In this digital workshop, Pure Financial Advisors’ Information Systems Security Manager, Jake Stampfli, MSCSIA, provides steps we can all take to keep ourselves safer online. Download Jake’s slides here.
*NOTE: The information in this video presentation and in these slides could be out of date within a year of publication. It’s always a good idea to seek out the most current cyber security information.
- What is hacking?
- Keeping your software up to date
- Practicing good password management
- Anti-virus and firewalls
- Wi-fi do’s and don’ts
- Be careful what you click on
- Using mobile devices safely
- Video conferencing in the “new normal”
Pat – If your Facebook posts are limited to friends only does this mean Facebook is hacked?
Nancy – What about password apps that save all passwords, are they safe?
Debbie – Is free software as good as paid software?
Jane – I have Windows 10 and you said to use latest version. Do I need to upgrade?
Emily – Is anti-virus software necessary for the cellphone?
David – Not sure what you mean by Public WIFI…is that what we can get at Starbucks, etc?
Nell – What’s your recommendation for anti-virus software?
Frank – Does using a VPN on a public network provide security?
Kim – How do I get a VPN?
Barbara – Is a personal Hot Spot secure?
Fred – Is Netgear’s Armor security package a good way to secure a home WiFi network?
Jeff – Do I understand you correctly … a Gmail account is more secure than a SBC Global account?
Teresa – Is it a bad idea to utilize the “Unsubscribe Here” link at the bottom of junk e-mails or other mailings not wanted?
Nancy – how do you run a security check on email?
Susan – But is it always safe to unsubscribe? This sometimes lets the Phishers know they have a potential victim. I have always heard it is best to simply delete the email and avoid any response to the phishing attempt.
Louise – Lots of websites ask about cookie preferences, how should these be handled?
David – Are Products such as LifeLock helpful?
Andi: Hello and welcome. My name is Andi Last, and I am media manager here at Pure Financial Advisers and thank you all for joining us for this webinar with Pure Financial Advisors’ Information Systems Security Manager Jake Stampfli, MSCSIA. Jake has a Master of Science degree in cybersecurity and information assurance, and today he’ll be sharing 10 cybersecurity tips and tricks to help keep all of us safer online. Great to see you! It’s so rare that I actually get a chance to see you on screen. You’re usually behind the scenes with me.
Jake: I even wore a tie for you. You know, I think you usually joke on this side of the camera. But you know, I appreciate giving you after you do this, and we’re here to kind of simplify some of the more complex cybersecurity issues of the day for you. So we’re going to we’re going to go through that and we’re here to offer our top 10 cybersecurity tips and tricks. So with that being said, let’s go to the slides. We’re going to go over what is hacking. I want to give you some tools to put in your bag. So you kind of understand, how is that done? What is being done to gather information to to be used against me, right? And now we’re going to go through keeping your software up to date, practicing good password management, antivirus and firewalls, Wi-Fi dos and don’ts, email, being careful what you click on? That’s a very important one. I’m going to kind of dive into that a little bit. I got some some visual aids for that one. Backups may be important. Some of you may not be important to some of you. We’re going to go through that and using mobile devices safely. A lot of people think of mobile devices differently than they do personal computers, encryption and video conferencing in the new normal. So hacking by Merriam-Webster is to gain illegal access to a computer network or system. And I kind of want to get you to think about that because that’s how we that’s how we know what hacking is today is what most people think of they think of.
Typically, they think of this dark hooded figure and in some nefarious location with a bunch of wires and some sci-fi movie setting, right, so real hacking is it’s boring. It’s a bunch of scrolling text and tools that the people can utilize against a target or a person. So it’s important for you to understand a couple of concepts, right? So you’re going to hear an onion analogy and most security classes that you take. So I’ll kind of shrink down what I’ve learned and what I’ve gone through in my in my education, my certification, so they like to use the onion analogy because onions have layers and in cybersecurity it is a it’s a moving target on a sliding scale. And what that means is cybersecurity is always going to be moving. Attackers do something and then we do something right and nothing’s ever going to be 100%. No one’s ever going to be 100% secure. Let’s say the Pentagon is 90% secure. Well, then the average person is probably going to be less than that, right? So we’re going to give you some tips and tricks to kind not be the low hanging fruit. You don’t have to be the NSA. You just don’t have to be someone without a password. Right. We’re going to layer that and layer the end and kind of describe the onion and give the layers to better secure yourself. This is a kind of referred to as what’s called the hunter’s dilemma. It’s kind of a more of an analogy, but you don’t if you’re if there’s two hunters in the woods, you don’t have to be fast or no, you just have to be faster than the slowest hunter, right? And it’s kind of morbid. But to relate that to cyber cybersecurity, you don’t have to be the most secure person you can be. You can have decent security and still be relatively safe. So I want you guys to think about that as we as we roll through this. So how do you get hacked? What happens? Right? This isn’t something that just happens. There is there’s usually five phases of this. There’s a bunch of different models that can be used and TTPs, as we call them, techniques, tactics and procedures. But I’m going to basically kind of shrink it down to a more bite size portion for you guys. So in reconnaissance, scanning, gaining access, maintaining access and then kind of covering their tracks is is generally how the average computer user gets compromised. So in the reconnaissance phase, reconnaissance is nothing more than steps taken to gather evidence. And that’s going to be what we refer to as passive or active. Passive is is looking at your your social media, right, your Facebook. They know who your friends are, your nieces are, what you eat for lunch based on your social media, anywhere from Snapchat to Facebook to Twitter. So it’s kind of funny. My first my first course was actually had nothing to do with toolsets. It was actually Facebook and reconnaissance passive reconnaissance on people. So be careful what you post on on Facebook. I actually had a friend side story who flew a drone through his house, and he asked me, Wasn’t this really cool like, look at this drone footage and I said, Yeah, you’re you’re showing everybody your house and what’s inside your house. And you know what? I’m always thinking from that mindset. And he wasn’t so and he was like, Oh, you’re probably right and took the video down. So scanning an enumeration is just what we have learned from the first phase we carried on to the second phase, right? They’re going to take that information and kind of maybe be more active and utilize tool sets to kind of see if there’s an avenue where they can get into your computer and they’re going to take what they’ve learned from two and move to three, which is gaining access. And this they’re going to use what they’ve used in the enumeration phase to kind of get entry into your systems or your network or or something that you didn’t see. Target was hacked through a thermostat. Smart enough on the network. Dumb enough to not be a computer and have normal, you know anti-vulnerability anti-malware controls. So once they were in, they compromised a bunch of users. So maintaining access once you’re in, you want it. You want to ensure that you have a way back in from a hacking perspective, right? So. A lot of people will go, Oh, you know, I think I have a virus. My computer flashing all these things and it’s really loud and it’s I don’t know to do. I have all these pop ups that’s probably just annoying spam. They can use that to deliver malicious payloads. But if something’s loud and noisy, it’s probably because they’re trying to get you to click on something or they’re just advertising and trying to be annoying. Real threats are quiet. Real threats don’t want you to know that they’re there, right? So that leaves the fifth stage where they’re going to kind of cover their tracks up and make sure that they have a persistent access to you. So this is generally how all that stuff happens. I felt it very important to explain because a lot of people think that, you know? There’s these Hollywood things, Hollywood movie scenes, where people are just in The Matrix and they’re hacking really fast and and also know they’re in. It takes months, weeks, you know? Sometimes years to, to hack into certain organizations or people, it doesn’t just happen overnight, and we’re going to talk about the time aspect of that a little later.
