Video: Your Cybersecurity Survival Guide
Great, thank you. Good afternoon, everyone. My name is Gary Poth. I lead our Family Office, the security at KeyBank and it's a pleasure to have all of you with us this afternoon as we bring you a webinar on a very timely topic, cyber security. So, you're listening. I doubt if I need to tell anybody that it's a bit of the Wild West out there. It's a significant issue and seems to be getting worse. It started with businesses then over the course of the last couple of years, the cyber bad guys have really started to focus on family, family offices. Just to give you a few stats that prime this afternoon's discussion: cyber attacks are up over 300% over the course of the last year, since COVID began. With ransomware leading the way, 77% of all high net worth clients, individuals, they're more worried about being hacked than they are about their investments declining in value, right? So, it's a significant issue for you and for your peers. 25% of families currently have malware on their computers, on their phones and on their tablets and they don't know about it. And then 95% of all attacks are caused by human error, which is something that we're gonna talk about this afternoon. And this is really a case where just an ounce of prevention is really worth a pound of cure. So, joining me this afternoon, I've got Tammy Gedetsis. Tammy is a senior information security manager at KeyBank. She's been with us for over 23 years. She leads our cyber education and awareness programs for all KeyBank employees, as well as our consumer and business clients. Prior to this role, Tammy was a senior digital product manager at key digital platform, including tNavigator, where she was responsible for strategy and delivery of commercial products and services. Joining Tammy, we have Rockie Brockway. Rockie is the practice lead for TrustedSec. And TrustedSec is really the partner that KeyBank uses for cybersecurity matters. 
Rockie is a highly experienced 29-year veteran of cyber security, and he also performs chief investment security officer activities for a multitude of mid-sized global enterprise organizations, focusing on program maturity and development organizational effectiveness as well as the business risk. Rockie specializes in effectively communicating IT security and enterprise risk leadership and aligning detection of business critical data with business needs and requirements to ensure brand protection and continued innovation. So, I am thrilled to have two of our experts here with us today. What we're gonna do is we're gonna take the next, let's just call it, 40 minutes, 45 minutes. We're gonna hand it over to Rockie and Tammy. They're gonna talk about what's going on in the industry, share some very practical tips and best practices for all of you. If you've got a question that you would like to ask, in the lower right-hand corner there's a chat function. So, if you just type in your question, we'll get it and then we'll take the last 10 or so minutes to go through the questions. So, we do have a lot of ground to cover. So, with that, I'm gonna turn this to Tammy and Rockie.
Excellent, well, thank you very much, Gary and thank you everybody for taking some time off. I'm gonna kick this one off. I know we have 40 minutes or so. So, there's a lot of content that we'd like to get through. So, away we go. I'm gonna start with essentially from a very high level perspective. As Gary mentioned, I've been in the industry for 29 years, information security and risk management, and I've seen a lot of security awareness programs. What they typically fail to convey is actual changing behavior, right? Most of these messages are centered around you're our employee and it's your responsibility to protect our data and that doesn't resonate, usually. That doesn't really change behavior. What does change behavior is keeping it personal. We're humans. Change is bad. So, changing behavior is actually typically fairly difficult. So, I like to start with just these three. We're gonna walk through three levels here, call them three steps. The first is just the basics, general best practices. The second we're gonna touch upon password managers and the third separate level, we're gonna talk about multi-factor authentication. But these are three, just very, very simple steps that will help protect you and your loved ones from all of the crazy stuff that in my industry we've seen on the internet and everybody is now, especially post-Colonial Pipeline and things of that nature over the past year. Lots of ransomware. Everybody's very, very familiar with. So, let's start with the basic best practices here. When we take a look at just general best practices, I'm sure almost everybody on this call has probably at least heard the majority of this. So, I'm not gonna spend too much time on these, but they're typical: never open attachments unless you expect and trust the sender, be very cautious when clicking links in social media. The one here called use URL reputational tool, I'll actually show. 
I'll give an example of one of those in a second when we kind of get into some of the things that you can actually do on your computer, but also then always be very suspicious of pop-ups and anybody asking you to install anything or click anything. Avoid doing really much of anything from a personal or private perspective from public computers. Always use HTTPS, which is the encrypted version of HTTP or web protocol. Make sure that you're configuring your WiFi with strong authentication. Change all passwords on those Internet of Things devices like web cameras. They can be very sneaky and if you forget step three in the manual to change the default password, then there's a potential for somebody to actually figure that out, that the password is default. And then I'll also show you an example, but always look for and validate the green HTTPS browser bars and trust marks. So, from an overarching best practice perspective, those are probably things that almost everybody has seen. What I'd like to do now is really just talk about some of the actual things that you can actively do on your computers. Always make sure that your firewalls are on. Make sure that your antivirus is updated and using the latest signatures. Always update your applications. These are your browsers, your Javas, your Adobe suite applications. Things of that nature. I will talk about a new browser that is actually very privacy-based called Brave, the Brave browser and then we'll talk a little bit about actual browser protections and add-ons that you can add to your browser that gives you additional security. Some of those include ad blockers, things that protect your privacy from a social media perspective like Privacy Badger, HTTPS Everywhere, which if you happen to go to any website and forget to type HTTPS, it will automatically switch it over to the encrypted HTTPS version of that website. And then Web of Trust is one of those web reputation tools that I'll touch upon in a second. 
