Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Bee Cyber Fit: Online Safety Tips & Tricks from Yale's Chief Information Security Officer Jeremy Rosenberg

October 04, 2022 Wendy Battles/James Tucciarone Season 1 Episode 3

It's a fact: cybercriminals target everyone.  None of us are immune.

The more distracted, tired or stressed out we are - all the better for them to catch us off guard.

That's why we have to make cyber fitness a priority. 

Staying on our cyber toes is key to keeping our most important information safe and secure.

We talk at length about simple ways to boost your cyber fitness with Yale's Chief Information Security Officer (CISO) Jeremy Rosenberg. And he spills the beans on how he fell victim to a cyber scam and what he gained from the experience.

In this lively interview you'll learn:

  • What Jeremy does to protect Yale's data and systems from cyber thieves
  • How people get tricked into giving up personal information
  • Why we're more vulnerable to cybercriminals than ever before
  • How cybercriminals are upping the bar on targeting us
  • Why it's so important to use unique passwords across different accounts
  • How Jeremy fell victim to a phishing scam and what his story can teach us
  • The key question every person should ask themselves to build cyber fitness

Lean in and listen to Jeremy's wisdom and insights. Plus, find out how he became the standup comedian CISO.

Plus don't miss our buzzword of the day, human factor, explained in a simple way. 

***********

Call to Action:

Ready to get cyber fit with us?

Here's a simple call to action: Download our "Power up Your Passwords" checklist to help protect your most important online accounts

We invite you to learn more about the Yale Cybersecurity Awareness Program.

Yalies, in October, we amplify cybersecurity during Cybersecurity Awareness Month. Learn about what Yale is doing to increase awareness and get involved.

*******
Please Share What You Loved

Your feedback means everything to us! If you enjoyed this episode please rate and review on Apple Podcasts, Spotify, Google, or your favorite podcast listening app.

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

[show intro] 

Jeremy: It is actually easier for the bad guys to just trick you into giving them your password. Doesn't matter how much security we put on your email account, on your computer, if you hand someone your password, they have full access. There's nothing we can do about that. So as a result, what you need to be concerned about is just being vigilant and making sure that you're not handing over your credentials to the wrong person. 

Wendy: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyber speak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles. 

James: I'm James Tucciarone, together we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning and scholarly research. 

Wendy: Ready to get cyber fit with us?  

[intro ends] 

Wendy: Hey, everyone. Welcome to Episode Three of the Bee Cyber Fit Podcast. We're so psyched that you're here joining us today. This is the place to come for information, and a bit of inspiration about how to stay safe online in simple ways. 

James: Wendy, here we are in Episode Three, how are you feeling so far about the podcast? 

Wendy: I'm excited, James. I'm excited. I loved our first two episodes. I think we're finding our rhythm. And I have to tell you that I'm learning a bunch of stuff, not just cohosting it, but learning things about cybersecurity awareness as we go. So, I love that. Let me tell everyone about our episode today. I am very excited because it is our very first guest episode, and are you as excited about that as I am James? 

James: Wendy, we've got a really good guest today. So, I think I might be. 

Wendy: Yeah, me too. Our guest is Jeremy Rosenberg. He is the Chief Information Security Officer here at Yale University where we work. He's a wealth of information. Plus, he's funny, too. And he's going to tell us a little bit about his role, what he does, but also address some of the questions that non-tech people, like me, might ask to get a better understanding of some simple things that we can do. So, I think it's going to be a really interesting episode. But, first, let's find out about our buzzword of the day. 

James: Do you know what's increasingly seen as the biggest risk in cybersecurity? Most experts agree the human factor is the weakest link when it comes to protecting data and systems. Stay tuned to find out who the human factor represents, and why it plays such a big role when it comes to security. 

Wendy: We are back. I'm really excited that Jeremy Rosenberg is joining us today. He has all kinds of information. He's got wisdom, he might have a few jokes, but we're going to have a great conversation with him about simple things we can all do to stay safe online.  

Hi, Jeremy. Welcome to the Bee Cyber Fit Podcast. 

Jeremy: Hello, Wendy, James, thank you for having me. 

Wendy: We're so glad that you've joined us and being a chief information security officer, I'm sure there's a lot to that and we're going to ask you about that in just a couple of minutes. But we thought it would be kind of fun to begin our conversation today by asking you to tell us something interesting about yourself, something outside of work that you'd like our audience to know. 