Andi: Hey Jake, real quick, we’ve got a question, Pat would like to know if your Facebook posts are limited to friends only, does this mean that Facebook is hacked? I think Pat would like to know whether or not that is safe to be able to post that drone footage if the only people who consider your friends?
Jake: Right, great question. So a lot of these, these platforms have security checks and they allow you to go through and go who do you want to view this? I would highly encourage that. However, we like to refer to this as breadcrumbs or link ability. Chances are, like I said, it’s a sliding scale, right? Nothing’s 100%. So if you feel that it’s safe with just friends and family, then OK. But there’s always that, always that small percentage and I would encourage you, like, he said, to go through those security settings and make sure that you look at those and that you limit who has access to your personal information and your personal lives.
Andi: And I guess the thing to keep in mind is the fact that people can actually screenshot things and share them outside of friends and family. So there is still danger there.
Jake: Exactly. And it’s once it’s on the internet, it’s really hard to retract it, right? So that’s a great question. I love those questions. So this would be our first tip and trick, keeping your software up to date, right? A lot of people view this from from multiple angles. The two most common angles that I get on this one are, well, I don’t want to update my software because it’ll break my system. This is a fallacy. If it does break something, it’s going to be fixed within a week, maybe two weeks. And then the other angle is, well, every time I update, it takes like 45 minutes, it takes an hour and I don’t have time for that. I have to get my job done. And that’s understandable. Computers are a way for you to complete what you need to and connect to the world, right? It’s kind of inconvenient if you have to constantly be patching, which is in the state we live in. Constant patching is seeming to be the norm, but the reason why those patches take so long. Normal patches for windows take anywhere from 30 seconds to less than 3-5 minutes, right, core updates for for the major operating systems, those are the ones that take 45 minutes, 20 minutes. I mean, those are long. But if you take a long time to patch, I guarantee you will take 45 minutes and 60 minutes. The longer you wait, the more your system will start to degrade and not be able to operate. Windows actually needs to be restarted to apply these important critical patches. So if you just do something every Friday, like apply patches and then restart your computer once a week or twice a month, you’ll most likely be fine. The important thing to remember here is that a security patch or update is communication to hackers. If you have a vulnerability. Software manufacturers or computer operating system companies will push out was called a security patch. And if you don’t have that, that is now an attack vector for hackers. So they don’t break your system, they’re good. Please, please update. They are definitely communication to bad actors and you want to avoid older versions of software, so. So finding a way in right, practicing good password management is a huge, huge thing. I would encourage people right now the industry standard, how we use it in a corporate environment is to use a complex password. The person who came up with this stated that you know you want to an 8-12 character password or more. More would be better, I’ll talk about time in a second here. Complex password is upper, lowercase, special characters like that period you see here on the slide the dollar sign. The longer, more complex something is, the better it is, the more time it takes for that person to get in. But the person who made that is kind of recanting now, and he’s saying that a dice word passwords, which is actually the second on that slide right here. Dice word password is. Like 3-5 disassociated words. There’s a bunch of random password generators that you can create online or you can come up with them yourself. And there are 3-5 disassociated words connected with a special character in this case the Dash Bowling Utopia Prince, right? And this it takes a lot of time. The longer the password is, the more time it takes, the more complex it is, the harder it is. You know, they can’t just use what’s called a dictionary attack or so and the reconnaissance phase they’re going to. People are predictable. They’re going to they’re going to make their passwords, their nephew’s birthday or their fiancee’s name or their anniversary year. And attackers know this. They know that human beings have similar characteristics and they’re going to go after those traits and they’re going to take that information that they gain for you in the phases of hacking. And they’re going to use that an automated tool sets to come after you and try and crack your passwords. That’s actually was referred to as cracking, not actually hacking. Hacking is playing with something and come up coming up with a way to use it other than the way it was intended. You’ve heard of life hacks. It’s it’s a great way of thinking of it. OK, so you can even make a complex dice word password if you want. But the important thing here, if you have a takeaway from this, I would say, make it complex, make it 12 or more characters. Right now, we’re not really set up a lot of things still want that complex password, how it works in the real world applications we have, you know, the bleeding edge research and information coming back. And then we have where the industry is right and it’s always trailing behind the bleeding edge. So he’s kind of recanting on that now and saying, Oh, well, dice for passwords are the best.
