00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:11
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Steve Maresca and Michael Grande. Hello. So it’s the 21st, 21st you say, Cybersecurity Awareness Month.
Steven Maresca 00:24
It’s come of age.
Michael Grande 00:27
It’s legal now.
Jason Pufahl 00:29
And it seems like then it also hasn’t learned anything, because it’s the same set of things in a way this year that we’ve spoken about now at least the last few maybe, maybe with a couple of additions or maybe a couple of changes. But really, unfortunately, we’re still suffering from ransomware being one of the bigger issues, driven a lot by phishing, the success of phishing and the tendency for people to provide credentials, right? I mean it in that regard, I’m not sure that we’ve seen huge improvements.
Steven Maresca 01:03
But, this is the time of year where repeating yourself is actually a good thing. It’s secure your life online. That’s the general theme here, and it’s been the theme for a number of years, right? But the same problems continue. People are newly entering technology roles everywhere. People are retiring, leaving the workforce, and are targeted in different ways. All of this bears repeating so.
Jason Pufahl 01:29
So I like the idea of secure your life online, because I think we really need to continue to drive home that it is the same set of skills from the workplace to your personal life, right?
Michael Grande 01:43
And the distinction has been blurred, yeah.
Jason Pufahl 01:46
I mean, you just need to have those basic skills, right? You need to have the basic capabilities of reading critically and understanding what you’re being sent. Modify your responses to not, to not, maybe be hasty, right? Take some time to think through things. If people did those couple of things, I always tell people, you know, trust your instincts. Might not be the best thing, because maybe they have bad, bad instincts, but, but there’s an aspect of that, right? If you’re getting email from people that you that you don’t know, or if it seems to be written in, you know, just a tiny bit of a way, that just seems peculiar, because now you can’t trust grammar anymore as well. You certainly aren’t able to read something and say it was written by a non-native speaker. Because, you know, with the organized crime aspect of this, they’re hiring people to write these emails, or maybe they’re using ChatGPT.
Michael Grande 02:38
You just mentioned something you know, has that proliferated over the last five to 10 years, or is that inconsistent from an organized crime perspective, you know, as a criminal enterprise? Obviously, it’s always sort of had that then, but now feels like much more of a sophisticated, well oiled machine.
Steven Maresca 02:59
I mean, there’s truth to it. It’s more that as a general populace, we’ve all reached saturation and general understanding of that type of threat up until maybe five years ago, that couldn’t be said. There was a transition point around the time of interconnectedness, when people needed to talk to family members in far-flung locations, that everyone came up to a basic level of technology competence, generally speaking. So yes, it has changed over time, but now I think it’s shifted in that most people know what a multi-factor authentication is. Most people know they should be using it. Most companies and even individuals have deployed it, that means that some of the tactics have to change a little bit so there is additional sophistication, but it’s just chasing the reality that people know more and are better equipped. The theme is the same. A lot of the guidance is the same in Cybersecurity Awareness Month, but it’s still, you know, just a reminder that we need to be vigilant at the end of the day, or we can be even those who are attentive, tripped up by something that’s surprising us.
Jason Pufahl 04:08
Well, I think driving home, it’s less of an IT issue, because I think year one of 21 I’m confident the conversations were, IT needs to prevent spam, and IT needs to put a firewall in, right? All of that. And I think in year 21 of this, it is you have a personal responsibility to understand what those threats are. That’s why I think security awareness training is so valuable. I don’t know that it always works necessarily, but I think the concept and the content is hugely valuable to understand the organized crime aspect, right, the why behind some of these attacks, how they’re executed, and how you might better recognize them.
Michael Grande 04:47
And then, you know, out of sight, out of mind, when it comes to, you know, the repetition of the training, I think is so important. It’s really not just a, I had a training course three years ago, and I learned it all. It’s the, you know, consistency of it. It’s the you know, different aspects you had saying before you reminded me the old, you know, I think Reagan said, you know, trust, but verify. You know, and it’s hard. It’s hard to do that in every aspect of your life.
Steven Maresca 05:14
But it is intrinsic to most of the messaging in security awareness. That’s right, it’s worth repeating.
Jason Pufahl 05:20
Let’s talk about the verification for a second. Because, yeah, there are a couple of things that I know that we want to cover relative to this topic. And one, we have always told everybody, when you get an email, hover on the link and you will be able to tell whether it seems legitimate or not so and if we look behind us, yeah, right now, there’s a huge increase in the amount of QR codes that people are using, hugely convenient, but you can’t verify them as easily, and so we’re getting further, we’re getting further away now from the ability for somebody to actually make that decision for themselves, right?
Steven Maresca 05:54
I mean, we’re aware of attacks and email that have been delivered, because people know from MFA onboarding that a QR code is sometimes used. We have also encountered, you know, pay-to-park QR codes that have been replaced with a nefarious website, yeah? So you have to use some degree of subjective scrutiny in that moment to determine whether it’s legitimate or not.
Michael Grande 06:17
And for I mean, there was a period of time when you could walk into a restaurant you know, sort of right, COVID time frame, let’s say 21/22 maybe even into 23 where they didn’t have the paper menu anymore and they were just providing a code on the table. So it was, it was everywhere,
Jason Pufahl 06:35
And that’s still, that’s not going away. You’re still seeing restaurants that have stuck with that because it’s convenient for them, right?