Jeremy: Oh, jeez. Something outside of work. Well, sometimes when I'm asked this question, I just go with the fact that I'm Canadian, but in a weird Canadian way, that's like the most interesting thing but it's not actually. You know what, Wendy, you know what I did for a while before I was a CISO? I did stand-up comedy.

Wendy: Come on. No way. 

Jeremy: I am a stand-up comedian CISO. I don't know how those two things work together, but, yeah, wasn't for very long, but I enjoyed it. 

Wendy: I love it.  

Jeremy: Makes a lot of sense.  

Wendy: That does because you have a great sense of humor. I mean, what was that experience like, was it scary? Were you, like, "I'm crushing it?" 

Jeremy: Well, first of all, now I've completely set myself up, if I'm not hilarious for the rest of this podcast, it's going to be a great disappointment. I mean, it's a rush. It's a pretty scary thing, you'd be surprised. I really liked it. I've been in IT for many years, I like doing presentations at conferences and stuff and I just sort of said to myself one day, "I get a rush from talking in front of people, for whatever reason, why don't I try doing this comedy thing?" It was fun. It was fun for a while, but it's actually really hard to find places where you can do it. In fact, one of the things they require you to do is often bring people with you, like you can get up on stage on open mic night, if you bring five friends, while I was already 40 when I was doing this, and it's hard to find five friends when you're 40, [Wendy and James laughs] who will go out on a Tuesday night to a bar at 9 o'clock at night. So that was a limiting factor for my burgeoning comedy career. 

Wendy: I love that. And I'm going to tell you a little secret, Jeremy, I dabbled in stand-up comedy too. 

Jeremy: Shut the front door. [laughs] 

James: [laughs]  

Wendy: I did. I went to some open mics. 

Jeremy: Well. Now, I think we should do a buddy routine. 

Wendy: Totally. [James chuckles] Which is [crosstalk] going to be in our next episode. We're going to have to work on that.  

James: That'll be a whole new podcast  

Wendy: Absolutely. 

James: Yeah. The third podcast. 

Wendy: I love it. Well, we do want to welcome you very much to the Bee Cyber Fit Podcast. We have a few questions we wanted to ask you. I thought we'd start off in a really simple way by asking you what does a CISO do? If you were to boil it down to explain it in a really simple way for us non-technical folks, what is it that you do as the Chief Information Security Officer? 

Jeremy: Well, what do I do? I sit in meetings is pretty much what I do. What am I thinking about while I'm in those meetings? The answer is risk. You mentioned that it's a question that people have who aren't all that familiar with technology, what does a CISO do? But the truth is, technology doesn't have nearly as much to do with my day-to-day work. I mean, we certainly have very technical people on our team who are doing a lot of deep technical work, but for me, it's all about thinking about what are the biggest risks to the university, from the internet, from a cybersecurity perspective. 

Wendy: That makes total sense that there's a lot to think about, and I'm sure there are a lot of different risks that perhaps keep you up at night. Why is it so important to have this focus on risk? 

Jeremy: Well, because it's a matter of resources. We're Yale University, we are one of the top research universities in the world and that requires us to be flexible. We can't have a one size fits all computer network. A bank can lock things down and just say, "You're only allowed to do very specific things on this network." Well, we can't say that at Yale. We need to provide academic freedom for people who work and study and research here, they need to be able to use the network to get their work done. And so that means that we need to be sort of open by default. And so that means that we need to prioritize how we deploy the resources we have to protect the most important things. So, that's what I mean by risk. Figuring out where the most important things are, where the biggest risk is, and protecting those things and making sure that we're not actually over-investing by protecting things that are not as significant. So that's in a nutshell, why I focus on where is the greatest risk, and we have what we call a Risk-Based Program as a result.  

James: So, knowing that risk can be variable, what should we be worried about? What's the risk we should be looking for? 

Jeremy: I don't want to give people a false sense of security but the technology that we use has actually gotten a lot better than it once was. The Internet itself was sort of built without security in mind. It was free love, open Internet, let's communicate. It was only afterward that somebody said, "Oh, crap, there are bad people here, too. We better put some security on this." Over the years, we have improved. Your phone updates itself as soon as there's a security update, things like that. So, what's happened is, and don't get me wrong, there are still bad people out there who are hammering away at our network. We have millions, millions of blocked connections every day from places that we believe are malicious and trying to attack us. But for the most part, the technology does a pretty good job. And as a result, it is actually easier for the bad guys to just trick you into giving them your password because no matter how much security we put on your email account, on your computer, if you hand someone your password, they have full access, there's nothing we can do about that.  