I mean, it’s really time. The longer it is, the better it is. So you want to disassociate from that. You don’t want to have things that you can attach to you or someone can find from your life, right? So avoid that and avoid password reuse. Password reuse on the web is is huge right now. If you use the same password in multiple places, then people really don’t need to try very hard to to attack you from that angle. They can kind of just take that one password that you use in multiple places, and they can they can just compromise you that way.
Andi: Nancy would like to know what about password apps that save all passwords? Are those safe?
Jake: Really good question. Yes. I wanted to touch on that real quick. So that’s called the password manager. I encourage those, password managers will memorize the passwords for you. And here’s the key they’ll generate unique passwords of any length or complexity for you, and some of them even do dice word passwords that we just discussed. The caveat there is if you have one master password to access all of your saved, randomly generated passwords. Well, then you can be compromised if they get that one password, right? This is where two factor authentication comes into play, so how I like to explain two factor authentication is that something you have in something you know, right? So two factor authentication will be the something you know, will be your ID and your password that you normally would use for a site that can be stored in a password manager.
And then two factor authentication will be an application that you download to your phone. A text code that you send to your phone or a one time password to send your email right. I would avoid the less secure routes like text based authentication and an email based, one time passwords because those avenues can be compromised. So having that is better than not having it. I don’t have an all or nothing attitude. When it comes to security, something is better than nothing, but I would encourage you to download an app on your phone and use that app to generate codes every 30, 60, 90 seconds. However, that works. Another one.
Andi: I think this one is actually related to your last slide, but I think it applies here as well. Is free software as good as paid software? That one’s from Debbie.
Jake: Oh, that’s a good one. So there’s a lot of free software alternatives, and this one gets tricky because people get really passionate about this. So this is this is one of those things that I’ll give you my take on it. I don’t by any means pretend to know everything. So this is this is this is a very passionate camp of people, so I’m going to be as delicate as I can. Free software is generally created by companies in order for you to be the product. It’s meant to be distributed to meet a need or a service in order for you to serve an analytical base, so they get information from you for using that for that software. Open source software is is a principle that the code should be open source behind software and that it should be free for people to use, manipulate and if they manipulate it, it’s up to them. They just have to change the name. It depends on the licensing behind it. Free Software Foundation software is more of an ideology, so you can read more about those things on the open web. But open source software is generally it’s more free as in freedom than is free as in beer. But it’s yeah, like I went to. So that’s that’s that’s really how you can think about that. I would I would avoid freeware and I would stick to more free software foundation and open source. Whenever you hear open source, it’s not that it’s necessarily safe or trustworthy. It just has a it has a better purpose behind it. If you’re going to use free software, you go that route. All right. Next, we have antivirus and firewall, so there’s a lot of arguments today. Do I need it? Don’t I need it? Doesn’t Windows Defender offer free antivirus? I heard Macs don’t get it. I’m not here to endorse one brand or another, I have to kind of stay away from that. So. But Macs typically have less of the market share, so it’s not that they don’t have viruses. In fact, they’re in the news today for more zero days because they’re getting more popular. There’s another operating system you might not be aware of Linux that every website, just about every website, the entire internet is. Everything that connects the internet is Linux. And they’re starting to get some malware being written for them. But for the most part, most people use windows. So Windows is what’s written for the most. You can use it, it is getting better, but antivirus can be more, antivirus does more things they start to combining with more tool sets. It can combine with artificial intelligence. It can combine with other security tool sets. So utilizing that on your computer is definitely going to be another layer. As we talked about, going back to that onion is going to be adding layers to your security. And that’s what we want to do. We want to elevate ourselves to not being low hanging fruit and hunter’s dilemma. And we want to add layers to our our security posture, our onion. So. With that being said, firewalls are your doors and windows. Right? It’s kind of a crude analogy, but a firewall essentially will filter traffic, and there’s all sorts of firewall. They can be hardware based or software based. They can be combined with other platforms to make you more secure. And they come native on every operating system. So if you have one, Mac comes off by default, I believe. So you could check inside of your security settings, Mac and you can just turn it on. And that’s going to start making sure. Just like you check to see who’s at your door, your computer’s going to check to see what’s coming through your computer, right? So. All these things are because hackers constantly are attacking and finding new avenues for us to kind of mitigate, so they make a move and we respond. They make a move and we respond. Things are becoming a little more proactive today, but that’s that’s generally how it goes.
Andi: Jane says I have Windows 10, and you said to use the latest version, do I need to upgrade?
Jake: So as long as you’re running patches, you’re pulling down security patches, so you can you can hit the Windows Start menu and just type in the word update and it will automatically and your Windows Settings updates and then click search and it should pull down the most recent security patches. Sometimes you have to force it. I mean, and like I said, Windows needs to restart in order to get those security patches implanted. So no, no need. If you already own Windows 10, no need to upgrade unless you’re on. We go by versions, so if you’re on 1607, I don’t know how that’s possible, but I would I would encourage you to upgrade to the latest version release, and you can check that Microsoft should be checking your operating system and keeping you slowly, incrementally up to date. Microsoft’s actually pretty good. They know that they’re the most attacked operating system out there, so they should be kind of nudging and gradually implementing these core updates, as we call them. So when it goes from one version of Windows to another, it’s not a huge forklift and you’re not sitting there for 40 minutes, right? So I hope that answers the question.
Andi: We do have one more right now. This one is from Emily, she says. Is antivirus software necessary for cell phones?
