Host Adrian Vernon is joined by the usual cast, Daniel Spicer and Chris Goettl, to talk about Cyber Security Awareness Month and some of the best security practices from experts that have seen it all! The conversation includes:
Host Adrian Vernon is joined by the usual cast, Daniel Spicer and Chris Goettl, to talk about Cyber Security Awareness Month and some of the best security practices from experts that have seen it all! The conversation includes:
Adrian: Well hey everybody, welcome to another edition of Ivanti Insights. I'm Adrian along with Chris and Daniel, who I'm normally joined with, our usual cast of characters. Guys, we are smack dab in the middle of cybersecurity awareness month here in the United States. October, every year, cybersecurity awareness month. You guys were sharing with me offline that when October rolls around, you're thinking oh man, I need to swap my credit cards out, and that made us think today would be a great day to talk about just personal tips. We'll get into some travel tips as well as the holidays are right around the corner and some travel bans lifting, but let's start with this credit card piece. You both make a regular habit when October rolls around to swap and rotate your credit cards. Daniel, let's start with you, tell us a little more about how you handle that.
Daniel: Yeah, absolutely. So depending on the card, I typically rotate my cards either every year or every six months, it's very easy to like take out a little bit of cash. I call the card company and say hey, want to cancel this card and get a new one, and that's worked out really well for me. You know, there's a lot of services and websites that we use just one time or once a year, and then they save the card. And I can't tell you the number of times that I've been saved here where I've canceled the card recently a month or two later, that same service where I use the card will tell me they had a breach, right? They'll tell me to go and change my card and offer me all this identity protection, but I'm largely unaffected because I've already rotated my card.
Adrian: Chris, how about you, you're pretty much kind of following the same model aren't you?
Chris: Yeah, absolutely. No matter where you are in the world. No matter if you're traveling, no matter if you're just a home body, you're using your credit card online, you’re using your credit card in a variety of different retailers, fast food places, restaurants, anything else. You have no control over which one of those is going to end up getting involved in a credit card breach or skimmer was being used at a gas pump or in a retail shop. Being able to cycle out your card, and all it takes is really just changing the date and the CVV on those. That's typically enough to make it so that it'd be very hard to duplicate that card if it were compromised in part of a cybersecurity breach. But doing that, to Daniel's point, I've definitely had the same thing happen where within a couple of months of that, you see that your credit card had been stolen. You're already secure, you don't have to take any action. So you can plan for those events to happen because when you do that, yes you're going to have to go to Amazon. You're going to have to go to all the places where you are using your card regularly, and you're going to have to update that. And you can plan for it and you can get all those things changed over very quickly, rather than have it be a reactive situation when something is inevitably going to happen.
So I'm a huge fan of doing that, I've been doing it for years and like Daniel, a year is probably the most that I ever typically wait for that, and I've been covered fairly well for several years. At the end of our last episode, I did mention my summer vacation with the family this year, I did end up having a card be compromised in under a year for the first time in a long time, but a year is a pretty good mark.
Adrian: Well I'll tell you guys, you guys have sold me to be more proactive, especially thinking about this during cybersecurity awareness month. I can tell you, I have a number of credit cards like we all do, but my American Express card in particular, twice in the last year had been breached. So I've had to change it twice, and that wasn't even proactive. I had to, after being notified and then having to have to go through the whole hassle of saying, oh, no, no, no, I didn't make that charge, and in essence, defend myself to American express. So I like what you're saying that proactivity I think could help me down the road. That card in particular just seems to be cursed on my end for one reason or another. And when you think of cybersecurity awareness month, just thinking of personal tips, what you guys may do a little differently or as part of your monthly or annual cycle when this month rolls around? What else outside of credit cards may you each personally do?