So as a result, what you need to be concerned about is just being vigilant and making sure that you're not handing over your credentials to the wrong person. That's not easy to do, but that is what I recommend people be thinking about is that if you're going to get compromised, that's how it's going to happen, someone's going to trick you into giving them your stuff. 

James: Right. We actually talked about that in our buzzword today. How technology has evolved, and that it's people that are actually the biggest risk. Maybe it's time for us to evolve and become a little more secure as well. 

Jeremy: That's a great point. I mean, there are definitely colleagues of mine who will say, "What is he saying? This stuff is not nearly as secure as we would like it to be." It never will be. It's an arms race, but the truth is, there was a time when we had to be concerned about brute-force attacks from the internet. At this point, that's just not where the bad guys are putting their resources, they're putting their resources into social engineering. 

James: What's the difference between a brute-force attack and social engineering? 

Jeremy: I may be overloading the term brute-force attack. Strictly speaking, a brute-force attack is when they come in and try every password imaginable until they get the right one. They try ABC123, ABC124, ABC125, until they've run through the entire dictionary, they don't actually use the whole dictionary, because unfortunately, we're all pretty predictable and we use a bunch of fairly common passwords. So, they'll use those first and they hammer away at them until they get the right one. So that's what we mean by brute-force, just take the power of the computer and fire it at something until it gets through. We're kind of wise to that, we don't let you hammer away at our systems anymore. If we see somebody trying that we can stop them, we're looking for that. So that's an example of where a technique that they used to use, we've sort of defeated that. So now it becomes an arms race where they now have to try something new. And so things like sending out phishing messages.  

And then for a while there, they could send out a phishing message, if they got you to tell them your username and password, they could log in and get your email. So, we put multifactor in front of it, we said, "Okay, now you also have to have your phone with you." If they don't have your phone, they can't use your password, except now they've started to trick people into answering the Duo Push, the phone piece of that answering their second factor while they're logging in as you. So, they've upped the bar again, and so we sort of end up in this back-and-forth game. 

James: Wendy, that's something you and I talk about all the time, how these bad actors, these cyber criminals, they're constantly coming up with new ways to try and fool us. 

Wendy: They really are. I think it's interesting in hearing what Jeremy is saying, James, that we're doing all kinds of proactive things to address what's going on. And as the cybercriminals up their game, we up our game too, but of course, there is always going to be the human factor. As Jeremy just mentioned, they're finding even more sophisticated ways to get to users because I know back in the day, it seemed it was so much more obvious that someone was trying to trick us when you get those emails, and there were a lot of misspellings or grammatical errors, and you could very quickly tell this doesn't seem legitimate. But, today, they've advanced so much, they're so sophisticated, that it feels like it's easier to be tricked. And we have to really stay in that vigilant state that Jeremy's talking about. 

Jeremy: Yeah. We've gotten busier, things have become second nature, it's just we're more comfortable with our technology, where we used to sort of have to really focus on simple tasks on the computer where our fingers just fly by now. It's just the world changes, and we have to stay on top of that. 

James: I think that makes it harder for all of us. We're also busy, and who has the time to inspect every email or text message or website, but if we're not vigilant, any one of us can become a victim of one of these scams. 

Jeremy: It's true, but we need to be careful and not be fatalistic about it. Yes, chances are one day, one of us is going to slip up. But I think that just some of the small simple tools that you both put on the Yale website that you talk about in your newsletters, and here on the podcast, a little bit can make a big difference like small things can make a big difference. It isn't inevitable that you're going to be a victim of this. 

James: That's a great point. 

Wendy: Yeah. I really think it is because the reality, as we just mentioned, is that we're all so busy. So, if we gave our community a laundry list of things to do, do these 20 things, it's not realistic. Being able to share a couple of simple things that people can do, or a few things to make them more aware might ultimately help change their behavior or that of their kids or their parents or their grandparents because we always like to think about the extension that it's not just our work life, but of course, as we know, our work life and our home life is so intertwined. Sometimes it's hard to separate, so we can also share this information with those people in our family or our friends who could also benefit from some of this learning. 

James: Yeah. Absolutely, I find it helpful to talk to my daughter who's a teenager and lives on her phone. To talk to her about this stuff helps put it in perspective for me, it helps ground me. I remember I sat her down and sort of, I realized she was using the same password for everything. She uses Instagram, Snapchat, TikTok, or whatever she's using. I pointed out to her, I just sort of painted the picture for her, how would you feel if somebody actually logged into your Snapchat as you and started posting things. Well, she was mortified at the thought. I said, "Okay, well, here's a password manager." This is how a password manager works, and now she has a password manager, which then manages the different passwords she has for each of her services. And so just grounding in that real-life example, I'm hoping, I've helped her sort of set the stage for the rest of her life. 