Jake: Good question. That was a huge debate, and a lot of my academic and certifying authority circles, I would say. The the conclusion after the argument is it couldn’t hurt, but the I will leave you with this the biggest attack vectors today are web and mobile. So. Take it for what you will. A lot of times if you get an antivirus, they offer free mobile with the PC and laptop subscription. Mobile is usually defined as anything that’s not like a traditional computer, like a laptop or desktop. So I know this this might rub people wrong because this is public WiFi, right? Most people are like, look, I just I just want to exist on the internet. I just want to. I’m just trying to text my husband. I’m trying to look at what my my nephew is doing on Facebook. I’m not trying to do anything nefarious, you know? I mean, but you’ve got to be careful. You got to be aware that there’s people out there that don’t have the good intentions and don’t really care what you’re up to. They’re just out to target people. So public wifi, I would just urge you probably not to use that. There are some that are safer than others, but it’s it would be impossible for the average user without tools to tell. There’s a good place that offers free Wi-Fi, should be implementing good security and doing something called segmenting. So that’s if you hop online and I hop online. I can’t see what you’re doing, right? But that’s not the case. A lot of people just want to offer a service when they open up like a small coffee shop or something like that. And in that case, I can be malicious and sit there and put up a fake network and just add a period at the end of it. I can be, you know, big coffee chain period as opposed to just coffee chain. So and I can intercept your your traffic. And then if you’re doing banking on there, which I hope you’re not doing banking on public networks, please don’t do that. Then I can capture that traffic and I can go back to our hacking phases and I can get more information from reconnaissance.
Andi: David would like to have a little bit of clarification. Not sure what you mean by public Wi-Fi? Is that what we can get at Starbucks or something like that?
Jake: That is correct. Yes. Sorry about that. So to clarify that that would be any Wi-Fi network that’s not your own. That’s a good way of thinking about it, like even work. You shouldn’t be doing anything on a work computer because trust me, they’re capturing all that information and they have to. Some some industries are regulated like financial industries, and they have to meet certain regulations. But for this case, to answer your question. Anything outside of your home network? Yes, that is that is what we’re referring to. That would be Panera Bread. You know, the big chains that you go to. A lot of these places offer free Wi-Fi. It’s kind of expected that free Wi-Fi is out there. So. But they’ve learned to capitalize on the information gathered from that, and some of them do sell it to third party vendors. Some of them will, you know, there’s a lot of things that can happen. We’re going to focus on the hacking aspect of it right now.
Andi: I have one more for you? Mell would actually like to know if you have a recommendation for antivirus software.
Jake: I can’t personally endorse things. I have used ___________ in the past, I’ve had people use Norton and have been successful, but I would just use something that uses more than just a signature that they can compare. And so in English, what that means is I would use something that uses more than just, Oh, hey, these are the things that this antivirus should be looking for. They’re incorporating next next generation tools like artificial intelligence or, you know, file behavior. And what you normally would do in your computer, like you can look up the top paid antivirus, please stay away from freebies. They tend to. If you’re not paying for it, you are using the product. So just remember that too.
Andi: I’ve got a couple of questions here about VPNs. Do you want to take those now or should we wait?
Jake: Sure, because maybe I can kill two birds with one stone with that one.
Andi: Frank would like to know does using a VPN on a public network provide security? And Kim would like to know, How do I get a VPN? You might have to explain what a VPN is first.
Jake: So a Virtual Private Network. What it does is it encrypts your traffic from your computer to the point that you’re connecting to the VPN gateways is called so from your computer to the VPN, right? The easiest way to explain it and what encryption is, is we’re going to get into that next slide, but I’m going to cover it here, too. It’s just encoding what you’re doing. So it’s not readable to the other party, right? So easy. Probably rip down version of what encryption is. But anyways, so yes, they’re not going to be able to gather in plain text all of your stuff. They will be able to gather some information, but for the most part, you’ll be protected. So if you do have to go on a public network, I would encourage you to utilize a VPN, a virtual private network. You can stand these up yourself, but for the sake of, I’m going to assume that we have a varied audience here and there are tech savvy people and that I have to I’m going to cut it down the middle and say I would go with a paid service. There is a ton of really good paid service. And what you want to look for in that is do they keep logs? You’re not trying to hide from the government, you’re not going to. That’s another whole big rabbit hole. That’s not possible. There are so many degrees of trust from your point of connection to the internet. I just would avoid that and I would worry about companies and whether or not you’re accomplishing what you want to in a safe manner. And I think a paid virtual private network, will for the most part, accomplish that, but know that you’re still at some risk. And the last one here would be to secure your home Wi-Fi, so most people, they’ll go to their internet service provider and they’ll get. They’ll get a box that does everything. That’s a network appliance, essentially, but this box, it’s actually a bunch of different things if you were to blow that up. Everything in that box we have here just individually is its own little appliance. So if you were to go get internet from your internet service provider. Chances are they’ll print everything on the side. And as long as it’s a complex password, it’s longer than 8-12 characters. You should be fine. The only thing to remember there is if you’re in an apartment complex and that box is in the window and people can just read, know the the password to your router and the pin to your internet box. They can probably get into it, and there’s there’s two passwords there, so there is the password to your Wi-Fi network, right? Let’s say Jake’s wi fi and I have a really strong password, right? And that’s how you joined my network. But there’s also another. Like I said, there may be tech savvy people here that bought their own modem from a big box store, right? There might be another. Mode that you’ve purchased yourself and then you set up, so you might not be aware that the default admin username and password for just about every modem is just available for free on the internet, you can just look that stuff up. So if you’re out in the sticks, if you’re one person out, Ramona, or that’s a local town here, it’s pretty rural and you see a set of headlights, it’s going to be pretty suspicious. You’re going to know that someone’s kind of trying to get free Wi-Fi, right? But if you’re in an apartment complex and you have 100, 200, 500, 1000 people, chances are there’s somebody in that apartment complex is pretty tech savvy. And they they know how to get into the back end.
Andi: So Barbara would like to know, is a personal hotspot secure?
