20-Minute Tech Talk:

How IT Security Savvy Are You?

Do you want to see just how security minded you really are? Watch our recorded webinar below for a fun, interactive learning experience as we leverage a game-based learning platform to increase everyone’s awareness of IT security.

QUESTION #1: What percent of security breaches could be avoided by simple steps (such as updating software)? 78%, 82%, 87% or 92%?

ANSWER: 92%

Cathy’s Comments: Getting back to the basics about security is important. So obviously, with everyone working remotely and the distributed workforce, it’s a lot harder to make sure that you are practicing good security hygiene. When you’re in the office we can do a lot… we can control the things that are in the office. But when you’re remote, now you’ve really got to be concerned about making sure that everything you can patch is patched. We’re not talking just the computers, and we’re not talking just the servers; we’re also talking about your network devices (in the office, that would typically be your firewall, your switches, and your wireless). You likely have the same, at least those three components, in your home as well, so you want to try to keep those updated as much as you can. And not just the hardware updates but also all the Windows updates, Mac updates, and the software that you’re using. So, you want to make sure that you’re updating your Office software, your browser software, Adobe… different types of updates. One of the things that we’re seeing is that because everybody’s remote, they’re not necessarily thinking about this, and they’re not necessarily able to easily track or actually accomplish it in any kind of systematic way. So just a reminder, get back to those basics and make sure you’re patching everything.

When you can, you also want to secure the network, so that includes things like a firewall. And since folks are remote, you want to make sure that you’re doing a good job of securing the endpoints, the actual devices that you’re using. That includes things like antivirus software and something called DNS cleansing. What that does is, when you click on a link either in an email or in a web browser, it checks that link and makes sure that you’re going to a safe location on the web. And, of course, you want to always make sure that you’re backing up your data. If everybody was in the office and they were all centrally located, that might actually be an easier thing to do. But with everybody distributed, you do have to worry about people pulling things down to their local machines and having a lot more data locally on the machine that they’re using remotely. So you want to make sure you’re practicing good security and also backup so that you are protected, and you can avoid 92 percent of security breaches just by getting back to the basics and patching and having good backup in place. Basics work!

QUESTION #2: Multi-factor authentication (MFA) occurs when you:
  • Approve a financial transaction
  • Log into your computer using your profile credentials
  • Submit two or more pieces of evidence to an authentication mechanism
  • Multiply two factors

ANSWER: Submit two or more pieces of evidence to an authentication mechanism

Cathy’s Comments: First, I just want to remind everybody that typically what we encourage everybody to do is to have a unique account for each user, and whenever possible don’t share accounts. Now sometimes there are websites or places that you go to where you do have to share them. And when you do that, obviously, when you can, we would like you to put MFA on everything—especially on shared accounts. MFA, in particular, what that does is it’s two pieces of authentication, so you put in your user ID and your password, and typically most people are using their cell phone as the second authentication piece. But think beyond email… any of the banking websites that you go to, social media sites that you go to, your applications, your software applications and things of that nature. Whether they’re in-house or cloud-based, if you can implement MFA on it, you should. Because what we’re finding is that by having those multiple layers of authentication, that is how we’re stopping the ransomware and the attackers from getting in. We’ve had some sad incidents throughout all of this where we’ve had what they call “lock and leak” or “name and shame.” They will encrypt the data, and if you don’t pay the ransom, or because you have the backup you think, “oh, I don’t need to pay the ransom, I have my backup,” they will then say, well, you know, we’re going to take your data and we’re going to expose it out in public. This has actually recently happened in the news. So, if you’re paying attention to the news, you can see some current instances of this.

The other thing is we remind everybody to have really strong password policies—unique passwords for everything, which leads you nicely into having a password manager. The average person has somewhere around 80 accounts that they’re trying to keep track of. I don’t know about you, but I can’t keep track of 80 accounts, so the password manager is a godsend. So unique passwords, strong passwords, long passwords; use passphrases, in particular (they’re harder to get and they’re more memorable). So strong password policies and a password manager will help tremendously to keep those hackers from knocking at your door, and they’ll move on to somebody else instead.

QUESTION #3: Microsoft sends you an email indicating that your password is out of date and you must set a new one. Your next step is:
  • Follow the link and reset the password
  • Delete the email
  • Reset your password manually
  • Reply asking for more information

ANSWER: Delete the email

QUESTION #4: The best defense against a phishing attack is:
  • Email filtering
  • VPN (Virtual Private Network)
  • Human intelligence
  • Anti-virus software

ANSWER: Human intelligence

Cathy’s Comments: The one thing that we really want to emphasize is that your best protection against insecurity is the human firewall. It’s really the people in your office. No matter how strong your security is, one person can make a mistake and undermine the whole thing. So, you want to make sure that you’re educating them and training them on security awareness things like what to do when you get a phishing email. The gut reaction on that question was to go out and change your password, but you don’t necessarily need to do that. What you really need to do is be smart enough to realize that this is a phishing email and delete it, which is why we had that as the correct answer. If you are concerned, there’s certainly no harm in changing your password, but what you should do… let’s just pretend it’s your Office 365 password: you should personally, manually go over to your web page, go to Office 365’s web sign-in page, and change your password there. The human firewall is Step #1… you want to teach people how to recognize a phishing email. Sadly, we had somebody call us… they are preying on folks in the remote workforce and they’re preying on people’s sympathies through all of this (e.g., “I need help because of Covid” or things of that nature), and it may look very legitimate, but it’s still a phishing email and they are managing to get money and information out of people.

The other one (you notice I have all these social networks here too) I wanted to mention is that quite often what they’re doing now is trolling these social networks to get the answers. For example, you know when you go into a banking site, they’ll ask you who was your firstborn, or what school did you go to first, or things like that. So, what you want to do is be careful about what you’re putting up on social networks. You know, if you’re comfortable sharing that information on a social network, that’s great, but then maybe what you want to do instead is a trick/tip like I do. When I get asked “where did you go to school first?”… instead of putting the legitimate answer in there, I’ll put something else. Or they’ll ask you “what’s your mother’s maiden name?” Instead of answering my mom’s maiden name, I’ll put in “skywalker,” because she’s related to Luke and Leia Skywalker. So, I’ll keep track of that, and I’ll put that into my password manager. So, you can still share on your social media sites, but when they give you those social questions that they’re asking you for your security questions, perhaps come up with a fun answer that you could use instead. And again, save that in your password manager. And one of the other things I meant to mention back with the MFA is that quite often when you set up MFA they’ll give you something called a recovery password. So, if your phone kicks the bucket and you have to replace your phone, some of them will allow you to go in and change the MFA, but some of them will request this thing called a recovery password. So, when you set up the MFA, if it offers you a recovery password, you want to make sure you save that and put it in a nice secure place as well.
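The “go to the sign-in page yourself, never through the link” advice above comes down to one check a human (or a mail filter) can make: does the link actually go where its text says it goes? The following is an added example, not code from the webinar, that pulls every link out of an HTML message and flags the ones whose destination is outside a trusted list or whose visible text names a different domain than the href. The sample message, the trusted-domain list and the function names are constructed for illustration; the phishing host uses the reserved example.net domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a "password expired" lure whose visible
# link text names Microsoft while the href lands on an unrelated domain.
SAMPLE_EMAIL = """
<p>Your Microsoft 365 password expires today. Reset it now to avoid interruption:</p>
<p><a href="http://login.microsoftonline.com.example.net/reset">https://login.microsoftonline.com</a></p>
<p>Questions? See <a href="https://support.microsoft.com/">Help</a>.</p>
"""

# Assumption: the domains this organisation expects password-related mail to point at.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com"}

# Something that looks like a hostname inside the clickable text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores multi-part suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str, trusted: set):
    """Return [(href, text, [reasons])] for links a user should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("not a web link")
        elif registered_domain(host) not in trusted:
            reasons.append(f"destination {host} is not a trusted domain")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The first link trips both checks: the real destination is example.net (the trusted brand name is only a subdomain label in front of it), and the text the user sees claims a different domain. The second link, a plain “Help” pointing at microsoft.com, is left alone. The same host-versus-text comparison is what a person does by hovering over a link before clicking.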

QUESTION #5: When a hacker sees all your incoming email, they:
  • Have access to your password
  • Have auto forwarded messages in your account
  • Lie in wait to get information needed for an attack
  • All of the above

ANSWER: All of the above

QUESTION #6: Your client asks you to complete a seven-page IT security questionnaire filled with lots of technical stuff. What do you do?
  • Answer the questions as best you can and return it to the client
  • Answer “yes” to all the questions asking about IT security you have in place
  • Get guidance from your trusted professional in IT
  • Send them a copy of your IT security policy manual

ANSWER: Get guidance from your trusted professional in IT

Cathy’s Comments: When it comes to these security policies, these questionnaires tend to ask a lot of technical questions. We see them come in often from our clients (their clients are asking them), and we see them come in for cybersecurity insurance: when you’re applying for your cybersecurity insurance, they’ll often ask you what things you have in place. If you accept credit cards in any way, shape or form, you’re going to get asked these types of questions on your PCI compliance audit. And then, of course, there are all kinds of industry-specific ones that are out there as well. So, one of the things that we like to emphasize here is that you need to have a nice IT security policy and structure in place, and you need to make sure that you don’t have things hiding like this little mouse is in the clouds. With a lot of our clients, what we find is we start to talk to them (what kind of data do you have and where is it and how is it stored?) and we discover, for example, yeah, we work with outside consultants and we get their social security numbers so that we can pay them as a 1099. But we also help reimburse them for travel expenses and things like that, so they may end up with documents or PII, maybe their passport or their driver’s license or credit card numbers, so that they can make a reservation for these people as well. So, one of the things we want to mention is to make sure that you’re looking at ALL your data. Make sure that you’re not hiding information that’s valuable inside of all of your other stuff and have it all jumbled together. What you want to do then is segregate it out. Things that are truly not confidential, put over here and give general access. But, if it’s something confidential, put some access levels in place and classify it, and make sure that people understand that something that’s over here in the classified area should not be copied or stored over in this sort of wide-open, not-confidential area.

The other thing is you want to review this on a regular basis, because what we found is people THOUGHT that they were keeping things segregated but things were sneaking in. We would say roughly once a year you want to evaluate this and re-architect it. One of the things we also find is that as we’re helping clients move from having in-house, on-prem servers to the cloud, this is a super time to have that discussion and really dig into the data.

And then last but not least, you want to test what your vulnerabilities are from the inside out—both on the inside and on the outside. So if you accept credit cards, PCI compliance is now starting to require that you do internal vulnerability scans in addition to external vulnerability scans, so we’re seeing more and more of this with our clients.

And then one of the things I’ve pointed out on this last bullet here is about the logging. If you look at it, most breaches are taking MONTHS to be detected. And what we’re finding is, because it’s taking months, quite often all of the audit trails and the audit logs that you need to back into how this happened, and the breadcrumbs that are left behind, may be gone, because quite often people aren’t keeping the logs for long periods of time. So, the first step is obviously to get the logging enabled so that you have the breadcrumbs, and the second thing is to start to evaluate how long you need to keep them and manage them. By doing these things, even if something does happen, let’s just say I’m breached, if I don’t have access to the classified data, the risk of what’s going to be exposed for the company goes way down. So, that’s why you want to segregate your data as best as you can.
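The “look at ALL your data” step in the comments on Question 6 is usually the hard part: the consultant’s SSN or the card number used for a hotel hold is sitting in a folder nobody thinks of as confidential. Below is an added example, not code from the webinar, of the kind of discovery pass that finds those items so the documents can be moved into the access-controlled area. It looks for US Social Security numbers and payment card numbers, and runs the Luhn check on card candidates so that ordinary confirmation or tracking numbers are not flagged. The three sample documents and their contents are constructed; the SSN and card values are standard test patterns, not real data.

```python
import re

# Constructed sample documents standing in for a shared drive (not real data).
SAMPLE_DOCS = {
    "contractors/jdoe-w9.txt": "Contractor: J. Doe\nSSN: 123-45-6789\nPay as 1099 vendor.",
    "travel/hotel-hold.txt": "Hotel hold placed on card 4111 1111 1111 1111, exp 09/27.",
    "general/lunch-order.txt": "Tuesday tacos. Confirmation number 2024 0987 6543 2109.",
}

# US SSN in dashed form. Area 000, 666 and 9xx, group 00 and serial 0000 are never issued,
# which removes some obvious false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# 13 to 19 digits with optional single space or dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (ISO/IEC 7812)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Map of PII kind -> list of matches found in `text`; empty when nothing was found."""
    hits = {
        "ssn": SSN_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_ok(m)],
    }
    return {kind: values for kind, values in hits.items() if values}


def classify(docs: dict) -> dict:
    """Label each document 'confidential' if it carries PII, otherwise 'general'."""
    return {path: ("confidential" if find_pii(text) else "general") for path, text in docs.items()}


if __name__ == "__main__":
    for path, label in classify(SAMPLE_DOCS).items():
        print(f"{label:12s} {path}  {find_pii(SAMPLE_DOCS[path])}")
```

The third document contains a sixteen-digit number that the card pattern matches but the Luhn check rejects, so it stays in the general area; the W-9 and the travel booking are both flagged for the confidential area. Extend the patterns (driver’s licence and passport formats vary by issuer) before running it against a real file share, and treat the output as a worklist for a human, not as the classification itself.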

QUESTION #7: When you use a public Wi-Fi network, your device and data are theoretically:
  • Accessible on the World Wide Web
  • Accessible to anyone on that network
  • Broadcast throughout the network
  • Secure and protected

ANSWER: Accessible to anyone on that network

Cathy’s Comments: One of the things that we’re seeing now, as folks have moved to working from home, is that they’re a lot more mobile. A lot of companies had desktops and they’ve moved to laptops. A lot of us, maybe, were already going into Starbucks or wherever prior to Covid and jumping on the Wi-Fi there. Theoretically, if you’re at Starbucks and you jump onto their Wi-Fi, other people on their Wi-Fi can see you unless you have something in place to protect your device—whether it’s your cell phone or your laptop. So, one of the things we want to make sure you do is have some sort of a plan and protections in place to prevent that. The other thing that we are encountering, because more people are moving towards laptops, is their desire to be able to install things on the laptop. Maybe they’re remote and they want to download Kahoot or download Dropbox or something like that. You want to think about what they can and cannot install on the individual devices. What we’re seeing from an industry and a trend standpoint is that instead of denying you the ability to download things, we’re implementing technologies that flip that around, and essentially you whitelist, or you say these are the only things that are allowed to run on this machine, so it’s a zero trust type of a model. So, instead of saying you can download whatever you want, or we’re going to deny you the ability to download something, we’re going to say, “no,” this is the subset of what you need for your job and that’s it… if you want something outside of the scope of that, you need to get assistance from the IT Department.

The other piece to this is that the technologies that we’re rolling out now are starting to leverage Artificial Intelligence (AI) and SIEM (Security Information and Event Management), the logging that I mentioned previously; they’re using AI to filter through all of those logs and now trigger and alert you when something untoward is happening. So, these are all things that we’re starting to see roll out now, whereas in the past people were less concerned because they were in an office behind a firewall, and so you may find that we’re going to be reaching out to some of you to talk about the implications of this and what you might want to do to tighten up the security in your own environment.

Additional Post-Game Questions:

  1. What are your thoughts of very long simple-ish natural language passwords?

    I like those. I think that this is what they’re recommending now in terms of passwords—using some passphrases or things that you could string together that are memorable but have meaning to you. One of our techs here, Tracy, I like asking her for passwords because she’s extremely good at this. You’ll ask her for a password and your password will be ice20cream21, and I can remember that… I love ice cream, so it’s easy peasy for me to remember, and she’ll put some capital letters in there and it’s got some numbers and maybe she’ll do an exclamation point at the end. I think that is a great way to handle passwords. I would still put that in a password manager, though, and I would have a unique one for every site that I go to. Short gibberish is easier for a computer to hack… the longer the better; length definitely matters. I don’t know if you remember WarGames, but that scene in WarGames where it was flashing up there and figuring out the numbers for the launch codes is the exact same thing as when they’re trying to crack a password. It’s going through every iteration, and the longer it is, the more iterations it has to go through. So definitely length is more important than complexity, if you had to pick between the two.

    A lot of the password managers will help you generate a password. You can click “generate my password” and it’ll save it in there, and then what they also will do is populate the answers into a web browser. One of the things I will suggest, though, is if you have a password manager that you’re using and you’re just moving into it, you should clear the passwords cached in your browser and then install the password manager. Then start to save them into your password manager, because most of the password managers aren’t emptying out what you already have in your browser cache. So, I would do that as Step #1: clear your cache, put your browser extensions in with the password manager, and then fill those in to populate your password manager with those passwords.

  2. How can we update a browser (i.e., Chrome)?

    If you go to the top right (where it has the three dots) and then go to “Help” and “About Chrome,” that’ll check for the update and tell you your current version. If there is an update, you just hit “Relaunch” and it updates. Most of the browsers (Firefox has a similar thing) you can actually set up to prompt you when they have updates as well. We find sometimes people ignore those. The other thing that we would like to see you do is to have it set up in such a way that you can tell if somebody has updated their browser or if they’re behind. That’s one of the things that our management agent is able to tell us.

  3. Can the browser manager be hacked, or would a firewall prevent access to your machine?

    If somebody gets onto your machine and they’re able to run any kind of a script—this is why I suggest clearing out your cache—because if they’re on your machine and they run a script, they can easily extract any passwords that you have saved in your browsers. So, I’m not quite sure if I totally understand this question in terms of the browser manager being hacked. The password managers, obviously, could in theory be hacked, but they have put all kinds of things in place to prevent that. The other thing on password managers is that by default some of them don’t require MFA. If they don’t, I would obviously recommend that you turn that on, because your password manager is sort of like the top keys to the kingdom. If you use a password manager, obviously use a user ID and password and some other level of multi-factor authentication with it. Most password managers, in my experience, offer that as a standard thing now, but they don’t necessarily make it mandatory.

  4. Are hardware firewalls necessary?

    I believe that they add an extra layer of security. So, I would answer, “yes!” What they do is, if you think about how your network is constructed, there’s the internet connection coming into your house or your office, and then it hits the ISP’s piece of equipment, which is usually a router or a modem, and then it hits your network, whatever’s behind it that they don’t control. So, the next piece that you want it to hit is that firewall. The firewall is going to actually look inside the packets that come through and say, “Is this something that somebody on this side of the network requested?” and allow it through. It’s also going to do some light scanning for viruses and things of that nature, and you can also now configure some of the more sophisticated firewalls, like a SonicWall, to look inside of encrypted SSL traffic as well. The point behind SSL (when you get that little https and the little padlock) is that every piece of data that’s going back and forth at that point is now encrypted. So, you can get pieces of equipment that can look inside that encrypted traffic and make sure that it’s still legitimate stuff that’s going in and out of your network. We still recommend firewalls… frankly, I have one in my home. You do get a really sort of light one from the ISPs, but I would suggest that you consider using a firewall, pretty much because it is blocking things like traffic trying to hack in, denial of service attacks and things like that.

  5. What about people that log in and sync their passwords with a service like Google, Firefox or Microsoft?

    I am not a huge fan of that, but I know people that do. One of the things that we do find with some of the password managers is that they will now block you from being able to do that type of syncing between the services. This goes back to education, and educating your employees around what you’re allowing them to do and not do. As an example, if you’re in marketing, there’s a tool called Hootsuite that you can use to schedule social media posts, and you have to allow it to get into your LinkedIn, for example, so that it can push your LinkedIn posts out automatically on a scheduled basis. So, one of the things that you have to do is authorize Hootsuite to get into your LinkedIn account. So, what you want to teach your users to do is to think twice about using your Google account or your Facebook account or whatever to log into other sites. For example, my son wanted to buy something on StockX, and it nicely offered up logging in with your Facebook account. But, if your Facebook account gets hacked, now they can get into your StockX account, which has a credit card attached to it, and it can ripple all the way through. So, my suggestion would be, wherever possible, to just have a unique account for every single site and don’t do these connected logins. Some things you do have to do it with, though, and there’s just no getting around it. Again, it goes back to that education and making sure that you’re vetting… I’ve decided that Hootsuite is the platform we’re going to use for posting social media, and it wants access to LinkedIn; I’m good with that, because I believe that Hootsuite and LinkedIn have appropriate security measures in place. I’m not so confident with StockX. That would be my advice there. Sometimes the techs disagree with me on some of these things, but I came from an Exxon background, and I used to call them security and controls freaks, but living in the world we live in today it’s served me well.
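The answer to post-game question 4 describes the core of a stateful firewall in one sentence: a packet coming in from the internet is allowed only if “somebody on this side of the network requested” it. As an added example (not code from the webinar, and a simulation rather than a real packet filter), the model below keeps a connection table keyed on the five-tuple of each outbound flow and drops any inbound packet that neither matches an existing entry nor targets a deliberately published port. The LAN range, the RFC 5737 documentation addresses for the outside hosts, and the class and function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the LAN behind the firewall. Outside hosts below use RFC 5737 documentation ranges.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Allow inbound traffic only if an inside host asked for it (or the port is published)."""

    def __init__(self, inside_net, published_ports=()):
        self.inside_net = inside_net
        self.published_ports = set(published_ports)
        # Connection table: one entry per outbound flow, recorded from the inside host's view.
        self.table = set()

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside_net

    def filter(self, pkt: Packet):
        """Return (allowed, reason) for one packet and update the connection table."""
        out_key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # The reply to an outbound flow has the same five-tuple with the ends swapped.
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        src_in, dst_in = self._inside(pkt.src_ip), self._inside(pkt.dst_ip)
        if src_in and not dst_in:
            self.table.add(out_key)
            return True, "outbound: connection table entry created"
        if dst_in and not src_in:
            if reply_key in self.table:
                return True, "inbound: reply to a flow an inside host opened"
            if pkt.dst_port in self.published_ports:
                return True, "inbound: port is deliberately published"
            return False, "inbound: unsolicited, dropped"
        return False, "does not cross the firewall"


def demo():
    """Constructed packet sequence: a browsing session, then two probes from a stranger."""
    fw = StatefulFirewall(INSIDE_NET)
    inside_pc, web_server, scanner = "192.168.1.10", "198.51.100.7", "203.0.113.9"
    packets = [
        Packet("tcp", inside_pc, 51000, web_server, 443),   # user opens an HTTPS site
        Packet("tcp", web_server, 443, inside_pc, 51000),   # the server's reply
        Packet("tcp", scanner, 4444, inside_pc, 3389),      # stranger probing RDP
        Packet("tcp", scanner, 443, inside_pc, 51000),      # same ports, wrong peer
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DROP ", reason)
```

The fourth packet is the instructive one: it reuses the port numbers of the real reply, but it comes from a different outside address, so it matches no table entry and is dropped. Real firewalls add what this model leaves out: entries expire when a connection closes or goes idle, and the virus scanning and TLS inspection the answer mentions happen on the payload after this allow/drop decision has been made.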

Thank you for joining us today! We hope you enjoyed our little Kahoot webinar experiment.