Wendy: I love that idea that you're talking to your daughter about this and having conversations and helping her see what she could do to change. I love the fact that she actually is using a password manager because I'm not sure how many young people are doing that. 

James: Wendy, I think even more generally, people may not be doing that. A lot of that is probably awareness. To that point, one of the questions we see a lot is why cybercriminals would be interested in us. Jeremy, maybe you can tell us, why are cybercriminals interested in the average person. What do they want from us? 

Jeremy: Yeah. That's a great question. One of the things that struck me the most when I started to really get into information security, was just how little a cyber-criminal needs to get in order to make the scam worthwhile. The bar is really low, they don't need much. And I think one of the reasons is, because as little as we may have, they probably have less. So, there are a lot of cyber criminals from places in the world where there's significantly worse poverty than where we live. And what seems like an insane amount of time and effort for a very small payoff to us, is actually a significant payoff to them.  

The other thing is, what often happens is that the scam that you are being targeted by is actually just a small part of a much bigger scam. So, an example is, especially at the university, you can get a lot of free services because you have .edu email address, because you can prove that you are affiliated with Yale University, you can get free data storage on Amazon, for example. And so, what we've seen is concerted efforts to take control of people's email accounts, and the only purpose is to sign up for these free services. And the only reason they're doing that is that they're actually building up-- they're collecting up a bunch of these free services, and then using that to launch a bigger attack somewhere else.  

It makes it hard because we would like to think that we are savvy, and like I do, making risk-based assessments on how much effort and resources to put into securing any one thing. And someone saying, "Well, I'm not going to put a lot of effort into this, because nobody cares about my phone." But the truth is, just having access to your phone number can be something that they used to then sign up for services that they can then use to launch some other attack.  

James: That's really interesting. Wendy, we so often talk about our personal data and our financial data as being two of the most common things bad actors are looking for. But we don't usually think about the less obvious and more innocuous things, like a simple email address. But even that could be useful to an attacker. So, it's really something to think about. 

Wendy: It really is, and I don't think most people, probably the average person would necessarily know that is all news to me, and I'm guessing it may be to others as well, because, I think we often think of like big breaches or something really bad happens, but not these small things that can lead to something bigger that we might think of as sort of nothing, "Oh, that seems like not a big deal." Which ultimately, it could be potentially. 

Jeremy: The truth is wherever you work, you probably have a computer account there. You only have to get one account at Yale to get in and start to make your way through our network and find other things. So, getting control of a Yale computing account, any Yale computing account already gives you access to our network where you can sort of start to get into trouble. So there really is a shared responsibility for everybody who works here to do their small part to protect the bigger mission. I know, that's something a theme that we've talked about with our program, but I like to reiterate that. This is a prestigious institution that we work for, and we all sort of have a responsibility to do some part to protect it. We do our jobs and part of that is being careful to be good stewards of Yale's resources. 

Wendy: Absolutely. As we're coming to an end in our discussion, because you know Jeremy, we're going to have to have you come back. This is just the beginning- 

Jeremy: Oh, I'd love to. 

Wendy: -to scratch the surface of all the things we can talk about regarding cybersecurity and awareness, and what we can do, but I'm kind of curious about if either of you has ever been a victim of a scam. Jeremy, have you ever been a victim? 

Jeremy: Yeah. I mean, it's hard to admit even for me, and I know that there's nothing to be ashamed of. But I fell victim to a pretty sophisticated phishing scam once. I guess I share the story so that people don't feel stupid if it happens to them. But what happened to me was, I had a brand-new iPhone, when they first came out with the really big iPhones, I was so excited, I got one. I was sitting in a mall waiting for my wife and daughter to shop. And somebody ran by and grabbed my phone right out of my hands and took off, and it was upsetting. It was a really alarming thing.  

Wendy: No kidding.  

