Episode 263 | Gary Chan: IT Security



Show Notes

Hacking attempts have spiked during the coronavirus epidemic as more employees work from home.

Gary Chan is an information security consultant and shares 12 actions that independent consultants can take to enhance their information security profile.

Visit www.alfizo.com/unleashed to download the list of actions we discuss on the show.


Will Bachman 00:01
Welcome to Unleashed, the show that explores how to thrive as an independent professional. Unleashed is produced by Umbrex, which connects you with the world’s top independent management consultants. And I’m your host, Will Bachman. And I’m so excited to be here with my guest, Gary Chan, who’s an information security consultant. And we’re going to talk all about information security. Gary, tell me a little bit about hacking attempts and phishing attempts during the coronavirus pandemic. Any change?

Gary Chan
Hey, well, good afternoon, Will. It’s a pleasure to be on the show. And to your question: yes, hacking has definitely had an increase over the past couple of months. Just to give you a few numbers, you know, I work with a number of different organizations, and depending upon who I ask, they tell me there’s a six-times to nine-times increase in the number of phishing attempts in March of 2020 versus the prior month. That’s like a huge number. And in terms of the number of new fake COVID-19 sites per day, there are thousands that are popping up on a daily basis. So much so that the registrars now are basically blocking people from even registering URLs with “coronavirus” in them until they have an opportunity to check and talk with the person. Because there’s just been such a huge uptake.

Will Bachman 01:32
And then what sort of is happening? Let’s talk about the phishing schemes. Is it that people are working from home, so the hackers figure that they might be more susceptible to click on links? Or what? Give us some specific examples.

Gary Chan
Sure. So I think there are a couple of questions in your question. One was, you know, why is it that people are doing this, and the second is what they sort of look like. So I’ll try to cover both of those. In terms of the issues, it’s definitely a lot easier to breach home defenses than it is to breach corporate defenses. So with the number of people working from home, that’s actually a boon for hackers. Also, people are using the internet more while they’re working from home. And so basically, the more they use it, the more opportunities there are for hackers. Also, corporate security teams are less effective while working at home. Some may have had their budgets reduced, so they might not have the same security tools. And some may be furloughed. There’s also an intentional reduction in security to meet performance requirements. So a lot of companies will estimate the number of people who work from home on a regular basis, which would be some small, usually single-digit percentage of their company workforce. And when it basically multiplies tenfold, they all of a sudden don’t have enough servers, they don’t have enough, you know, security tools, not enough licenses; all of these things become a problem. And so what they do is they intentionally drop the security in order for people to continue to have fast performance, to be able to log in from home. And also, law enforcement is pretty strained right now. So in some parts of the country, as you’ve probably read in the news, a lot of law enforcement officers are out sick. And on top of that, even the ones that are not sick, I mean, right now they’re just busy doing other things. So basically, the cost-value analysis for the hacker has, you know, completely changed. The value of hacking stays the same, but the cost is now much lower, because it’s a lot easier to breach those home defenses.
Companies are sort of dropping their security, and they’re not going to be as likely to be caught by law enforcement because they’re not paying attention to it. So essentially, that means the bad guys have now increased their investment. They’re buying more tools, they’re doing more hacking, and there are more people that have come out of the woodwork because it’s now, you know, worth it for them. So all of these things really culminate in a large amount of change during COVID-19 in favor of the hackers. In terms of the emails that you mentioned, you know, they come from the WHO, from the CDC. Well, not really from them, but pretending to be from them. And those are pretty common ones.

Will Bachman 04:40
So what are some ways to defend yourself? And you’ve come up with a really nice page here with these 12 different tips. Let’s go through those. How can we as independent consultants protect both ourselves as well as our client, or the client data that we’re entrusted with?

Gary Chan
Sure, I’ll sort of list out 12 items, and we can talk about any of these in more depth. So with the understanding that with this audience everybody’s pretty much an individual, I threw out the really sensitive tools and just sort of focused in on what I would consider to be a pretty good baseline. And here they are. The first: back up your files. The second is know your legal obligations. The third is take a security awareness training. The fourth is to have email security. The fifth is to follow good authentication practices. The sixth is to use anti-malware software. The seventh is to use secure Wi-Fi. The eighth is to update and patch your software; that includes your operating system. The ninth is to use secure mobile devices. The 10th is to use encryption. The 11th is to secure assets on the internet. And the 12th is to purchase cyber insurance.