Anybody running Windows 10, Windows 10 is actually now built in with what Microsoft calls its EMET security protections, which is, for lack of a better term, behavioral anomaly tech detection, which is much different from firewall. I'm sorry, not firewalls. Much different from antivirus, which requires an entire database of all of the known viruses detected to date. These types of advanced endpoint security solutions do not really require that. They're looking more at bad behavior. This application is doing something that it probably shouldn't do. So, let's prevent it. The example I give right here, Oracle, which is actually one of the suites. One of the application suites that Oracle maintains is Java. This was the July, 2021 update for Oracle and it contains, it's a little difficult to see there, but 342 new security patches just for Oracle applications in the month of July. So, we'll talk about that. One of the right things, one of the great things about everything that I've kind of talked about already is that they are all free. So, I'll show you some slides in a second, how to download some of these applications and browser extensions and plug them into your computer. So, this is Web of Trust. Web of Trust is a URL reputation tool. So, you can see here that I've typed into this Google search bar free anti-virus and pro-tip, don't Google free anti-virus. You're probably gonna get a lot of results that do not have a good reputation. And as you can see, the second result here, Total Antivirus & Security Suite 2018, has a big red dot after it. So, what Web of Trust actually does is it's using reputation kind of technology, cloud reputation technology, to analyze all of the links that come back from a search engine or even populate in any social media application like Facebook or Twitter and it will actually tell you if any of those links have actually done anything "naughty" in the past. So, we can see that the first link of asked free antivirus has a green dot. 
That means that that is a legitimate link. The second one, Total Antivirus & Security Suite 2018, has a red dot and we probably don't want to click on that one. So, as we kind of like move through some of these, I wanna talk a little bit about, I'll go into detail a little bit here. We already talked about and touched upon HTTPS Everywhere. Privacy Badger is a really fun one that I really enjoy. I'm a privacy guy. So, if you've ever gone to a website and you've seen the little icons, let's say on the sidebar or at the bottom of the T for Twitter or the F for Facebook or the L or Li for LinkedIn, I forget which, those are actually basically tracking everything that you are seeing on that webpage, even if you're not logged into any of those social media sites. Privacy Badger disables those. So, as a privacy enthusiast, I really think that Privacy Badger is a great browser add-on, right? And then uBlock Origin down here. That is an ad blocker. One of the best reasons to block ads apart from the fact that they are typically annoying is the fact that if you go to any website, I'll just pick on forbes.com. If you go to the Forbes website and as all of the news articles are rendering in that webpage in your browser, you're also seeing all of the different ads across the webpage as well. Those ads are not coming from Forbes. Those ads are coming from third-party ad server sites, and they tend to be targets. Hackers like to target the ad servers because they are essentially distributing content across many, many, many legitimate websites like Forbes. So, if a hacker can actually breach any one of those third-party ad websites, they can potentially insert malicious code into those ads that then render into your browser, which then goes back to always make sure you're updating your browser to lower the probability and likelihood of a potentially malicious ad from executing something bad into your browser. 
So, next I'd like to show you a little bit about how we can actually install some of these into your browser. This is just an example from Firefox. You can see that on the right hand side, you can click on the little preferences bar and the dropdown comes down and you can click on Add-ons and themes and then that takes you to, basically, what is the internal Firefox, right? And you can do this same kind of process. You can do this for a number of different browsers, but then you can search for things like Web of Trust, the URL reputation tool that I just mentioned, or HTTPS Everywhere or Privacy Badger and then you can click them and install them now into your browser and now you have added protections into your browser. One of the other things that I'd like to talk about is a relatively new browser called the Brave browser. The Brave browser actually is very similar to Firefox and other browsers. There's really functionally very little difference between any of them, but from a personal perspective, the Brave browser already has all, not all, but the majority of the plugins that I already have mentioned are already, basically, installed and functional in the Brave browser. The last thing that I'd like to talk about is simply just from a website kind of hygiene perspective. Whenever you go to any website, especially if it's a financial website, always, always, always make sure that this little lock that shows up in the majority of the websites in all websites, excuse me, all websites, make sure that that little indicator for the HTTPS encrypted version of this website is always green. If it's yellow or if it's red, do not insert any of your credentials. So, Tammy, I think let's hand it off to you to talk a little bit more about some of these other best practices. You're muted, Tammy.
Thank you, Rockie.