Jeremy: But I immediately did all the right things. I went and found my wife, I took her phone, I used it to lock the iPhone, put it on Find My iPhone, they'd obviously turned off the phone as soon as they grabbed it. When you have Find My iPhone turned on, they can't unlock the phone, the phone cannot be used if there's an account connected to it. And so, I went and got a replacement phone through insurance and everything. Got a replacement phone, had the phone number ported over to it. So, I had my same phone number back and went back to my life, shaken up and holding my phone with an iron grip everywhere I go. [James laughs] To this day, I do. And so then a week or two later, I was rushing from meeting to meeting, it was the middle of the day and I got a message. It was a text message, I didn't clue in that it wasn't a pop up but it was a text message that said, "Find My iPhone has found this phone and it had the name of the phone that had been stolen. Click here to see where it is." Well, of course, as I'm rushing along, I'm like--

Wendy: I want to know where my phone is. 

Jeremy: Yeah, I had a rush of adrenaline like, "Oh, I wonder where maybe I can tell the police or something." And so I tap on it and it asked me to log into my Apple account and I log in. And then it punches me back out to the Apple homepage, which is not what should have happened, it should have brought up a login and I immediately realized that that was not an Apple webpage, I just punched my username, password, and second factor into. They had put up a page that I fell for and put in my credentials, and then they immediately took those credentials and replayed them into the real Apple website. So, I immediately went and changed my Apple password and everything, killed all the sessions, revoked all the tokens, whatever I could do, but the phone that was in Find My iPhone had already been released from my account, which meant whoever had it could now register it as their own. And so, the entire operation from grabbing my phone in the mall, to sending me the text, to building a custom piece of software that put up a fake Apple website and then immediately, at a computer speed because they had less than a minute before I locked them back out, the program they'd written immediately logged in as me, unlocked the phone, and the whole scam was done.

So, it was a very sophisticated attack, I felt super stupid. I replayed it in my mind a bunch of times. One thing that I could have done differently is to take a breath. In fact, it wouldn't surprise me if they did it at 1:45 in the afternoon knowing I would be or right at 2 o'clock or something knowing that I would likely be in a busy time between meetings, that's how much they think about this stuff. So, if there's any lesson that I can share with all of you is, don't rush. Urgency is the thing that they prey on the most, they create urgency; they prey on urgency. If you can stop, take a beat, and think about what you're doing, you have a way better chance of staying a step ahead. 

Wendy: I have to say that is such a shocking story. I mean, I think just the part that you're just sitting there with your phone and someone grabbed it, number one, because it feels so bold and brazen. 

James: For me, it's that they were so organized and even followed up with a fraudulent Apple website. It's pretty clever. 

Jeremy: Well. There was no point in stealing the phone if you didn't already have that part figured out. That's what I realized.  

James and Wendy: Right.  

Jeremy: I was like, "Why would they--?" They know that a phone is a brick once you steal it. So, I realized now they had it figured out from start to finish. When the police showed up, it was the fourth phone that had been stolen in that mall that week, they were just-- that's what they did. 

Wendy: It was an operation to try to figure it all out. I think that illustrates so beautifully. Not that we want this to happen to anybody, but I think it's a great window into how these things happen. It goes back to what we were saying before, "Why would they be interested in me? What do I have?" And I think that speaks to, we might not think we have something that they want. But there are many things that cybercriminals may want from us on a whole bunch of different levels, especially when we are so busy, as you mentioned, Jeremy, and distracted, they really do leverage that in a host of different ways. So, it's eye-opening to hear you talk about that. 

Jeremy: I'm glad, I could share. And I hope you don't all think less of me as you see, so now that you know I fell for the oldest scam in the book. 

James: Hopefully, our listeners will be encouraged by that story. It really shows us that any one of us can be affected. And I think the takeaway is we need to pause. Just take a minute and then come back to it with a fresh set of eyes. 

Jeremy: Well put.  

Wendy: Yeah. I think that that to me, and in hearing, you actually shared, Jeremy, so many different tips in discussing this. You talk to your kids about this and have a conversation about technology and security and privacy and help them be aware of what they may be sharing unknowingly. And then what you both have mentioned is this idea of pausing, trusting our gut before we just react, it's human nature. Something happens, you want to immediately take action, and we don't always think it through. I really like that both of those suggestions that you've made in our conversation today is as great takeaways for all of us to be thinking about. 

Jeremy: Well, it's my pleasure.  

Wendy: It was awesome to have you come join us, Jeremy. This was so much fun, such a pleasure, and I found out that you were a stand-up comic too, just finding out all kinds of cool things about you. I think we're like kindred spirits.  

Jeremy: It would seem. 

Wendy: Right. I love it. So, thank you so much for your time. And we will definitely look forward to inviting you back in the not-too-distant future. 