Daniel: Yeah, so just to kind of continue on the theme of credit cards just for a second longer, one of the things that I do is call the credit card companies and modify my upper limit for fraud. It's very rare that I'm spending large amounts on my debit card or my credit card, and so reducing it to a couple hundred dollars so that I can buy like a big grocery order or electronic at Best Buy. It is normally enough for me, but most cards have default limits somewhere around $1000, $1,500 and let's face it, we're not making those kinds of purchases on a daily basis. So reducing that a little bit actually goes a long way to help reduce potential fraud against your account. A couple other things I just do in my daily life as much as possible, I am moving to paperless alerts. You know, every time you get a bank statement or some kind of a bill that does potentially expose you, if someone was to steal your mail, they can get an incredible amount of data. For the things that I can't go paperless on, I have a micro shredder, and I shred anything that has sensitive information. Dumpster diving is still an incredible source of personal information. You know, going in and shredding the mail every once in a while, actually kind of feels good sometimes if we're to be honest.
Adrian: It's almost like a weight is being lifted in that way, right?
Daniel: That's exactly it.
Adrian: I had someone once advocate that oh, but you know what, I'm not shredding this, but I'm ripping it up a little bit. But they’re still decent size piece of paper from their bills, their credit card bills and what have you, but they're putting it into recycling, and saying well, people aren't really diving into recycling because it's going to be recycled. Can you guys speak to that, does that make any difference? Recycle versus dumpster?
Chris: One thing that happens is human behavior in general, is something that threat actors will pay attention to. If you had the idea, chances are a whole lot of other people had the idea. That's not going to be a deterrent in that case. For those of you who don't want to buy a shredder, another way to do that is if you have a fire pit, guess what your kindling is? Roll up a few bills and start your fire pit with that or occasionally have just like a little mini bonfire in your fire pit and catch up on your burning as well. So there's a variety of ways you can do that, but I do the same thing. Anything that go paperless wherever possible and anything that you still do get on paper, burn those or shred them and dispose of them properly. Because yeah, even a little bit of information off of there could be enough for somebody to get enough about your idea.
Daniel: Adrian I'll be honest with you, we had a paper only disposal at an organization I used to work for, and we stole the entire bin. And some of it was ripped apart, it wasn't hard to put it back together but honestly, it was nicer than dumpster diving because the smell was a whole lot better with the recycling. I'll be honest, it's actually easier to put those things together because there isn't as much other gunk there, so yeah, recycling's not a go.
Adrian: Oh, so what you're saying is that if you're going to go dumpster diving, that's a cleaner path, that's a cleaner way cleaner way to go. That actually makes sense. I'm going to forward this podcast to my friend after we get this episode edited. All right guys, let's transition to travel because of a couple of things in the news recently or just in the last couple of days. So the Biden administration here in the US, they're lifting the ban for fully vaccinated people starting in November to come across both the Mexican and Canadian borders. And then also lifting air travel restrictions from 33 countries for those who are fully vaccinated. So slowly and booster shots are right around the corner for folks. In fact, it's already started in some regions, so slowly but surely the world is really starting to open up. We all have traveled a little bit recently, so people are hitting the airports. Starting to see the crowds get bigger and bigger in the airports, people are starting to take flight. Holidays are right around the corner, what should we keep in mind as people look to get back to traveling, especially air travel? What should we keep in mind from a cybersecurity perspective, Chris?
Chris: Oh, let's talk about devices a little bit first. So basic cyber-hygiene is important for all of your devices. You may be traveling with phones, tablets, laptops, whatever it is that you're bringing along with you, think about is your device up to date. Do you have a strong passcode or biometrics in use on those devices? Especially for the traditional desktops or laptops especially. Have you updated those? It's not uncommon for updates to be a little bit behind for people's personal devices. This last patch Tuesday, October patch Tuesday, there was a zero day on the windows platform and on the iOS platform. So it doesn't matter what platform you're on, what type of device you have, all of these devices have vulnerabilities that regularly need to be updated.