Will Bachman 06:09
Okay, so let’s go through each one of these a little bit. So, great list. And if you visit... tell us the URL, and we’ll include this link in the show notes. Gary’s put together a link where you can go and actually grab this page. What’s the link that people should go to?

Gary Chan
Sure, they can go to alfizo.com forward slash Unleashed. So Alfizo is spelled a-l-f-i-z-o, dot com, forward slash Unleashed.

Will Bachman 06:42
Okay, and right there at that page, which Gary set up just for us, for listeners of the show, you can grab this information security basics for independent consultants two-pager, with a nice summary page and then some detail. So you don’t need to write these down; go to that link. So let’s talk through this a little bit. So, back up your data. Why is it important? And how do you recommend people do it?

Gary Chan
Sure. Well, backing up the data is very important, because you never know what will happen. Aside from maybe you made a mistake and accidentally deleted some file that’s important to you, to having ransomware, which will essentially encrypt your data so that you can’t get to it, it’s really important to have a separate backup, and have that, you know, separate from your PC. So there are a lot of different services online that you can upload to. You may even have a subscription that comes with whatever it is that you have. I think a lot of people use, like, Office 365 or Google G Suite, and they come with OneDrive and Google Drive respectively. So you can, you know, upload some of your files there. But there are a number of different places that you could do that. And I would suggest keeping at least six months’ worth of history, because what will happen is, if you do unfortunately get ransomware and it encrypts your files, if you don’t have a history and it only keeps the most recent file, then unfortunately the backup that you have is also going to be encrypted. So that’s a very key item: just make sure that you have version history in whatever solution you choose. And keep those backups regularly, so that you can recover from, you know, pretty much anything, really.

Will Bachman 08:37
And if someone, let’s say, is using Dropbox or Box.net, you know, if they’re putting all their files in Dropbox or Box and everything’s getting synced to the cloud, do those solutions meet your requirements, or are there issues with those?

Gary Chan
As long as they keep history, and I think that they do, then it does meet what I would suggest.

Will Bachman 09:03
Okay. So what is your perspective on keeping a physical backup on, maybe, an external hard drive? What’s your take on that?

Gary Chan
So I would suggest that you do that as well. I know that a lot of people don’t; they like using the cloud, because it, you know, really is a lot easier. Really, as many backups as you can, wherever you keep them, the better, right? So if you have two different services that you back up to, that’s better than just doing one. One of the real benefits of having physical hard drives, and I actually do that as well, backing up to a separate physical device and then disconnecting it from the PC, is that now, you know, even if you get malware, it’s really not going to affect your backup. You know, some of the more sophisticated ransomware, and especially if you’re the unfortunate target of a nation state, hopefully none of us are, what they’ll do is they’ll typically look for your backups and destroy them before they sort of give you your ransomware screen to tell you that your stuff has been compromised. So if you have it on a separate machine, or rather a separate hard drive, that protects you from that. But I would say as an independent consultant, you’re less likely to run into that scenario. You’re much more likely to run into that scenario if you are a bigger business where the hackers are intentionally trying to harm you.

Will Bachman 10:38
Okay, so definitely back up on the cloud. All right, let’s see: know your legal obligations. Say a little bit about that. And we’re not giving legal advice here, but, you know, maybe give us some hint of what some of our legal obligations are.

Gary Chan
Sure. I think it really depends, or rather, it does depend a lot on the type of data that you’re collecting. So if you’re collecting, you know, patient healthcare data, if you have, you know, credit card numbers, if you have Social Security numbers of people, which oftentimes you might have if you had, you know, employees or maybe contractors and things like that, these are all important things that you need to keep safe, and that you have a legal obligation to, you know, store securely. So without going into a lot of detail, because as you mentioned, we’re not here to give legal advice, the idea is that you have to know what type of data you’re collecting, and then know what legal obligations you have, which will often be based on both your jurisdiction, like where you’re living, whether it’s by country or by state, as well as the type of information that you specifically have. So very common things to consider are HIPAA for healthcare, PCI DSS if you do anything with credit cards, NIST 800-171 if you sell to the federal government. You also have a lot of privacy regulations and laws, like the California Consumer Privacy Act if you are in California. If you’re a financial institution, there are a number of things; New York State, for example, has some very specific ones for financial institutions. So really, there are just so many out there. Once you know the jurisdiction that applies to you, as well as the type of data you have, you can then look up which laws and regulations apply to you. And then, separate from that, the only other element is if your customer has specifically asked you to meet a particular requirement; that is something that you would also have to do.