Yeah, whenever I see that privacy one that you talk about now, I think of the new commercials we see on TV, where there's people following behind you and they're just collecting your data. So, then you pop into my mind. So, yeah. So, let's talk about a couple of the other level one best practices. So, one of them being freezing your credit. This is not something that everybody is familiar with, but you wanna make sure you're going out to all three of the different credit bureaus and freezing your credit. And what this does is prevents people from using your identity so it could prevent identity theft of going out and actually utilizing you to apply for different things. So, it's gonna freeze it so that when they attempt to get a loan or apply for a credit card, it's going to stop that from happening because they won't have access into that credit. This isn't just something that you should be doing for yourself. This is also something you wanna do for your children. I know that I have an elderly parent that I help take care of. So, I keep an eye on his credit. So, it's just something you wanna think about. You've probably seen a lot about this in the news actually lately, because of all of the unemployment fraud scams that have happened over the last year during COVID. So, definitely something you wanna do and we have the different websites here where you can go out and follow the steps to freeze that. Also, set up alerts, not just on your credit cards, but whether it's on your bank accounts, your credit cards. Setting up those alerts, which lets you know right away, if there's activity on your account that you're not aware of. This is something that drives my husband crazy during the holidays. So, we have to make an agreement ahead of time because I have my limits that's really low and I'm sure Rockie does too. And then the problem is anytime something happens, I immediately get notified and I might know what I'm getting for Christmas. 
So, he's not very happy with me about that. But it's a great tool because anytime fraud happens or there's attempted fraud, the quicker that you know, the quicker you can react and then contact your bank and let us know so that we can prevent something bad from happening. But setting, again, these credit card alerts, you can set these up in online banking. It just allows you to see that activity quicker and prevent things from happening or if they do happen, the sooner that you know about them and you can react to them, the better. And one of our favorite topics is passwords. So, you don't need to understand... This is a great depiction here and I'll give Rockie credit for this one. This is a great picture here of one of the complications with passwords. We know, right, as security experts. We know that you have a lot of passwords. We all do. We have a lot of them. But so do the criminals. The criminals also know that you have a lot of passwords and they also know that it's human nature to reuse passwords and also to make them as easy as possible so that you can remember them. But there's a challenge with that. The challenge is that people like to use patterns and they like to use very common dictionary words and add maybe a symbol, a number to the end or the beginning of them. And the problem with that is it makes them very easy for computers to guess. So, it's not just a bad guy in, and there are instances of this, right, going in to try to guess your password to get into the websites, but the problem is they have computers behind them that are guessing it. So, when you're doing something that is just that typical dictionary word, a symbol, one number and you're upping that number each time or using the different seasons in your password, which we see a lot, right, fall, winter, spring, then that's something very easy for a computer to guess. 
And then on the other side of it, right, you as a user you say, "Well, how do I make it more complicated, "but still make it easy for me to remember?" So, even doing something as simple as doing four random but common words that wouldn't necessarily go together. So, like correct, horse, battery, staple, that takes a lot longer for a computer to guess and it's something, again, four random words that you could remember. Maybe it's four words from a song, different things like that. So, what we've learned is, as it says right here, right? Through many years of effort, we've trained it so that everybody needs to create very complicated passwords that are hard for each of us to remember, but really easy for computers to guess. So, one tip here is really using something like a passphrase as opposed to passwords and you say, "Well, what's the difference?" So, as I mentioned, the typical password, you're using a combination of symbols, letters, characters and typically you're probably using something like a dictionary word. Something that I would propose is maybe using more of a passphrase, which is longer in length, but then you can use spaces. A lot of times I'll have as we're doing these trainings, that's usually an aha moment for people. Not everyone realizes that a space is a valid character in a password and can make it more complex. So, even doing something like food is the key to my heart is a much stronger password than one of these passphrases or flip that around. One of these passphrases is a lot more complex than something like one of these basic passwords. So, doing something like that can make it a lot easier for you to remember. If you have a favorite song or lyrics or different things, finding a verse in there or finding a sentence in there, that can make it easier to remember. But again, it makes it harder for that computer to guess it. But then I would go into as we start to talk... 
So, now we talked through the basics and as Rockie was talking about those building blocks of how do you get more and more complex so that you're building up those layers of protection around, the next thing I would say is, on top of just having something like a passphrase, which you say, okay, great, Tammy. Now I have to remember 15 characters. I have to remember those song lyrics and I have to have a different one for the different websites. You're making this really complex. How do I keep myself safe? What we would recommend is considering something like a password manager. You may hear it called a password vault. Now what these are is something that you can save all of this type of information within and it's really behind one very strong passphrase. So, what is an example of a password manager? So, there are a couple of examples out there. The one we're gonna talk about here today, but again, there's others out there. KeePass is a great example of one of the password managers that are out there. So, imagine this vault, you have all of your passwords behind it. You can even save things like those security questions that hopefully you're not answering honestly, and we'll talk about that in a minute, but you can save all of those complex passwords behind that vault, virtual vault door. And there are two different options. So, you have the PC option that you could have on your PC, but then something that I know Rockie and I both use are things like the cloud version, because if you use the cloud version, this can also be used in mobile. So, you can use it across devices. So, here's the two different links and we're gonna look at examples of what it kind of looks like within the vault, what it does and how it can really help you make sure that you have long enough and it's strong, but then you don't have to remember it. So, in this password manager, some of the really cool features are it will auto-generate those passwords for you. 