Jake: Cell phone companies do what they can. They’re limited, and it depends on if the traffic is encrypted or not. Like I say, that’s where it’s best just to default and just turn a VPN on when you can. That’s the best answer I can give you for that one.
Andi: And Fred would like to know, is Netgear’s armoured security package a good way to secure a home Wi-Fi network?
Jake: I’m actually not familiar with that one, so I can look that up and probably get back to you on that one. So yeah, so there’s two things to remember with the screen you’re on Wi-Fi, right? There’s your actual network. And then there’s the back end of that box, right? And if you get it from your internet service provider, it’s going to have a password already set in there as long as complex, you’re fine. Keep it out of plain view, right? Because that would be part of the virtual reconnaissance face, physical security, walking through and seeing what I can just observe. Some hackers will resort to that so be careful. Email. This is a huge one. This this is a huge, huge one. So avoid internet service provided email service, please. If if you get almost nothing from this, I would say. Password manager, two factor authentication and a decent email service would that you have that has security tools that you can run through? And that’s I’m going to talk about that. The security check will be great. So to clarify what that is is if you get internet through AT&T, then sometimes they offer email. I believe it was SBC Global if if you get some of the other ones that offer an email, right? That generally isn’t the best idea. They’re here to offer you internet, it’s not what they normally do. So if you have this, it may be OK to keep it. I would lean more towards you should get a normal outlook or Gmail that has, you know, the tools to secure you in the hack so you can go through security checkpoints and they’ll guide you through how to secure your account as opposed to someone who that’s not really their thing. A good marker to know if, well, is this is this something I should have or not ask them if they offer two factor authentication? If they don’t? I would move immediately to one of the bigger services. Yeah, so this is this is a huge, huge issue. Phishing. You can see here I have an example up, it’s from PayPal. So when PayPal, when they purchase a domain, so domain is PayPal.com, that’s a domain. Once they purchased that from the providers. Nobody else can purchase that right. And that’s something to help you determine whether this email is phishing. A lot of things that you can do to is compare the email address. If your brother, Dave Smith, sent you an email, right, and his and his email says, you know, WWF Smackdown@gmail.com, it’s probably not your brother Dave, right? Or if it’s garbled or encrypted, we’ll get into that in the URL links. It’s probably not, Dave, but that’s not everything, right? Security is a sliding scale, so nothing equals 100. You kind of OK, I can compare the email. Let’s check one, and you can see here to that. So they can’t own the domain. Example here is PayPal. They’re trying to spoof, right? You can see here it says Real PayPal. They’ve entered a one, right? And then the dot.ru .ru is the designated for Russia. So obviously, this is probably not a good email and they’ll try. And at the bottom of this phishing e-mail, this is something I set out company wide for our our training. And this is really great because it mocks them through like, hey, check the email for any misspellings, suspicious tones demanding requests. Does it feel legitimate to you? Because you know when traffic feels legitimate to you, and if you don’t? Worst case scenario, just delete it. As you know, they’ll have to send the email again. It’s better than you clicking on stuff, right? Which I’m about to into the danger of clicking on stuff. But you can see here that there’s this kind of robotic tone to it. Alert! There have been multiple failed login attempts to your account. It may have been compromised like all caps. It’s very robotic. It’s almost not proper English, and you can see that they have urgent tones to it. Like immediately urge risk now. That’s that’s someone trying to get you to click on something. Now the good part is that’s phishing. They haven’t executed an attack yet. They’re trying to get you to click on something or they’re trying to get you to call them. And if you’re unsure. Amazon’s not going to send you stuff, Google is not going to send you stuff. Apple’s not going to send you stuff. But if you’re curious if you’re really legitimately worried. Pick up the phone, call them. Say, Hey, has my account been compromised? I received this email and they might even request that you forward the email. It’ll help their security department. So it’s a huge, huge thing. Phishing emails So one of the biggest attack vectors I it usually results in insider threats. So an insider threat is someone inside of a company that will actually click on a link by accident. They don’t mean to. They don’t mean that there’s no malicious intent behind it, but they they’ve just kind of oops and let someone have access to the system, right?
Andi: Jeff would like to know, do I understand correctly that a Gmail account is more secure than an SBC global account?
Jake: I don’t know. I don’t want to go and going to endorsements, but I would say anything that allows you to run security checks is inherently at least more hardened.
Andi: OK. Dorothy says, would you apply the no ISP email to spectrum or are they large enough?
Jake: I would say none of them are large enough, in my opinion. There are so many attack vectors with email, and there are so many things on the back end that need to be in place and happen, and they may have that, they may not have that, but it’s just it’s better not to have that question mark, in my opinion.
Andi: And another one just came through. This is from Theresa, is it a bad idea to utilize the unsubscribe here link at the bottom of junk emails or other mailings that you don’t want?
Jake: No, that’s perfect. Yeah. A lot of people don’t actually know about that. So thank you for the tip and trick. So well, we’ll include you as the eleventh. So, yeah, the eleventh tip and trick here is you can unsubscribe from emails. That’s great. You can send in some e-mail providers. It’ll be up top or in three dots on the sidebar, but most e-mails have them. When you scroll all the way down, you’ll see like an unsubscribe link or a Hey. If you don’t wish to receive this, go ahead. No scribe here. And that actually lessens the amount of junk mail. Imagine if you know your physical mail. Imagine if you had control, if you could just go no more junk mail. That’d be great. And that’s kind of a way of limiting. That doesn’t you’re still going to be subject to third party advertisers.
Andi: And then Nancy just asked, how do you run a security check on e-mail?