Will Bachman 12:53
Okay, great. Take awareness training. Tell me a little about that. And you have a link there on the page. We’ll talk about awareness training.

Gary Chan
Sure. So I think it’s important for all of us to have a baseline understanding of security, especially since most of us get breached because of things that we do. You know, it’s not necessarily because they, you know, found our machine and they’re just, you know, hammering away at a vulnerability on it. More likely, they just sent out a mass email and they see who clicked, who gave up their username and password. These are all sort of low table stakes that we can all address through training. So we can take some, you know, phishing awareness training and understand some of the things that might happen over email, or, you know, any of a number of things, whether they be scams, or going to a banking website that looks like it is a banking website but really isn’t. So you can take some of these videos; you can find them on YouTube. I also have included in here a link. There are free videos. It’s a freemium, but really, the videos that you need are all free. They’re made by a partner of mine, and you can watch them. They’re about a minute long; you can watch five or 10 of them. And there are also some that are specific to certain regulations. So if you have some interest in learning a little bit more about security, I would highly encourage you to look at some of these videos that are online.

Will Bachman 14:29
Okay, so number four is have email security. Tell me about that one a little bit.

Gary Chan
Sure. Well, a lot of people get phished. And actually, there are a lot of really fun statistics about it. So for example, the department that is most often successfully phished in an organization is the HR department, because they get so many resumes in Word form, and they open those, and they have malicious macros and dumb things like that. But really, we all get phishing emails, and I’m sure we’ve all gotten them in our mailboxes over time, if not on a weekly basis, you know, certainly on a monthly basis. And so there are a lot of tools out there that can help us basically weed out all of these bad emails. And they usually come as part of your email package. But I mention it specifically because, depending upon the service, whether or not it’s free, they sometimes come with their own email security tool, and if you don’t have those, it’s really something you should consider purchasing. I know that Office 365 and G Suite already come with a lot of spam and anti-phishing tools that are built in. So if you have that, you’re probably good to go. But if you’re using a service that you’re getting very cheaply from somewhere else, you may or may not have that, so it’s just worth looking into, because they can really help you a lot. You know, because we don’t always catch those phishing emails on our own.

Will Bachman 16:11
So a lot of listeners of the show, I think, you know, use one of those two. But what would be an example, if you’re using some other service, of the email security service that you would get? Like, where would you go to get that?

Gary Chan
Sure. You would probably just need to talk with your email service provider; they may offer it as an additional add-on. There are a lot of different tools, like FortiGate is from Fortinet, Microsoft has, I think it’s called IronPort, there are just so many of them out there. But you wouldn’t necessarily purchase one of those specifically for you, because those things are usually across, you know, all of the email accounts for an entire email system. So you would have to go to your email provider and simply ask them, “Hey, do you offer this?” And they would tell you whichever one they’ve partnered with, because usually they would only install one; they wouldn’t be able to give you a selection. And you probably wouldn’t be able to sign up on your own and, you know, point it over there, if that makes sense. So you just have to work with your provider.

Will Bachman 17:23
Yeah. So that’s separate, then, from the Norton Antivirus that you have on your computer?

Gary Chan
Correct, correct.

Yeah, you’d want to catch it on the server side, not so much what you’ve described as installing on the PC or on the device. Although that is helpful, they’re usually a lot less effective, because they don’t have a lot of the extra features. They may not be live. There are a lot of additional things that go on in the background that the cloud tools, and things that are built into those data centers, have that you won’t have if you install it on your own PC.

Will Bachman 17:59
Follow good authentication practices. What does that mean?