So, no longer do you have to start counting on your fingers. Do I have enough characters to create that complex password? It will create that password for you. It also has a feature where it will auto-generate it within the website's URL for you. So, you go out to that website, it has your password saved for you. It'll automatically input it into the field. Voilà, you're done and now you have something strong. And then we also know you have things like those security questions. And the security questions, right, you don't want to answer security questions with answers that are very easily found in things like social media. Bad guys know how to search that. I can go out and search that, right? Search your name and probably find some of your answers, unfortunately. So, a pro tip that we have here is never answer security questions with true answers. It's kind of funny. I took my 16 year old yesterday to open up a bank account and we had this exact conversation of how do I remember it? So, the security questions, if it says, what is your mother's maiden name? I have a calendar of Dilbert here on my desk. So, Dilbert, that's not my mother's maiden name, but then I take that and I can input that into the notes field here in the password manager and then I don't have to remember it, but it's also not something that a bad guy would be able to find because it's not true and now I've had that extra layer of protection. And then the great part about that is usually, security questions are only needed in the event that typically you would forget your password and you can't get in, but you don't have to worry about that now because you have a password manager that's remembering it for you. So, you don't have to remember that. So, that's gonna make it a little bit easier for you. And again, this is just a screenshot showing you how you could go ahead and perform those auto types. This is just one example. 
Again, this is KeePass, but it looks very similar in other ones like LastPass and other password vaults that are out there. So, Rockie, I'm gonna hand it back over to you to just talk to us about MFA.
Perfect, so we talked about level one, we've talked about level two now. Level three is multi-factor authentication. So, when we look at authentication, just at a very, very macro high level, authentication really is broken down into three things. It's something you know, it's something you are, like a fingerprint or a retina, and then something you have, like a smart card or even an ATM card. And speaking of ATM cards, everybody really should be familiar with multi-factor authentication because that's exactly what an ATM card is, right? You have to have your card and you have to know your PIN. Now, granted, the PIN is only a four-digit little "password," but it is. It's functionally multi-factor authentication. So, there's a lot of different ways that we can actually use multi-factor authentication and enable it. I'm sure everybody has seen at this point the majority of financial websites are now all requiring from as far as I know, all the ones that I have accounts that they all require me to either have an application on my phone that's synced up to and we'll show one in a second, but something like that, or they'll text me a code, right? And so, really, the benefit here is once you receive that code after you've logged in with your login and password to that website and then they text you the code, and then you put it in, just for argument's sake, if your login has actually been breached, when one of those malicious actors tries to log into that website, they're not gonna be able to complete that full multifactor authentication process because, well, you're going to get a text on your phone and the bad guys more than likely, some young teenager in his basement in Bulgaria or something like that, they don't have access to your phone. So, that entire process doesn't have the ability to be complete and therefore multi-factor authentication is a great, great, great tool, a great control to prevent unauthorized access to accounts. 
Another example of multi-factor authentication is the Google Authenticator. This is just an app that you can download to your Android phone or your Apple iPhone. And basically all it's doing is every 30 to 60 seconds, those little codes on the right hand side of the screen, they change. And so, if you sync up your multi-factor authentication, let's say, to the Key website using Google Authenticator, instead of getting texted a code and then having to pop that in, you can just when you're prompted for the code, you just open up your app and look at what is the code right now and type that in. So, it's a very, very simple process. It's very, very easy to use. And that simple, easy to use process will really, really, really go a long way in terms of preventing unauthorized access to any website. Speaking of any website, this is just a sample list of websites that support multi-factor authentication either with an authenticator app or with SMS texting codes. The website is twofactorauth.org and it's gigantic now. It is actually broken down into industries. So, healthcare, financial, entertainment, et cetera, et cetera, and if you are just curious to see if any one of your websites supports multifactor authentication, you can just go there and look up whatever website you want and chances are they do support it now. So, given the fact that it's so easy today to actually just enable that type of very, very strong protections to help protect yourself as well as your loved ones from malicious actors and unauthorized access, there's no reason not to do it at this point. It's very, very simple.