So before you go traveling and in general, you want to just do this regularly, make sure your devices are up to date. I had a really good question from somebody on our patch Tuesday webinar earlier this month, they asked the question around the iOS update. If I'm on the iOS 14 version, am I vulnerable? Well Apple hasn't been very forthcoming and they're usually very closed mouth about it, so most likely you are, but they only released the 15.X version. Another thing you want to do is try to keep up with the upgrades to the latest branch of whatever device you're on too. If you're still on 14 or 12 for your iOS devices, it is best to get up to the 15 branch and keep up to date with your updates there as well. They're going to be maintained better and more quickly. So vulnerabilities are a big thing, but securing your devices is something you want to look into before you'd go traveling.
Daniel: One of the things as a general practice I do around WiFi security is to make sure that I'm not always connecting back to the network. So there's always this checkbox on your devices that says ‘automatically reconnect,’ and I always uncheck that. What can happen when you actually get out in the world is someone can spoof that SSID, that access point that you're using and say well yes, of course I'm your house. Well no you're not, I'm out at the airport, I'm at Starbucks, I'm at the hotel, and so you're actually connecting to a rogue device that's trying to pretend to be you. Or in a point that you've accidentally access before, and that opens up to a man in the middle attack. So they can actually sniff all the traffic that you're sending, whether that's email or accessing your bank and anything else. So that's always something that I do as a daily thing. It's a little bit of a hassle, but it makes a big difference. Other things that I kind of prep for, there are certain things that I always pack to go with me before I leave, one of those key things is a little WiFi router. It's probably about 60 bucks, it plugs directly into whatever the point is in the hotel that I have to go to. So instead of connecting to the hotel Wifi, I'm connecting to a known trusted device that I set up and that I know the password for and nobody else does, and I'm not really sharing that connection with anyone. And a lot of these devices already have the ability to hook up VPN tunnels on them, so you don't have to actually connect to the VPN anymore. It's already establishing a trusted VPN connection for you. So that's something I always pack with me if I'm ever going to be in a hotel room.
Adrian: I want to talk about kind of bringing a second phone along in a minute, but how about if you have your cell phone with you and you have hotspot capability, how secure are you if you use that hotspot instead of say connecting to a hotel WiFi or an airport WiFi?
Chris: Yeah, so always best to connect up to a network that you know and trust a bit more. So your cellular provider, your cellular data is always the best way to go when you're traveling. When you start connecting up to WiFi in any location, whether it's the hotel, a coffee shop, at the airport, the risk goes up significantly. So if at all possible keep your cell phone to using your data plan, rather than connecting up to WiFi. I know it’s challenging. I made the decision to connect my whole family up to an unlimited data plan, and boy am I glad I did because I looked at how much my kids stream over YouTube oh my bill would have been nuts, but it really does keep you a lot more secure. So that is one thing that's really important there. If you do have to connect up to WiFi, as Daniel mentioned, having a device that can separate you from that risk…You know, one of those little WiFi secure routers that you can plug it in your hotel room and connect through, that gives you a buffer between your devices and kind of the wild open network of whoever else might be connecting up from the same location you're at. So those are a couple of things that definitely are good tips when you're traveling.
Adrian: Daniel when you're traveling, I think I heard you said offline that you will not always bring your corporate laptop with you, you will also bring a second phone, what some might call a burner phone to ensure you keep attackers at bay, away from your core stuff. Tell us a little more about that, how you approach that and why.
Daniel: Yeah, I'll start by saying it always depends a little bit on your personal risk. For me, when I'm traveling, I have to consider that I am the security person in an organization that if I'm traveling to conferences where other security or technology folks are going to meet, that's an excellent place for a threat actor to stage what's called a watering hole attack. You basically know that all of your potential targets are in one spot. So rather than phishing individually, they kind of come to you. And so when I consider where I'm going and what I'm doing I may consider bringing another device, typically a Chromebook; I have a Chromebook that I specifically use for travel. And when I'm done, I wipe it back to firmware defaults and upgrade it back up again. It doesn't take a lot of time to do, and it's a small price to pay to make sure that I'm not putting the organization at risk. If I'm visiting some of the cyber-risky countries over in the other side of the world, I also bring a burner phone. One of the things that's really helpful about that is just having a SIM card that is right for those networks. But also I don't need to do all the internet browsing and such that I may have to when I'm doing regular work in the states. So I have a burner flip phone, I get a SIM card that's local, and I use that for the duration of my stay.