Gary Chan
Sure. So the most important element of it is really having multi-factor authentication. So that’s when you have not only your password, but you also have, like, another token, which sometimes is like an SMS that’s sent to your phone. Or maybe you’re using something like Google Authenticator or Microsoft Authenticator, which gives you this rotating code that you can enter into the website. So I definitely recommend multi-factor authentication, because a lot of times hackers only have access to, like, your username and your password. And then having that extra step sort of pushes you down the list of priorities, because these guys are just looking for the low-hanging fruit. So if you’ve got multi-factor authentication, yes, it’s possible to hack you if I really wanted to, for example, but it’s far less likely. I’m just going to go, as the bad guy, if I were the bad guy, to the next guy who didn’t have that turned on. So I would say multi-factor authentication is really number one. And then I also mentioned, you know, single sign-on solutions, because a lot of people write down their passwords. And, you know, honestly, I can’t remember my passwords for 1,000 different websites, especially if I’m supposed to have a different password for every single one. So there are things like password vaults, as well as single sign-on types of tools. So I listed one; it’s called ASCO. Essentially, you log into that with multi-factor authentication, but then it can store your usernames and passwords for everything else, and actually log you in directly if you want it to, so that actually reduces a step. And the reason that I like that is really because people are lazy. You know, I’m lazy, too. And, you know, the easier that we make it for people to be able to log into accounts, the more likely they’re going to use the tool. Password vaults are fantastic.
But then sometimes, depending on the tool, you have to copy and paste, so to speak, that username and password into the other websites. So, you know, that adds an additional step, which means that people might not use it. So that’s why I sort of stress single sign-on, because that seems to have a much better adoption rate.

Will Bachman 20:30
Yeah, I just did an episode a few episodes ago about LastPass and password managers. And I’m not sure if we’re talking about the same thing, but LastPass will allow you to... you sign into that, and at least if you’re using Chrome on the browser, you have this plug-in thing, and then it will sign into your websites for you. And it also will, if you have a new site that you’re signing up for, generate one of those strong passwords with capital and lowercase letters and numbers and symbols, and then store it for you automatically.

Gary Chan
That’s fantastic. LastPass is a very popular one as well.

Will Bachman 21:06
Yeah. Okay, use anti-malware software. So are there any ones in particular that you recommend?

Gary Chan
There are a ton of anti-malware software packages out there. I think you even mentioned one, like Norton, earlier. So there are ones built into Windows, and now Mac; there’s already a built-in anti-malware, if you want. You know, there’s a lot of research out there that you can actually find that will talk about the pros and cons of different ones. I personally like to also purchase some other ones. I use Cylance myself, which uses artificial intelligence to sort of predict and identify malware. I like that one. But really, there are quite a large number of them. Avast is a very popular one as well, McAfee. And what I would suggest is, if you have a subscription to internet at your home, which I think all of us probably do, the ISP, or the internet service provider, typically offers you free antivirus software as part of your package. So if you go to their website, they will basically give you, like, 10 free licenses, or however many your subscription gives you. And I would say just using that is probably good enough, especially as an independent consultant. If you were a bigger business, I would probably say that it would make sense to invest in some higher-grade ones. But really, for home use, I think whatever the internet service provider offers, or whatever you purchase from Best Buy, is probably sufficient.

Will Bachman 22:53
Okay, so number seven, use secure Wi-Fi. Does that just mean having a password-protected one? Or is there something that’s more complicated? Wi-Fi has always seemed super complicated, harder than it should be to set up. Like, you go in there, and I, you know, I’ve never been able to figure out how to reprogram the password on it. I just use the one out of the box. But how do you make sure that you have secure Wi-Fi going?

Gary Chan
Sure. Well, I’ll start with what you mentioned, which is to have a good password. When you set up the Wi-Fi, and of course this depends on your router model number, assuming you’re using a router, you’ll want to set the protocol to WPA2. So the protocol, and there’s the algorithm, really just determines how complex and how difficult it is for a hacker to break it. WPA2 is the most secure one at this time. So set that, and set a good password, at least eight characters if not longer. But I think more importantly, what I was referring to was really where you connect, right? So if you’re connecting at home, that’s, you know, probably the safest environment that you’ll be in. But if you travel a lot, you’ll often get Wi-Fi, say at the airport, or maybe at your hotel. And it’s very convenient, and also useful, to be able to connect to, you know, free Wi-Fi, right, when you’re there. The problem with that is that anybody can set up a Wi-Fi and publish the SSID to be the same as whatever the airport’s is. So whenever you’re connecting to, you know, Free Wi-Fi Boston or Free Wi-Fi St. Louis, or whatever it is at the airport, you really don’t know if you’re connecting to the official one or if you’re connecting to one that a hacker set up, and you won’t be able to tell very easily. So the problem is, even if there is a password, if you’re connecting to the bad guy’s machine, that bad guy can see all of your stuff, right? So the password really only keeps people from being able to connect to that particular Wi-Fi; it doesn’t actually protect the data on your Wi-Fi. So let me explain what that means. If you’re in a hotel, or airport, or wherever, and they give you a sheet of paper that says, “Okay, connect to this Wi-Fi, here’s the password,” then everybody in that building knows the password.
That means that everybody in the building can see what you’re doing whenever you connect to the Wi-Fi, because you all have the password. So, you know, that’s a bit of an oversimplification. But that password really is just keeping you from logging on to it; it doesn’t actually protect all of your data. What protects your data is the fact that you’re using encryption, for example, between your machine and bankofamerica.com. That encryption helps when you’re going from your machine to the website, but the password for the Wi-Fi itself is completely separate; it has nothing to do with that. So if you’re connecting to Wi-Fi, make sure that it is really the real Wi-Fi that you’re expecting to connect to. And then also turn on your VPN. So if you have a company VPN, you know, use that, because that’ll, you know, tunnel through your company and go through your company’s security defenses. Otherwise, you know, you can purchase your own private VPN as well. So, like, I use Private Internet Access, but there are a ton of different VPNs out there that you can use. And that will also help make sure that your data stays protected, even if you are connected to, sort of, the hacker’s Wi-Fi.