Jake: If it’s a function that they offer, there will be some sort of security check up in the settings area. Normally that would be under your icon name or. Under some sort of setting, you can even Google it. I’m trying not to endorse people on my air. You can Google it so. So see how you can. You can search on the web security checkup for your your email service. So be careful what you click on, right? Web links are more than you think. One of the ways that I take control completely of a computer, if we get a new laptop, I actually just send it a link and I click on it. And now I have complete administrative access and control of the whole thing. And there’s various other things like remote access. I don’t want to go into that black hole, but it can be pretty scary, links can be pretty scary when it comes to clicking on stuff. If you do click on a link, a good way to maybe mitigate that is to run your antivirus. If you if you are still unsure, I would take it to a computer professional and have them look and they can run their own tool sets against it. A lot of times these guys have really high dollar tool sets. I would avoid once again big box stores. They are not going to really have the knowledgeable personnel. They’re not going to have the certified personnel. And if it’s not their first focus, their first focus is selling you things. So I would go to your local computer repair shop or a security computer security specialist and have the run industry standard toolkits with certified personnel. And they may recommend new hardware or wiping the system. And I would urge you not to chase viruses, as I call it. So don’t try and remove it yourself if there’s any question, just ramming your system. I’ve seen too many bad things happen too quickly. So back to the web links. Look at the uniform resource locator. So when you go to Jon’s website.com right, you’ll see up here we use Pure financial. You can see that that’s the domain that we’ve paid for, as we discussed prior. And you can see the lock, right? The lock means it’s your interaction with between your computer and the website’s encrypted right. Does that mean you’re necessarily connected to a trustworthy person? No. It does not mean that your connection is trustworthy or not malicious. There can be a malicious server that got you to click on it, and they just use a free search generator to generate that lock. So it is kind of suspicious in 2021 to not have that lock there, that representation of encryption, but it doesn’t mean for sure that your connection is safe. And I’ve had that question a lot, so you can see the URL. Number one JohnSmith.com. That’s a that’s a really straightforward. When you go to the web, this probably you’re probably going to be a John Smith icon and your website, your web browser knows to kind of look at that a web browser is Chrome, Firefox, Edge or Safari, something that comes with your computer or something you download. People get pretty passionate about browsers, but so and you can see if we take that principle of looking at the domain JohnSmith.com. Well, number two is still legitimate. Number three, however, is where a hacker might start to get clever. They put a period in there separating it. So this is no longer John Smith’s dominant domain. This is John.Smith, and it might not even be a proper domain. And then we have another spoof on number four, where it’s John with the zero one for the Eye Smith dot com. That’s also malicious things you see quite frequently also, or number five. That’s a encrypted link that will be something that’s obfuscated, which means hidden through encryption so they can’t really hover over it. I mean, and then number six is you can find links, you can shrink a link through sites you can go to where you can paste like a malicious Lincoln and you can shrink it. So it doesn’t say, you know, John Smith.malware.com, you know, it’ll just say tiny CC or whatever the link is, right? But you can hover over these link and email, and I’ll show you where it goes. And like I said, real viruses are quite right to link back to that first one.
Andi: All right, real quick, have a number of people who have actually asked about the unsubscribe thing, is it always safe to unsubscribe? This sometimes lets the phishers know that they have a potential victim. I’ve always heard it’s best to simply delete the email and to avoid any response to the phishing attempt.
Jake: So by default, yes, delete. But and marketing uses this as a trend to they know if an email has been delivered successfully. They know if you’ve clicked on it, they know a lot of things off the bat. So you’re kind of you’re kind of hedging your bets here. But yes, delete by default, but unsubscribe. Chances are they already have that information anyways by just simply the successful delivery of that email. So backups, what are backups, backups or data integrity, right? We have this this rule of of backups and see if I can remember my my my best high class. So three two one three is two. Two is one, one is none as far as backups go. So for enterprise, it’s really necessary for you. You’re going to have to decide, is this important for me? Is it’s not important for me. You don’t know how important is the the paperwork you’re trying to protect, right? Or the thing you’re trying to protect if it’s your if your kids photos probably want to back that up, right? Everything’s digital now. It’s kind of a weird thing to think about, but I have things that aren’t on the internet. My son kind of doesn’t ever get his. The whole digital life is has been on the internet, so. It’s kind of weird to think about from that from that angle, but your backups. It depends on whether you want you want a local backup. Most people think, think of backups in that manner. But it may not be necessary. You might be utilizing a cloud platform service that is backed up redundantly. And it may not be necessary. So you have to decide that, but there’s different types of backups. You can use network backups, you need a little external drive. You don’t have to be crazy and do something that’s next level computing, right? But something like that helps preserve preserves information. And you can restore from that, too, if you’ve been compromised. Using mobile devices safely, so we a personal computer, a lot of people think of of PC, it means windows, it actually doesn’t. Personal computer just means a chipset that is designed for personal computing. So by that standard and iPad as a PC and iPhone as a PC and Android phone as a PC, the Samsung tablet PC. These are all mobile devices, though, and they should be treated as computers, I know I said earlier, someone asked me earlier, Hey, should I put antivirus on my phone and it couldn’t hurt. It’s just going to continue to be an attack vector and companies like Apple are blurring those lines were now Mac OS is on an arm based chips, so that’s a a smaller chipset that’s usually built for iPhones. So it feels like they’re heading in a more mobile centric direction, right? So we need to be concerned about how we use mobile devices and what we connect to. And that’s that’s kind of just my PSA, my public service announcement for this slide. The best practices that we had previously discussed. Still, stand for this. You can download a VPN as an app, a paid VPN. You can connect to a VPN if you’re if your tech savvy enough and you want to take that on, you can connect to your home via a VPN that you stand up yourself. Just remember, it’s not. It’s not different just because it’s mobile. It’s still an attack vector and hackers only need to be right once we need to right all the time, right, so it’s that’s kind of our fight. Go ahead, Andi.
Andi: Let’s see. We’ve got a question from Louise. She says a lot of websites ask about cookie preferences. How should those be handled?