Steven Maresca 06:41
But that now widespread familiarity is being weaponized. That’s right, main message. So you know folks who are using QR codes when you encounter them, you can, in fact, check the link. It just requires you poking a little bit further in your camera app.
Jason Pufahl 06:55
It’s just a little harder. Yeah, that’s all.
Steven Maresca 06:57
But yeah, it’s worth emphasizing. We deal with that type of a problem in multi-factor bypass attacks all the time, right? Yeah, and that’s an area of sophistication that people need to be aware of. If you’re getting a message that asks you as the recipient, to log in somewhere, you now expect to have an MFA prompt. If it’s a nefarious place that tricked you sufficiently to log in, well, you’re going to say, yes, that’s me logging in right now, and it’s actually the bad guy. So thinking about the tactics that are being employed as well, Hundreds. Yeah, yeah, we’re talking about sophistication of the phishing orchestration tools that the bad guys use, right? That’s why it looks the way it does, and why we need to be very, very cautious that there are other things in the mix here. I think that other emphasis in this year’s Cybersecurity Awareness Month re-emphasizes the importance about privacy and data leakage. Don’t put what you don’t want disclosed where you shouldn’t, make sure that you’re sharing a document with co-workers and only co-workers or only family members. Make sure you’re not over sharing. If you’re going on vacation, don’t put it on social media. Just being diligent about that type of thing remains ever present and ever required.
Jason Pufahl 07:28
And so that, I would say, maybe in the last year, maybe two, that has really changed, because we, without a doubt, our language around MFA last year was you have to implement it. We would never have said it was foolproof, but it was hugely challenging to get around. And this last year alone, we’ve seen multiple bypass attacks.
Michael Grande 07:51
How can I show off where I’m going if I can’t do it on social media?
Steven Maresca 08:37
Do it three weeks afterward!
Michael Grande 08:40
Oh, that makes sense, but
Jason Pufahl 08:41
So sharing data, then don’t upload data into your favorite AI platform.
Steven Maresca 08:50
AI, data exposure is a big deal. It’s a huge deal. There are a lot of people putting full documents into ChatGPT, not thinking a second about it, but it’s potentially being used for training purposes. Yeah, that’s a it’s a problem, yeah.
Jason Pufahl 09:05
But, do go in and play and make some fun images, and, you know, get a sense of what the tools can do. You should understand it, but don’t feed it your tax returns, right? Don’t repeat it, right? Don’t feed it personal information. And unfortunately, we’ve seen that all too often.
Steven Maresca 09:18
So to emphasize a point you made earlier. Jason, the personal private boundary is pretty thin. Being conscious of what you’re doing while shopping for the holidays coming up while at work, very important, right? Similarly, if you’re doing work on your personal computer at home or on your personal phone, same sorts of concerns. It’s pretty common now for us to encounter, you know, compromised work computer because of someone using it for personal reasons. That’s the risk. And it goes bi-directionally too, right?
Michael Grande 09:50
You know, you brought something up earlier, and it sort of really resonated with me, which is, you know, I think personally over the last year, I’ve had five or six friends of myself or my wife or family members who have had elderly members of their family taken advantage of, yes, and you know, sizable amounts of financial loss. And the first question always is, you know, what do we do? And I have to be honest, in some cases, it’s just it feel, you feel quite helpless for the individuals, because the sort of the the rote response is to contact certain authorities and start a process that really doesn’t necessarily provide resolution.
Steven Maresca 10:36
This is where the personal responsibility transcends to family members. Yeah, everyone here, everyone listening, probably has some vulnerable family member who is inclined to pick up a phone, sure and speak with a scammer or an advertiser. Talk to them and say, in advance, Microsoft, your bank, they’re not going to call you right if they do seem to be calling you. The number that they’re offering is not the real one. Call one of us for assistance. Don’t engage to fix a bill or get money back that you know seems to be claimed as a charge, right? Yeah, all of that is ripe material for scams, and at least just give them a sense of what’s common in the world, now is the right time before you need to say sorry the money’s gone right? Banks, CVS, grocery stores, all of the places that might be encountering people being victimized in scams. They know to ask those questions, but people can sometimes be very, very insistent, and sometimes money continues to walk out the door. So have those conversations.
Jason Pufahl 11:49
I feel like that’s a good PSA to end on, yeah. I mean, the QR code and MFA, that’s great. The reality is, yeah, take a little bit of ownership and have conversations with your family members. We all have, and it tends to be elderly people that are targeted. So speak with them ahead of time. I think that’s a great message coming out of this.
Steven Maresca 12:09
That’s it, be safe, secure, and we’ll talk to you again for the 22nd!
Michael Grande 12:14
Take cybersecurity month for a drink now. That’s true.
Jason Pufahl 12:17
Thanks. Well, on that note, I think we have to end, if anybody wants to talk about, you know, honestly, a conversation about how to actually have a conversation, and some of the threats that are out there who we can actually probably provide some advice. If you haven’t done MFA yet and you want to chat about that, we’re happy to do that because that’s mean, honestly, that’s sort of foundational to any security stuff now.
Michael Grande 12:44
And I always like to say, and if you’re not in the market for any type of loan or any type of financial transaction, freeze your credit. There’s no easier thing to do. And be cognizant of that. It’s an easy step.
Jason Pufahl 12:58
And they have made it a lot easier. Yeah, sure. So well. Thanks everybody for listening. And happy Cybersecurity Awareness Month!
13:05
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.