Will Bachman 26:56
So if you’re just on a free Wi-Fi, someone else who’s also on that Wi-Fi could theoretically see all the keystrokes, or the data that you’re uploading and downloading?

Gary Chan
Yes. I’ll be a little bit more specific, since you asked. Anybody else that’s on the same network should be able to see, like, the packets that you send. So they can’t see your keystrokes when you’re just typing on your computer; that stays on your computer. But the moment that you send any data over the internet, that gets converted into digital packets, and then they can see it, right? So those packets, as they get transferred, depending upon how they’re being transferred, the bad guy can see them. So I’ll give you two examples to make it a little bit clearer. If I’m going to a website that doesn’t have a security certificate, so, like, the beginning is HTTP and not HTTPS, so you don’t see the little lock icon that’s up in the browser, if I go to a website like that and then I type in my username and password, that gets sent in clear text. So as somebody else on the same network, when you click Submit, I can see that you’re going to that website, I can see whatever it is that you’re sending, your username and password, and I can also see what that website sends back to you, right? So I can actually basically re-render whatever it is that you’re looking at on your computer screen on my computer screen by looking at those packets. But if you’re going to a website that has HTTPS, which is what’s called a secure website, then those packets are encrypted. So even if I’m able to see that you’re talking to bankofamerica.com, I can’t see the data that’s being transmitted between you and Bank of America and from Bank of America to you. There are exceptions to that, of course, but, you know, at a high level, that is how it works.

Will Bachman 29:03
Okay, so think about getting a VPN. And if you’re an independent, maybe you get a private VPN. Just explain to me a little bit: what is a VPN? What does that mean? How much does it roughly cost? And then, does it slow down the Wi-Fi? Like, what is it? What does it do?

Gary Chan
Sure. So, VPN. It’s called a virtual private network. So let’s say that I’ve got my PC at home. And, you know, whenever I’m surfing the internet, it goes out through my cable modem, and it looks like it’s coming from my house. You know, I’m in St. Louis, and it shows that it’s coming out from St. Louis. If I have a VPN, what that does, whether it’s a corporate VPN or whether it’s a private VPN that I purchased, is it’ll route all of my traffic from my house to that other place, and then from that place it gets routed out to the internet. So if I go to Bank of America from my house without a VPN, it goes straight from me to Bank of America. But if I am on a VPN, it goes from me to the sort of middle guy, that VPN provider, then it goes from there to Bank of America. So that’s what’s called a virtual private network. And the reason that this helps with the situation that we were talking about earlier is because if I’m not on a VPN, then whenever I send a packet, you know, if I’m on the free airport Wi-Fi, if I send the data packet from my PC through the hacker’s machine, they can see me talk to, you know, Bank of America, or whoever it is that I’m trying to talk to. If I do the VPN, what that does is it sets up a connection so that even though it’s routing through the hacker’s computer, it’ll be encrypted. So it encrypts all of those packets between my computer and that private VPN provider, and then from that provider it goes out to the internet. And so even though it’s going through the hacker, the hacker can’t see anything, because it’s guaranteeing that all my packets are encrypted. So one of the benefits of that is that you can pretend like you’re in a different country, for example. So if you are in Europe and you want to watch Netflix in the US, you can use a private, you know, VPN, go through a server that’s in the US, and then be able to stream Netflix from that.
So that’s sort of just an additional benefit, if you will. There are drawbacks, like things are a little bit slower when you’re on a VPN. But anyway, there are a lot of different pros and cons. In terms of the cost that you asked about, they usually cost, you know, a few dollars a month. And there are a lot that are actually much more expensive, because they do a lot more. And there are some that are free. I do not recommend using any of the ones that are free, even if they’re legitimate. The problem is that there are so many people using them that it will be really, really slow. But more importantly, there are a lot of people offering free VPNs, and really all they’re doing is counting on you to connect to them. So they’re the hacker in the middle. And you’re encrypting all the traffic between you and the hacker, but you’re giving the hacker all of your data. So don’t use any of the free ones would be a recommendation of mine.