Jake: Yes, I believe that’s due to GDPR. That is. They’re actually rethinking that from the last security summit notice that was looking at, because what happens is in enterprise security, you get a lot of false positives and then you get technicians just going, clicking on it and they’re just tired of looking at it. So that’s happening with people. But yes, cookies are locally stored information on your computer, and there’s information that’s gathered from that, too. I don’t want to go down the privacy hole in this one. We’re trying to talk about the best way to add layers to our security on right to make you not low hanging fruit. But, but yes, information is stored. You can clear those cookies. I’ll just give you a little privacy tip there. You can set your browser Chrome, Firefox, right edge as far as your browsers. You can clear them. And your question originally, can you repeat that again, make sure I’m answering the it’s entirety.
Andi: Lots of websites ask about cookie preferences. How should these be handled?
Jake: Right. I would personally, set a cookie deletion rule on your web browser that would that would be what I would do. I know you have to click, accept or ignore if you’re not comfortable with it. You can click, do not accept. But people are starting to get savaged and are starting to make websites not work or you know how to be limited or actually redirect you. I’ve had a couple of websites redirect me as just a test. So it’s up to you. It’s kind of the world we live in today. There is actually more persistent cookies being created as we speak. So. But I think the best way right now is just to kind of clear your cache upon exit, which means that just anything stored locally, you just kind of clears up when you close your browser.
Andi: I was say, I think isn’t that’s that’s something you can set in. I believe Firefox and possibly other browsers as well where when you’re done with your session, you close the browser, all the cookies are cleared.
Jake: That is correct. Yeah, it’s kind of become a big talking point because it’s kind of a you started the thing like, there is this big privacy wave that happened in Europe and GDPR kind of took a lot of that on and and they started bannering people and then so people got curious, OK, you’re bannering me. What is this banner mean? And they’re like, Oh my god, OK. And so they just continue to have questions. So this is kind of the back of that wave, so to speak. But yes, you can set your browser to delete and it’s a good recommendation. They actually can produce problems, right? Andi we’ve run into that bunch of times where local information was stored and it was the incorrect information in the browser couldn’t refresh. And so we’ve had to clear it out and then it started working again. It’s kind of like a weird mini operating system, but it’s not really app. But yeah, if it’s convenient, it’s not secure. If it’s secure, it’s not an inconvenience, really a principle that you can apply to to everything. So you have to decide how much security you want and how much security you don’t want or as necessary for you. I hope that can be as clear as possible and to a really nebulous, we’ll just say topic. We touched on back ups and earlier back. On storing information separately. And so you can encrypt that data encrypting is just encoding, I’m not going to go into, you know, types of schemas or anything like that. But how can it help? Well, it basically takes your information and and makes it so that another person can’t read it. So you have to decide if that is appropriate for you. If you will have a bunch of sensitive documents and you want to do that and you want to have encrypted. Then it’s up to you to decide whether or not that’s something you need. But how can it help? It keeps private things private? But like I said, a way of looking at this as a file vault in MacOS when they start, when you start MacOS, you have the option of having your drive encrypted. You can do the same thing with Windows and BitLocker and encrypt your your computer. Right. So if someone tries to copy the data and it’s going to give me the BitLocker keys or give me the keys to that, and if they can’t, then they just can’t get it or they’ll have to wipe it completely, right? So at least that they might erase your data or at least safe, a big company can help you get back into it. Not always. And if you do it yourself, know that you will be taking that on and there’s a possibility. Just like you can lose the key to your house, you can lose the key to your information. And it might be it might be an issue. And videoconferencing in the new normal, so this all just be quick about this, a lot of people are COVID happened to us. We didn’t expect it right. We had to pivot to going to school remote, going to work remote, and we had to do a lot of things to mitigate risks around that and pivot to these, these things that just allowed us to connect. Zoom did very good, you know, patching a lot of these vulnerabilities that were found at the beginning and they’re not the same as they were when they started them. It’s kind of great. You want to judge companies. If companies have a breach, you don’t want to go, Oh, will they hack? I don’t want to deal with them. You want to go, Well, how do they deal with the hack? That’s really what you want to look at. So in videoconferencing? Look at how many people are participating. You can actually see participants in most video coming up. Be careful what you click on. The principle of links still exist. Is the conference encrypted? How was it encrypted as in end to end? Because that means something different. End to end means from my computer to your computer. This session is encrypted, and nobody else can kind of intercept it unless it goes through back in server somewhere. And then obviously, the vendor can see that information. What security controls are there, I know in some applications. Once someone’s once, all the participants have joined, you can actually lock it and be careful sending files back and forth. Do you trust the person who sent the file because malicious code can be executed in files? So with that being said, like I said. If it’s secure, it’s probably not convenient, if it’s convenient, it’s probably not secure. I can’t decide what’s secure or what your security needs are for you. You kind of have to do that, but hopefully we’ve given you enough layers on your onion now to not be low hanging fruit and kind of mitigate some of the risks. But if you were to take anything from this, I would say password manager two factor authentication and make sure you go through security checks.
Andi: I have a couple more questions for you, David says. Are products, such as LifeLock helpful.
Jake: Yes, LifeLock can be helpful. There are several other industry standards, I’ll just say. Real tricky dance around this. So, yeah, there’s a few other industry standards, but it does help you. In the event that something bad happens, we’ll just leave it that.
Andi: All right, and then are bank websites secure?
Jaek: I love that one. So they’re subject to the same rules of everybody else is, just because they have that lock doesn’t mean that someone can’t conduct an attack on their website or strip your information or. And there’s a million connections between your computer and that banks website. The bank can’t guarantee that those connections are secure, either. So just because you see a website once again with a lock on it, it doesn’t guarantee that it’s not malicious. Or there’s not something malicious on your computer or in between your computer and that website.