Yeah, so now that we've talked about the three levels, what we're gonna talk a little bit about are some of the things that we're seeing. So, some of the tactics that have been used in social engineering, and if you're not familiar with social engineering, basically in very simple terms, it's a way that one of those threat actors is going to try to gain access or get information from you in an unauthorized way. And really as humans, in our human nature, we wanna help others. And they unfortunately take advantage of that and try to use that to their benefit. And so, some of the ways that they do that, right, are to create a sense of urgency. So, we need to do this right now. A lot of times we think of things like business email compromise. Your boss is telling you, "You need to do this right now "or something bad will happen." We won't get that contract. The shipment won't happen. Our employees won't get paid. All of those things that cause us all to tense up for a minute and say, oh, no something bad's gonna happen. Again, using that sense of familiarity or trust right there. They're telling you that they're calling from Microsoft or from your bank or from the IRS or the FBI, right? Any three letter organization you can think of. They're trying to tell you that they are them. So, they're really trying to prey on human nature and us wanting to help and really trust the information that we get in order to... We're seeing it via text message. So, I'm sure you all receive, many times a day, a text message from someone that it's really not who they are. I know my husband and I win Apple iPhones every day, multiple times a day from Amazon, I don't know how they can afford to stay in business, giving away all those phones. You get emails from people, and as Rockie mentioned earlier, emails are very susceptible and making sure that you are familiar and a lot of times they have a link in there that's sending you to a bad place. 
They're sending attachments that you click on it, you open it and then it's gonna do something bad to your computer and phone calls, even calling you. One thing I wanna make sure I mention 'cause we've seen quite a bit of this lately is here at KeyBank and no other bank, we're not gonna call you and ask for any of those codes that Rockie just mentioned. Those one-time passcodes over the phone. We're not gonna call you and ask for that. So, if anybody calls you to ask you for that code, you have my permission to hang up on them. It's not rude. That's not us calling. The banks will not call you to ask for that type of information. So, we thought we'd give you a little bit of a pop quiz and obviously you can't shout out answers, but you can if you don't mind, if you want to, and we're gonna go through some examples of some of the things that we've been seeing. So, a tech support scam, that first one. Yeah, PayPal is not really going to send you an individual message and pose as their tech support. PayPal is not gonna call you out and send you a message. And you can see that then they're asking them to visit here. We're so sorry that happened to you. Feel free to click on this link and I'm sure that's where it will send you. Please don't click on that link. Anytime anybody says they're gonna be sending you some money that you weren't aware of, that right there is a red flag. And then they're asking you to click on this link so that you can take a look at it. Please don't click on those links. It used to be a lot of the lottery scams or you had some relative from a foreign country that you weren't aware of that left you money. So, there's all kinds of interesting things, but just like I'm sure your parents taught you, I know mine did, if it's too good to be true, it probably is. So, just take that with a grain of salt. 
We're seeing a lot of these, as I mentioned, these business email compromises, where they're pretending to be the CEO at a company emailing an employee and saying, "Hey, I'm out on PTO, received this. "We need to make sure that you're sending out a wire "to this partner, contractor, fill in the blank here. "Otherwise they're gonna cancel that order "and then we're not gonna be able "to finish this project, " right? And so, they want you to just react. And so, that's one of the things we're seeing a lot of. So, just pause, take a breath. What we typically tell our clients or even our employees is anytime you're getting something, call that person and validate it. Call Mike and say, "Hey, Mike. "Did you send me this email?" And don't feel the need to just send out funds without validating that. We've seen a lot around even valid contractors that you might be dealing with and they figure out who you're interacting with and then they send you a false invoice under that contractor and then ask you to change payment instructions. So, things to keep an eye on, HR scams. Again, trying to ask you to change payment information for an employee. You should have processes around that and where they're going to the legit place to update any information. I certainly wouldn't just send a random email to one of my peers or HR partner, "Hey, can you change my paycheck information? "Can you do that right away?" So, something to keep an eye on. So, Rockie I'm gonna flip it back over to you. What happens if somebody does click on that?
Right, so, oops, we've clicked on something. And this is, especially today, this is really one of the most popular kinds of attacks, which is called ransomware. So, the way ransomware works is if somebody happens to click on any one of those links and the payload delivery is successful, so to speak, then what happens is this malicious application goes and encrypts all of the files on your computer. If your computer is also potentially connected to other network computers or servers, it may also then actually spread over to some of those network servers and potentially encrypt all of those as well. This is very bad to say the least. However, from a process perspective, what happens then is you get this pop up, oh, all of your files are now encrypted. Essentially, the process goes like this. Step one, right, here's instructions on how to transfer money to Bitcoin. Step two is please then send or transfer those Bitcoin funds to this Bitcoin wallet and step three is once we confirm the transfer and receipt of the Bitcoin to our Bitcoin wallet, we will now send you the decryption key and then you will get the decryption key and then you will attempt to decrypt all of your files. Now, a lot of problems with this. First of all, well, before even the problems, right? It's actually a very sophisticated operation. This is a global business. So, they actually provide tech support numbers and their tech support typically rivals most cable companies. So, if your grandmother happens to click on anything like this, she can call in and they will step her through the process of transferring dollars to Bitcoin, and then transferring that Bitcoin to a Bitcoin wallet, et cetera, et cetera. But the problem here is obviously, well, if you get the decryption key, A, sometimes the decryption keys don't work and B, we haven't really fixed the root cause, right? 