Will Bachman 32:56
Okay. And when you use a VPN, do you kind of go to it just via a regular browser? Or how do you actually get to the VPN?

Gary Chan
Sure. So the VPN, for pretty much all of them, it’s very similar. So as I mentioned before, I use Private Internet Access. If you go to that website, you can download an application, which, you know, you have to pay for, but you install it on your PC. And then you turn it on, and you can specify where you want to be connecting to. And then it’ll route all of your traffic through there. So whether you’re using your email, or whether you are using your browser, or anything, as long as the VPN is on, and that’s turned on by the software that you install, then all of your traffic is encrypted going through that VPN provider. And so any application you use on your PC that goes over the internet will have that VPN protection, we’ll call it.

Will Bachman 34:05
So it just kind of runs in the background. So you just use Chrome or Safari or whatever, just like you normally would, and that’s just kind of running in the background.

Gary Chan
That’s correct. Yeah.

Will Bachman
Okay. Let’s talk about number eight, update and patch. How do we make sure that we’re doing that?

Gary Chan
Sure. That one’s pretty straightforward, especially nowadays; pretty much all of the operating systems, and much of the software that we install, auto-update. So even, you know, I’ve got an Apple Watch, and it auto-updates by itself. I don’t need to press any buttons. So I would just say, you know, don’t turn that feature off for your operating systems or applications. Let them update. You know, a lot of times people refuse to reboot their computer, because they’re, you know, in the middle of something or whatever. That’s fine, but reboot it later that night. A lot of times what happens is, you know, whenever Microsoft, for example, issues a patch, they’ll come out on what’s called Patch Tuesday. As soon as that patch gets released, a lot of researchers, and hackers, will look at that patch to figure out, you know, they’ll reverse engineer it to figure out what the vulnerability was in Windows. And those guys work pretty quickly, because as soon as they’re able to figure out why they had to have the patch, they also know how to exploit the computer system. And that’s when they start coding and writing all these malicious applications to get to all of the computers that have not been patched. So if you don’t reboot your computer, you know, if the patch requires a reboot and you don’t do it, then you effectively don’t have the patch, even if you do have the patch, if that makes sense.

Will Bachman 35:49
Yeah. So maybe almost make a habit of, just don’t just hibernate, turn your darn computer off once per day when you go to bed at night? That’s exactly what I do. Yeah. Okay. Number nine, secure mobile devices. Now I have a mobile device. I have an iPhone here that we’re talking on. Is that secure? Or do I need to do something to make it secure?

Sure. So I would say there are two things that I would suggest for mobile phones. The first is to lock your devices when you’re not using them. So if you have Touch ID, or Face ID, or, you know, just a PIN, or if you’ve got an Android and you’re, you know, sort of doing that pattern sort of lock, all of those are fine. Just make sure that you do have an auto lock, you know, after five minutes of inactivity, or whatever it is that you want to do. Lock your devices when you’re not using them, and then have a way to remotely wipe the device. Because a lot of times what happens is that people lose their devices. And well, you know what, you’ve lost it, you’ve kind of lost it, right? So, you know, you can use, you know, like Apple phones, for example, they have this Find My, it’s called Find My. And you can go to the website, I think it’s like icloud.com or something like that. And then you can look for your device, and then you can remotely wipe it. And that, you know, will at least give you peace of mind that your data wasn’t lost. Well, maybe it was lost, but I mean that you weren’t hacked, that someone else didn’t take it, even if you lost your, you know, hardware device.

Will Bachman 37:28
Okay. Number 10 is using encryption. We talked about using encrypted websites, or secure websites, but you’re talking about, like, encrypting your hard drive.