Andi: We have just a few minutes left, so if you do have any more questions for Jake about cyber security, now is the time to type them into the chat. We have another one from Jane. How can you secure personal information online? When I google my name it comes up on several different people search websites with a lot of information city age, address, phone number. What is the best way to wipe this or control what personal details show up online from public records?
Jake: So, that’s tricky. Like I said, with the internet, it’s it’s easy to expand your footprint, but it’s really hard to contract it, right? You can change your habits on social media, you can change what you share on social media, you can petition those companies to take your information down and you can also. I believe there’s a few third party applications that will allow you to kind of conduct web based privacy searches and kind of, not retract your footprint, but help clean it up. I don’t have those off hand right now, but yeah, it really boils down to being aware of your digital self and your digital footprint.
Andi: And I know Jane mentioned some of those people search websites, some of them have places directly on the site where you can ask to have that page removed. But the problem is is then state that there’s no guarantee that they’re not going to continue repopulating that information. So it’s a constant effort to keep that information offline.
Jake: Yeah, information is kind of the new oil.
Anid: Mark says are fingerprint passwords safer than written ones?
Jake: So biometrics that would be your face, your eye, something of physical biology. Six in one hand, half a dozen the other. So you have if you have a really weak password because a lot of these phones will be like, Hey, give me a pin before you give me before I allow biometrics, right? Well, that pin, that’s four digits still exists. And yes, the biometrics are harder to crack and you’re not in public, you know, putting this pin in. So if you have a shoulder surfer, nobody’s going to be able to get that pin. But it’s a four digit pin, given enough time. There’s a time thing we talked about earlier. You know. Almost everything is crackable. I mean, we account for that. The major vendors account for that. But to answer your question? I would have a strong pin, and I would say, yes, it’s inherently a little harder to crack than just a pin. But that still is reliant upon other measures on your phone. So I know that may be clear as mud. But a lot of cyber security stuff is I was hoping to clarify a lot here.
Andi: Christine says. Can the home Wi-Fi password be changed to make it more secure?
Jake: Absolutely. So. These home life, if you’re unsure about what it is, you can contact your internet service provider because if you don’t know what it is, chances are that you’re just renting a box from a service provider and you can contact them and say, Hey, I would like to make my my home internet more secure, and you can even petition them. What you have that would make this more secure because more and more companies are kind of taking that on and going, OK, we’ll monitor your security, we’ll monitor this. We’ll monitor that. There’s a privacy aspect to that. But you know, for the most part, we’ll stick to the security here and they’ll tell you how to get in. But for the most part, it’s a default IPv4 web address like 19216801 or 1.1 or 1.0 or 1.254. You’re going to be one of those, and if you do that in your web browser, you’ll actually get in to your internet service provider. Internet appliance, we’ll just say it’s actually local things, like I said, so. And like I said, the password should be on the side.
Andi: OK, we only have time for one more question and a bunch more questions are coming in. So if you do have more questions for Jake, email info at PureFinancial.com and we will make sure to get those to him so that he can answer your questions for you. And let’s see. Let’s pick one more question. Let’s see. Bruce says, how do you know if the Microsoft Web page that comes up on a Google search is the real one or a fake?
Jake: Sliding scale, right? So it should have the TLS, so you can actually click on that lock that seals the little lock on the top left. If you click on it, you can see view certificate and you can actually drill down into who issued it when it was issued, when it’ll expire. And there’s various third party apps that you can use to copy and paste that that URL Microsoft.com into the domain, microsoft.com into a checker, right? Central Ops will do that. But then we’re getting into more tech savvy stuff of like, Hey, you need to be able to read the back end stuff that happens on a website, and I don’t expect you to do that. So just look at the domain. If it’s Microsoft.com, your chances this Microsoft have increased. If it has a TLS, chances are that it’s increased. You can view the certificate and it’s valid. Your chances increase. Nothing’s 100%, but that’s how you tell these things.
Andi: And then just finally, David says, Thank you. This is really good and a little scary.
Jake: Oh, wow. Remember, low hanging fruit? You don’t have to outrun the bear. You just have to outrun the other hunter.
Andi: And again, if you do have more questions for Jake, you can email those two info at PureFinancial.com, and we will get them to him. And in the meantime, Jake, thank you very much for the time and thank you all for joining us today. Have a great one.
• Investment Advisory and Financial Planning Services are offered through Pure Financial Advisors, LLC. A Registered Investment Advisor.
• Pure Financial Advisors, LLC does not offer tax or legal advice. Consult with their tax advisor or attorney regarding specific situations.
• Opinions expressed are subject to change without notice and are not intended as investment advice or to predict future performance.
• Investing involves risk including the potential loss of principal. No investment strategy can guarantee a profit or protect against loss in periods of declining values.
• All information is believed to be from reliable sources; however, we make no representation as to its completeness or accuracy.
• Intended for educational purposes only and are not intended as individualized advice or a guarantee that you will achieve a desired result. Before implementing any strategies discussed you should consult your tax and financial advisors.
• References to any specific product, process, or service by trade name, trademark, manufacturer, or otherwise do not necessarily constitute or imply endorsement, recommendation, or favoring by Pure Financial Advisors, Inc. nor its employees.
MSCSIA: The Masters of Science in Cyber Security and Information Assurance (MSCSIA) degree is earned after successfully completing a bachelor’s degree from an accredited institution. This is a professional degree for those who endeavor through technical and managerial measures to ensure the security, confidentiality, integrity, authenticity, control, availability, and utility of the world’s computing and information systems infrastructure. The degree program has a required core and a required specialization, which can be selected from some alternatives. The core is designed to provide a means of supporting the variety of backgrounds (both education and work experience) that those who wish to study this area may bring to the program. The core is also a statement of the knowledge domain that is common to most efforts in this area. The specializations provide for study in particular domains of knowledge within the field – which are also tied to communities of effort within the field. The typical length of time to complete the program is 1 to 2 years for full-time students.