And the root cause may more than likely just be the fact that you clicked on something, but it also could be after you clicked on something, something else took advantage of a vulnerability in, let's say, your browser that was not updated to the latest version and that was really kind of the root cause of the actual infection that led to the ransomware. So, if we kind of then now in the next slide, taking a look at the actual full delivery methods for ransomware, you can see that by far email is number one, right? And so, Tammy walked through a number of the previous examples around phishing and social engineering through emails. But that is literally the biggest vector for ransomware followed by, well, not necessarily a vector, but a lack of cybersecurity training is also a variable in this entire process, right? So, when we look at why all of this happens, we have to take a look at threat actor motivation, right? Every actor is going to be motivated by something. And when we kind of take a cross look at everything that we now do on the internet, right, through our computer, we're doing so much that basically represents a very large attack surface, right? So, we're reading emails, we're using text instant messages, social networks, watching videos. All of these represent vectors that potentially can deliver something like ransomware. When we then take a look at the actual motivating factors of these malicious actors that are involved in trying to deliver ransomware to individuals, we see that in this particular graph here, and this is June, 2021, so last month, 85% of the breaches that were reported in June alone were attributed to cyber crime, right? So, what is cyber crime? Well, make no mistake about it. That's organized crime, right? This is a giant global business.
And apart from cyber crime, then we have a smaller percentage of attacks and breaches attributed to espionage, attributed to hacktivism, which is typically your groups like Anonymous and they're typically more politically active than anything else. A small percentage attributed to cyber warfare. So, certainly nation states are doing all sorts of nefarious activities as well. And then another small percentage of other, but the lion's share of the motivations for any type of breach is far beyond financially motivated and typically opportunistic as well. So, when we take a look at then these types of motivations, we have to also remember that, look, this is a gigantic global enterprise business. And every business has a model. Every business has their profit margins. Every business needs to make sure that they're making a return on their investment. And so, this is just a very simple example, looking at, well, an actual, almost a P&L, so to speak, for a threat actor. The value of the assets compromised could be a million dollars. The attack costs $200,000. There's our profit. However, we know, or we're assuming because of the targets that we're attacking, that their controls and countermeasures are probably gonna be pretty strong. So, that's gonna lower the probability of a success. So, if our success is X% and our probability of failure is then Y%, what's the probability of us being caught and if we're caught, then what's the tangible ramifications? And like any other business, they're also concerned about the intangible, let's say reputational hits, right? So, this really is. In my industry, information security, we have to think in terms of adversary return on investment to really help organizations more effectively protect against the likely actors that are motivated to target them, right?
So, the last thing we'll kind of show here, we really kind of talked about ransomware already, but the two most common financially motivated attacks are your ransomwares and then as Tammy showed in an example, the business email compromise, where the "CEO" is trying to take advantage or the actor is trying to pretend they're the CEO, trying to then take advantage of, let's say, an assistant and say, "Hey, wire these transfers. You're really doing me a favor and it's gonna help us from a business perspective," blah, blah, blah. So, those really are the two most commonly seen financially motivated attacks. And I wanna emphasize this, right? For the most part, the majority of these financially motivated threat actors are opportunistic, right? They're not sitting down typically, right? They're not sitting down and saying, "Oh, business X. I wanna go after business X today because of A, B and C reasons," right? What they're doing is they're sending thousands of phishing emails out to many, many different organizations and once someone actually does click on one of those malicious links, now the focus is on whatever that organization actually is, right? That's the lion's share of these types of attacks. They're primarily opportunistic. Not to say that there are not specifically targeted attacks as well, but most of these attacks are opportunistic.
So, I know we wanna make sure we have time for some questions. So, I'll just leave the checklist up here for a minute. Most of these, we did cover already. So, I'm not gonna belabor those points. A couple of things just to point out really quickly is you may wanna think about things like a cyber insurance policy. That's just something that you may wanna discuss. If an incident were to happen, do you have coverage? Do you need coverage? What might that look like? Thinking about who has access to your information. If you're running a family business, right, who has access to those rights and thinking about that. Do you have a process in place for things like money movement? If you have payroll, who has access to it? Do you have processes in place? Because a lot of that, those are where there's a breakdown in process, or not everyone's aware of the process, could be a potential for someone to come in and do something like B, C, right, and somebody circumventing that process. So, having processes in place is important. And then do you have something like an incident response plan and are you practicing it? Are you using a third party provider for assistance? Someone like a trusted . Are you working with a company that can help you to do things like that? So, with that, I'm gonna hand it back over to you, Gary. I think you were gonna take us through potentially any questions that might've come through?
