all of them passwords, I would, I would. Passwords, passwords, passwords, and passwords. It's really the first step we can all take. But then again, initiating multi-factor really can be a difference maker, not just aimlessly clicking on links, remembering to hover over links, remembering our "forward slash two dots back" rule. Again, anything in front of that forward slash two dots back, we don't need to pay attention to. Anything after, we don't need to pay attention to. And really know where we're going before we're just jetting off and clicking on links. And most importantly, just again, mindfulness, taking the extra second, reading what you're clicking on, asking yourself, "Am I expecting this? Did I initiate this? Does this make sense?" Those things would probably be my top things that I would tell people.
Jeff Harrell: Great advice, Max. If people wanted to connect with you, is there a good way for them to do that?
Max Greene: Absolutely. They can reach out to me at max.greene@tylertech.com. And we're always happy to help. We want to answer any questions that anyone has because we're all in this together.
Jeff Harrell: Awesome. Hey, Max, thanks so much for your help and your expertise. We really, really appreciate it.
Max Greene: You're welcome.
Jeff Harrell: Well, I hope you took away some really practical tidbits to help you stay cyber aware at home. I know I did. And hey, as always, thanks for joining me. We've got such great feedback on the podcast. We really appreciate that. One request I do have, podcasts like this tend to spread by word of mouth. So if you find this content helpful, please share it with others. And until next time, this is Jeff Harrell, director of content marketing with Tyler Technologies. Have a great week. We'll talk to you soon.