Yeah, that’s exactly it. I would encrypt anything that, if you wouldn’t publish it to the internet, I would encrypt it. So there, you know, with Windows, there is BitLocker. If you have, I think it’s like Windows Pro and above, that comes with BitLocker, you can use that. If you have the home version, you don’t have BitLocker. You can use other encryption solutions. One of the ones that I really like is called VeraCrypt, V-E-R-A-C-R-Y-P-T. And VeraCrypt is something you can download for free. And it takes a little bit of learning. But the point is that you can use it to encrypt your whole hard drive. Or, you know, basically, you can create what’s called a container, which is like a, I guess, like a mini, mini hard drive, I guess, a virtual hard drive, you can think of it that way. And any files that you put into that, you know, virtual hard drive will be encrypted. So that even if somebody steals your laptop, you know, at least your data, even if you’ve lost your data, the other guy can’t actually read your data. So I would definitely use encryption whenever possible. So those are a couple of examples that you can use.

Will Bachman 39:06
Okay, and how does that actually work? To get one of those, do you download the software? And is it you just type in a password or something and then it encrypts everything? Or how do you do anything differently when you’re operating the computer? Once you install the software, it just kind of operates in the background? What does it look like for someone who has not done it before?

Sure. So I think the one for Windows, BitLocker, especially if you have Windows Pro, is already there. And you can always upgrade your Windows version. That one’s the easiest one by far to use. You just type BitLocker and then you say encrypt everything, and it just encrypts your whole hard drive. So the key to logging in is basically whatever password that you use to log into your PC, and then it’ll, you know, as you’re using it, you know, everything is as is, like normal, right? So this really prevents your files from being stolen. If, like, it’s on a laptop and you have your computer locked, they won’t be able to get in, and everything there is encrypted. If you don’t have it encrypted but you have a lock on it, I’ll just make this point: I can still get all of your data, because I actually, you know, I know how. I don’t actually need your password to access any of the files on your computer if you don’t have it encrypted. And this is, yes, and this is what hackers can do. So that’s why you need encryption. So yeah, in terms of the other free ones, like, you know, PGP is a very common one as well. But you can get some of these encryption solutions. Unfortunately, you have to read the instructions, because they were built, really, they do function, they function very well. But they’re a little harder to use. They’re not very user friendly. So you have to read the tutorials that come with them.

Will Bachman 41:09
Yeah. And I don’t think I want to do that. And number 11, you said to secure assets on the internet? What do you mean by that?

Sure. So if you have anything on the internet that you store, and the easiest ones are things like, you know, OneDrive, Dropbox, all the things that we talked about on the internet, or if you do things in Facebook, or if you have your own website, just make sure that you’re securing them in the best possible way. I know that’s very vague. But the point is that every application has a very different way of securing it. So it’s impossible for me to tell you exactly how to do every single application. But all of the major applications come with some sort of manual or guide that explains, you know, what are all the settings and things that you can do in order to make it as secure as possible. And amongst some of those things, usually, it’s something like multi-factor authentication. But there are things that you can do for every application that you’ll want to use to make sure that they’re secure. Unfortunately, a lot of hackers nowadays, they don’t bother trying to hack your device if they know that it’s in the cloud. Because if I try to hack your device, that means I actually have to have your device, and then I have to hack it. But if it’s in the cloud, I don’t actually have to have your device, because I can access it from anywhere. And then I can just hack it from there. So like, if I want to get to your email, I’m not going to bother trying to steal your physical computer and then, you know, take your emails from there. I’m just going to go to Gmail or whatever it is that you’re using, and try to hack in from there, right? So make sure that you have difficult-to-get, you know, sort of recovery question answers, things like that. So there are a lot of things that you have to do, but it depends on your specific application or website.

Will Bachman 43:06
Okay. And finally, buy cyber insurance. So what is cyber insurance?

Sure. So cyber insurance is essentially something that any individual or business can buy, that will help cover you in the event that you lost data. So just be cognizant of what the policy says, because depending upon what you buy, you might only be covering security for yourself. Or you could also be covering it for your clients, which is what I would think that most people on this show would be interested in. And essentially, as long as you have security protections in place that, you know, and this will all vary based on whatever insurance providers that you get. You know, as long as you meet certain requirements, you show that you are, you know, doing some level of due diligence, you’re not just, you know, emailing around people’s social security numbers, for example, then you can get coverage for your business up to a certain dollar amount, you know, for a yearly premium. And that’s very helpful. If you think that you have sensitive information and you want to make sure that you’re covered, just be really clear on what the policy does cover and the types of information, for example, patient health care or credit card data or whatever it is that you’re covering, that that’s part of the policy.