Yep, thank you, Rockie and Tammy. I thought that was really good information. Covered a lot of ground here and just to underscore on something that Rocky said, right? Most of these attacks, the vast majority are opportunistic. And so, if you're leaving your door open, right, the front door open, people are gonna walk in and take something. Generally, to his point, right, they're not gonna break down your door. So, if they test the lock, right, if your car is locked, right, you're probably not gonna get your car stolen. So, they're gonna move on to the next one. And so, this gets back to, again, an ounce, just an ounce, right, of prevention results in a pound of cure. So, really good information guys. Just to remind you, if you have a question, type it into the chat and we'll go through what we've got. The first question, Tammy and Rockie, is any advice on robocalls that come in on cell phones and landlines.
So, from what I know today, something recently just went through our, I think, federal legal system that is intended to help really reduce the number of those robocalls. I get them all the time as well. What I typically do, actually, from a preventative measure perspective is in my home I have a landline. So, more often than not, I'm giving out my landline as opposed to my cell phone number, just to kind of prevent the robocalls all coming to my mobile phone on a daily basis. But I'm not 100% positive right now 'cause I know it was just very, very recent when something just came through our systems. I'm not exactly positive if you have to actually contact your phone providers to enable something or if it's an opt out scenario, I would need to kind of get a little bit more data to be able to fully answer that question right now.
Great, thank you. Next question. Many sites require security questions every time you log in. Any suggestions for that situation?
Yeah, so I'll start that one and hand it over to Tammy if she has anything follow up, but with the password manager, if you're not being truthful about your actual security questions and documenting them in your password manager for those sites that also are asking not just for your log-in and password, but also for your security question, your security question is right there. The answer to your security questions is right there in the notes field of your password manager. You can just copy and paste it right into that website for that login. It's certainly not a lot of overhead from an additional effort perspective. Anything you have to add to there?
Yeah, and the only other thing I would say is make sure that sometimes what you might see on websites is you're gonna see us moving more and more away from security questions to other authenticators. So, my suggestion would be too is make sure that you don't have another option because I prefer, and I think it's easier too for things like OTP or biometrics or things like that and that's where the industry is moving anyways. So, if you have to have a security question, exactly what Rockie mentioned, don't use the right answers and put them in the password manager. Even if you're not using a password manager and you decide that you're just gonna remember them, just make sure you're not, as we said, using things that could be found on social media. If you can select the questions, which usually you can kind of selectively pick sometimes which ones you wanna answer, make sure you're just not putting things that could be found easily in your name and lying but remembering, but I would also look into if there's a possibility to change the authenticator you're using to do that as well.
Right, next question. What can be done to protect small children that may not be entering credentials into a website, but just browsing the web or going onto YouTube kids types of things? Any thoughts or suggestions around that?
Yeah, the first things that come to my mind are many of the cable modems that are probably gonna be living in most people's homes do actually have parental control type options. So, just from the perspective of lowering the probability that your child is going to actually randomly surf to a potentially malicious website, given the fact that if you have those kind of the parental controls on, that's gonna limit to a very large degree where your child can actually browse, right? And then, so that ends up being just a mitigating factor to the potential of running into a malicious website itself. Tammy, anything to add there?
Yeah, I would say, and I've actually done some sessions on this, one of the things too, I think even with small children, right, is also monitoring, obviously, what they're doing, but I think also having a conversation. Our children are getting exposed to things earlier and earlier, right? I can remember my children in kindergarten coming home with an electronic device and you're like, okay, we're already starting this. So, having that conversation, right? And making sure it's age appropriate so that... Definitely the parental controls, but if something slips through or they're on a different device at school or something else, having a conversation with them that if they see something that isn't right, to make sure that they are letting you know or letting an adult know. And then I would also say just stressing the importance from small children but as they get older, having that open and honest dialogue so that they know that the person on the other side of the screen isn't necessarily who they say they are, because I know as they get a little bit older, right, they start doing video games and different things. And so, having that dialogue and then continuing that dialogue as they get older and the situations change, I think, is extremely important.
Great, thank you. The next question. I use auto fill for my credit card information, et cetera, for online shopping, bad idea?
So, I get this question asked quite a bit. At the end of the day, I'm not gonna say that it's a good or bad idea because security is subjective. We all have a very, very different... At the end of the day, it's related to status quo and everybody has a different kind of risk appetite and risk tolerance, right? I'm a security professional. I'm very much a privacy advocate. I typically don't use my browser to save passwords and auto-fill into, let's say, a website. I do use a password manager, right? And so, there is a big difference here. There are password managers that are built into browsers, okay. I'm okay with that. I personally tend to use the separate password manager apart from the browser because my risk tolerance is very low, right, just from a professional perspective. And especially with things like the Android operating system, the Android operating system tends to be a little looser validating that code that is uploaded into the Android store is not malicious. The Apple, iOS, the Apple iPhone stores are much more stringent about reviewing code. So, I tend to err on the security professional's safe side and I simply use my password manager, my separate application password manager for all of those things that then can itself auto fill into the websites.