Adrian: I got to tell you, trying to stay secure, it's work right?
Daniel: It is.
Adrian: It takes some effort, and not everyone would even think of doing that. I certainly know I'll go out there, and I certainly do some of the basics that we talk about, but I have never thought of bringing a burner phone or this extra Chromebook, as you mentioned, Daniels. So those are some things for me and for others to think about down the road. And guys, we're kind of winding down here, final parting thoughts. Anything that we didn't cover, that you want to make sure you leave people with in terms of cybersecurity awareness month tips. Whether it's at home, at the office, traveling, Chris we'll start with you, final parting shot.
Chris: Okay, let's talk about one of the most essential things that everybody needs when they're traveling. Your power needs, wherever you plug in your device, it's with a potential risk. If you're plugging into a USB port anywhere, any of those could have been tampered with and then used to basically put a device in there that basically will be able to load malware onto your device through that USB cable. So it's very important to make sure that you're using methods and devices to connect up to get power that are more secure. The best way to approach that is to bring a battery pack. It's not too expensive, I've actually got a variety of them that I've either picked up from shows that I've been to, or a couple of ones that I got personally as well. I've got enough power packs to manage all the family's devices for very long days traveling, charging multiple cell phones or tablets or things like that fully if needed. So everybody when we travel, the family has a travel battery pack and we have a couple of spares besides that, that we make sure we've got enough power to get us through what we're doing. If you do need to plug in, especially on like a flight or in an airport, the best thing to do is to plug into an actual outlet, and only with devices that you yourself brought. So you know, a lot of the charging stations and other things like that, again could have been tampered with. So best to plug in with devices that you know, that's just one of those essentials that we all absolutely need while traveling. A really good thing to plan for.
Adrian: I love it. Daniel, your final parting thought.
Daniel: Yeah, just think about how you're using your social media accounts when you're traveling, and there's really two things to look at here. The first one is posting that you're out of town or that you're going for a trip or posting pictures from your destination notifies crooks in the area that you're not home. And that it's much easier to go and burglarize your house. On the reverse side of that with GPS technology and auto-tagging features, it also helps crooks that are local to the area know where you may be and where you may be staying. That's a lot harder to track down, but it could potentially be used in combination with a little bit of social engineering, for someone to figure out what hotel room you are in. Or even convince a receptionist to get a key for the hotel room and steal stuff while you're out and about and enjoying the sites. So just keep an eye on your social media usage. It's always best to share those pictures and let everyone know about your experiences after you get back.
Adrian: So what you're saying is if I'm in Hawaii with the whole family and using a battery pack for everyone, like Chris was saying, don't put on social media ‘whole family been in Hawaii for two weeks and we're going to be here another two weeks.’ That's a no-no.
Daniel: Absolutely not. Yeah and again, two levels of risk, right? That tells people that you're not home, it also tells people potentially where you're staying in Hawaii, so they can steal stuff from your hotel room as well.
Adrian: Oh yeah, good point about that. I could just put a note on my door saying we've gone to Hawaii, come on in.
Daniel: Yeah, absolutely.
Adrian: All right. Hey Chris, Daniel, always a pleasure. In the middle of cybersecurity awareness month, great talking, some personal safety tips, security tips, as well as travel tips and travel is going to start to open up real soon and holidays right around the corner. So happy rest of cybersecurity awareness month here in October for you guys, we'll talk to you on the other side. Ladies and gentlemen, thank you so much for joining us, and until next time, stay safe, be secure and keep smiling.