[show theme music] 

James: Here's the buzz on the human factor of cybersecurity. Our devices and digital resources continue to evolve and become savvier and savvier to threats and risks. And this helps make our work devices and data, and our personal devices and data more secure. On the other hand, the human factor represents us, and the actions we take or incidents we cause that result in a data breach. Truth be told in 2021, 84% of organizations that experienced a security incident found it was caused by user mistake. Cybercriminals already know the human factor is the weakest link, and that it's much easier to hack a human.  

In fact, in many cases, a cyber-attack can't even be successful unless someone falls for it. And that's why mitigating vulnerability starts with increasing security awareness because cybercriminals target and exploit people, it's critical we know where we're most vulnerable, how attackers are targeting us and the potential harm when we're compromised. To stay informed and ahead of bad actors, visit the Yale cybersecurity website for resources and other helpful information. Subscribe to the Bee Cyber Fit newsletter and be in the know about current cyber scams. And listen to the Bee Cyber Fit podcast where we're simplifying cybersecurity for everyone. 

Wendy: James, I really enjoyed our interview with Jeremy, and I learned a lot. I thought it was really interesting to hear his perspective as the Chief Information Security Officer at the university talking about some of the things that he's concerned about. But I also found his story to be so compelling for him to talk about what happened to him. And the truth is, it could happen to any of us. It doesn't matter how much money we have, how much education we have, or where we live, we're all vulnerable to cyber criminals in many different potential ways. 

James: That's so true, Wendy. And I'm so happy we were able to get Jeremy to join us today. And his story was really fantastic. I love that he was willing to share it with us, and hopefully, it encourages other people to share their stories, and as you said, shows everyone that we really are all vulnerable. My favorite thing that I learned today was that you and Jeremy both tried stand-up comedy.

Wendy: Right. Who knew? I had no idea. Although knowing the outgoing person he is, after him telling me that, I'm not at all surprised. What I do remember about my experience during standup is that I was so incredibly nervous. More nervous than I've ever been, I think, about anything. That total butterflies-in-the-stomach feeling. I did my first open mic, it was at a small venue, it was at a coffee house, maybe 30ish people, we're not talking about some huge stage, but I was so nervous, I was going to forget my jokes. And I tried so hard to remember them. So, I go up, I do it. It ends up being funnier than I expected. And when I was done, the other comics were like, "That was great." "Great said." I was like, "Really? Oh, okay, I guess I'm not too bad at this after all."

So, I got all this confidence and then I got ready to do it the next time, I was nervous again, of course, so nervous. But I had this idea, "Why don't I try all new material?" Anyone who's a stand-up knows that's not what you do. I went through this whole terrible feeling of being incredibly nervous, and then not doing that well the second time around.

James: I can imagine that. That must have been very stressful the second time around, but I will say that I think it's interesting that you mentioned that you were nervous and that there was so much to remember because I think that a lot of our listeners, and a lot of people who are new to cybersecurity, could probably say the same thing, that they're nervous about whether or not they do the right or the wrong thing. And that they might think that there's so much to remember, so much to learn. And that's why I'm glad that we're here to make things a little more simple for everyone and show them that it's really not that daunting to try to be a little more secure.

Wendy: You're right. It doesn't have to be so difficult, and we are trying to simplify it for people, just simple things that they can do to make a difference.

James: That brings me to one of my favorite tips that Jeremy offered, which is using unique passwords across all of our accounts. And by unique, we don't mean the same password with a different set of numbers and characters on the end, but something actually unique. And that's because if a cybercriminal gets a hold of our password for one account, then they pretty much have the passwords for all of our accounts.

Wendy: Yeah. That's a problem. We don't want that. And to make it a little simpler, we have a really easy call to action for all of you. We've included in the show notes a worksheet and we encourage you to list a few of the accounts you use most often, those accounts that are most important to you to protect. We want to encourage you to update your password if it's been a while. And also, you can indicate if you are using multifactor authentication on that account. Whenever possible, we highly recommend it for that added layer of protection, because, James, it's really those simple things. We're talking those little steps that can help make things more secure.

James: Absolutely. Those are two really great little steps, updating our passwords and making sure we're using multi-factor authentication.  

Wendy, that's all the time we have for today. So, until next time, I'm here as always with Wendy Battles, and I'm James Tucciarone. We'd like to thank everybody who helps make this podcast possible. And we'd also like to thank Yale University where the podcast is produced and recorded. 

Wendy: Thanks everyone for listening. We really appreciate it. And remember, it only takes simple steps to be cyber fit. 

[Transcript provided by SpeechDocs Podcast Transcription]  