Anything to add, Tammy?
Nope, nothing to add.
Good, so a question Rockie and Tammy, just regarding financial transactions and any advice on separating those out from kind of all of your other internet business. Is that a good idea, bad idea, no impact to you? What are your thoughts on that?
So, I personally do this. What I do and I'm a little bit more of a tech head, right? But I actually run what's called a virtual machine that has a different operating system. So, I'm on a Macintosh and I run a virtual machine that also has a Linux operating system. So, all of my financial activity, my bank, my credit card, any of my investment websites, HSHs and things of that nature, anytime I actually want to log into any of those, I don't do it on my Mac. I actually spin over to my virtual machine, which is running a different browser, a different operating system and that is dedicated to my financial activity. Now, like I said, I'm the security professional and I'm the tech head. That's a lot of work for many people. Now, maybe a less complicated solution is just using a different browser. You can still keep on your Macintosh or your Windows operating system. If you typically use, let's say, Chrome or Internet Explorer or Edge now, sorry, maybe you download the Brave browser and dedicate the Brave browser or dedicate Firefox to only your financial activities because they're different. They're in their different kind of application boxes on the same operating system. So, a breach of your normal browser that you use for all the other types of web activity will not necessarily, or will have a much lower probability of, actually affecting the other browser where you're typing in your financial credentials and things of that nature. But also remember for the most part, all financial websites are also using multi-factor authentication. So, again, I like to keep them separate, that may not be for everybody, but that fits my risk tolerance.
Tammy, any ?
No, I agree with what Rockie said. I think the major theme, I think in security is about building good habits and then building those building blocks. There's no one silver bullet that's gonna prevent everything, but as Rockie said, right, it's putting up those different layers and understanding your risk tolerance so that you're at a level that you accept. There's no risk-free anything. It's about putting those layers in place and just making sure that you're not an easy target.
Got it, yeah. Yeah, I know in our house we've got just a separate tablet that we keep and it's just for our financial transactions.
Let's see. We're coming up here at the top of the hour. I don't see any more questions, so--
Real quick, Gary. There's somebody in the chat who actually wasn't sending the questions out to the whole group.
So, one of the questions here is are online password storage services a good idea? And the short answer, again, from my professional opinion is yes, right? We gave an example, KeePass as the password manager, which was a local application to your operating system. However, there is a version that is also cloud-based, which then gives you the ability to access your password manager from different devices. At the end of the day, there's a lot of really trusted ones out there. LastPass, 1Pass, the example that we gave was the cloud version of KeePass, KeeWeb, keeweb.info. But at the end of the day, the answer to that question from my perspective is yes. They are a good idea.
Great, thank you. Any other questions that I missed?
I think we just got multiple questions around making sure we'll be sending out the deck because they've been furiously taking notes. So, that means they're paying attention, which is good, and yes, we will be sending the deck out.
Oh, great, yeah. So, that leads me to some closing comments here. So, in terms of next steps to Tammy's point, we're gonna record the session. We've already recorded it. We will send that out. We know that we've got a number of clients that couldn't make it today. With that, we'll send out the deck. Also, I wanted to let the folks know that if you think you need more personalized attention, right, and you'd like to spend some time with Rockie and Tammy and do a vulnerability assessment, they are available to do that. And so, if you're interested and you feel compelled, reach out to your Family Wealth advisor, and we'll get you in touch with them and set something up. They take a couple of hours, they go through your personal situation and from that develop a set of recommendations, things you ought to do. But candidly, you look at all the ground that they've covered this afternoon, there are a lot of really good things here that I would encourage all of our clients to implement. And again, if you have any questions, just go through your advisor and we'll try and get your questions answered. So with that, thank you to Tammy, Rockie for your time this afternoon, for all of your help and a special thanks to all of our clients. We know that you've got a lot of different choices when it comes to wealth management and we are very thankful that you are our client and I can assure you, this team wakes up each and every day thinking about how we can better serve you, better serve your business and better serve your families. So, much appreciated and we'll sign off now and everybody have a great afternoon. Thank you.
Thank you, everybody. Take care.
Data theft is rising to a global criminal enterprise. Headlines of major ransomware attacks on municipalities and businesses are becoming the norm. But recent data indicates a new trend is emerging:
Hackers have expanded to a new lucrative target—affluent families and their businesses. We wanted to ensure your family is prepared.
Watch this video workshop, as founder of TrustedSec Rockie Brockway and KeyBank Senior Information Security Consultant Tammy Gedetsis, delve into a wide range of cybersecurity-related issues and topics focused around best practices to protect you and your family from the next cyberattack.
Hear from our experts, as they:
- Model best practices to apply across your family accounts
- Review the latest social engineering tactics
- Outline hacker motivations and why individuals can be valuable targets
- List additional best practices to safeguard your family and their data