Will Bachman 44:33
Well, okay, super helpful list. A lot of action items probably for many of us. Could you tell us just a little bit about your practice, Gary, about the types of clients that you work with and the types of services that you offer?

I’m an Information Security Management Consultant. And what I do is I work with businesses to understand what their cyber risks are. So depending upon their industry, depending upon how big they are, depending upon what type of information they have, for example, we can identify and figure out what are the types of issues they may run into. And then we can identify the best sort of defenses for that. So my typical audience, or I guess, companies that I work with, are typically highly regulated organizations, which will typically be banks. And so that, or rather, that is my typical client, but really it goes with anybody who has any type of information that they want to keep protected.

Will Bachman 45:42
What are banks doing now in the coronavirus pandemic, with employees working from home? How are they dealing with all the security risks?

So right now, they’re really just following the same protocols that they had before. Unfortunately, a lot of these guys are squeezed pretty tightly. So they’re trying to find ways to reduce their costs at this particular time. What’s interesting about, I guess, banks, and the reason why they, you know, they typically need security services, is that they have a legal obligation to do certain things. So they actually aren’t allowed to turn things off. So really, what they’re doing today is the exact same thing as what they were doing before COVID-19.

Will Bachman 46:33
So their employees are kind of logging into the bank via some sort of Citrix or VPN kind of thing, where it’s more secure than if, you know, employees that are just, like, logging into a corporate email or something that are not under those strict requirements?

That’s correct. Yes. So yeah, banks, because they’re regulated, they have that. What I will say is that there are other organizations, which I’m starting to get calls on, that are not. So because what has happened is, when they start to rush, I would say rushed, really, to work from home in March, what happened is that they would lower their security standards, or not even think about it. And then now they’re running into problems. And so companies with a lot more to lose, so for example, law firms, they have a lot of intellectual property there, they have a lot of, you know, non-disclosure type of things, things that you definitely don’t want to get out of there. But because they’re much less regulated than other industries, they have a lot more leeway to sort of reduce the security in times of sort of crisis, I guess, when they need to move quickly for functionality. But now they’re finding that with the increase of hackers, because of these sorts of trends, they have problems that they need to address. So it’s actually been quite interesting to see how COVID-19 has, for about a month, actually significantly decreased the amount of work that I had, but that was very brief. And now it’s, like, gone way back up. It’s just kind of interesting. Okay.

Will Bachman 48:23
Yeah, boy, law firms, like the Panama Papers and all, the law firm gets hacked, a lot of stuff comes out. So

Yeah, and I’ll tell you, there’s a very interesting use case. You know, whether it’s legal or not, I don’t know. But at least from a technical perspective, I think it’s very interesting. So you know that there are ways that, you know, marketing people or sales people can sort of track emails and whether or not they’re opened. So what some companies will do is they’ll send, like, a tracker to opposing counsel, or whatever, of the organization that they’re suing. And then if that organization forwards the email to an insurance company, well, that first company can actually see that going on, and could see that that email got forwarded to insurance. Because you can look at, like, the IP address and figure out, you know, who does this belong to and where it is, and so on and so forth. So then they become much more aggressive at seeking a payout, because they know that the insurance company’s involved. So it actually, you can use these sorts of tools to do very interesting things. And then from a security perspective, you know, I get called to say, you know, how do I prevent them from knowing that I’m contacting my insurance company? So it’s very interesting, the use cases that people are coming up with, and they’re getting a lot more creative by the day.

Will Bachman 49:50
Wow. So gosh, Gary, thank you so much. This has been incredibly informative and really important, that while, you know, folks are scrambling to, you know, rescue their business and develop plans, we need to be more vigilant than ever on cybersecurity. So you gave the email address, you gave the website before, but mention again, where can people go and find you online? And if you want to give a Twitter or, you know, account or handle or any other thing, where’s the best place for people to find you?

Sure, um, I think my website, probably the best place. So that’s alfizo.com forward slash unleashed. And I’ve got a contact form on there that you can use. You can also download a copy of the 12, that’s sort of notes that I had there, the 12 activities for security that we talked about on this podcast. My email address is gchan at alfizo.com. So gchan@alfizo.com. And I just wanted to thank you very much for your time, Will. I love hearing your show, and I’m so thrilled to be one of your interviewees on it as well.

Will Bachman 51:09
Gary, thanks a lot. This was a really fantastic discussion, and I really appreciate you coming on the show. All right. Well, have a great day.
