The Latest on Staying Cyber Diligent at Home

Tyler Podcast Episode 39, Transcript

Our Tyler Technologies podcast explores a wide range of complex, timely, and important issues facing communities and the public sector. Expect approachable tech talk mixed with insights from subject matter experts and a bit of fun. Host and Content Marketing Director Jeff Harrell – and other guest hosts – highlights the people, places, and technology making a difference. Give us listen today and subscribe.

Episode Summary

October is Cybersecurity Awareness month, but being cyberaware is something we must be every day. Cybersecurity subject matter expert Max Greene is back to give us the latest on the threat environment, plus give us the latest tips on remaining cyber diligent at home and on all of our devices. Do I really need a strong password? What about two-factor authentication? Did I really win a $100 gift card like the text I just received indicates? Find out on Episode 39 of the Tyler Tech Podcast.

Transcript

Max Greene: Over the last 20 years, the two biggest things out of cybersecurity that we've been screaming at the top of our lungs are, "Don't click on the link" and "Make a strong password."

Jeff Harrell: From Tyler Technologies, it's the Tyler Tech Podcast, where we talk about issues facing communities today and highlight the people, places, and technology making a difference. My name is Jeff Harrell. I'm the Director of Content Marketing for Tyler, and I'm glad you joined me.

Well, October is Cybersecurity Awareness Month, and so we wanted to bring Max Greene back. Max was on Episode #9 of the Tyler Tech Podcast, and he is an expert on cybersecurity. We wanted to bring him back to give us not only a refresher on becoming and staying diligent as we, many of us are working from home, and what's the current cyber environment like? How can we remain diligent? Is that text I just received from Amazon really a free hundred dollar gift card? What are some practical tips?

This is a great, very practical episode. I hope that you enjoy it and that you will share it with friends as well, because we all need to remain diligent. Without further ado, here is my conversation with Max Greene.

Well Max, I'm so excited to have you back. I know we had you last summer. I can't believe it's been over a year, back on Episode 9, and you helped us because back then, we were all new to working at home and you gave us some really practical tips on how to be cybersecurity aware while working from home.

We're going to touch on that because I think a refresher is not only needed, but important. But before we get to that, I wanted to ask you about October because October is Cybersecurity Awareness Month. If you don't mind, tell us a little bit about why is there one month and shouldn't we be cybersecurity aware every month?

Max Greene: We absolutely should, just like we should appreciate our pets every day and we should honor our parents and our children and all the things. Cybersecurity Month actually came together as a collaboration of really a lot of the government agencies and industry together to really get ahead of a flurry of cybercrime.

Sadly, Jeff, in the year that we've had since the last time I was on it's only gone significantly up. It's hard to really trust any of the stats or the numbers, but I mean every year there's just a steady increase and then this year was unprecedented. I mean, because I think we talked about last time that the ultimate advantage for cybercriminals is this world of chaos that we've been living in and taking advantage of the unknown.

It started with the World Health Organization fictitious sites and the CDC fictitious sites and the fictitious information out there. Then it just continued with things that were going to target specific to people that are at home. For everything from your Netflix account is compromised to that Amazon package we tried to send you is here, and click for the $500.

I think we've seen a huge uptick in text or smishing, or text message phishing, and I know that I've read at a few places that that will probably outpace business email phishing and personal email phishing just because it's so easy to get to the masses. It's really so hard to track down. We're really getting bombarded from all sides. We're always going to have email phishing. We now have that. We all have our phones on us all the time and sometimes it's really appealing and we're like, "Oh, well maybe we did win that $500, you know?"

Jeff Harrell: Right. Yeah.

Max Greene: Then, let alone the flurry of cyber calls, and even in our engagements when we do testing. We spoof the number as cyber criminals do, but I get calls now coming in that will say, "The state of Maine" or something ominous that feels like it's real, and then it's someone clearly in a call center telling me that my Tyler insurance isn't up to date and they need my insurance card, you know?

Jeff Harrell: Right.

Max Greene: It's definitely overwhelming, but I think you're right. It's something that we've talked about, but we need to get a refresher because I think it's harder to stay diligent when we've all been in our little bubbles and been remote, and it's not something we're talking about often. It's just something that's in the background.

Cybercriminal Tactics

Jeff Harrell: Well, we're going to hit on those specific tips here in a second, and you touched on this. I do want to talk about the most current threats, the new, maybe not new, maybe using the same old tactics, but what's the current threat environment? What are the things that cybercriminals are now? I know you mentioned current events and COVID situation and CDC. They're using these sensitive things that are happening in our lives to penetrate and to leverage. But what's the current environment like and what are the current tactics that cybercriminals are using?

Max Greene: We still have a ton of ransomware and malware in general, and of course that's always the easiest way to deploy that is through basic social engineering tactics. Through phishing, through text message, it's more typically they're trying to get your credit card information, but we are seeing a lot of apps that aren't vetted. If people aren't doing their due diligence and they're putting an app on their phone that can lead to compromise as well.

Phishing as a service is becoming more popular. Ransomware as a service was easily a billion dollar industry at this point. Now, using the same model just to get any kind of compromise has really become really popular. They operate like legitimate businesses in third world nations using sketchy tactics and they're well funded, and they got great customer service and they're just doing it around the clock.

Jeff Harrell: Just to remind everyone, phishing would be when is it usually email or it could be a bunch of different tactics when phishing is involved?

Max Greene: Phishing is typically considered email, and then sometimes people refer to phone calls as vishing, so voice phishing, and then the text messages are starting to be known as smishing, so SMS phishing.

Jeff Harrell: Is there a rule of thumb? I feel like I get more, as you mentioned, text messages now from out of the blue. People that aren't in my contacts list. I get phone calls, used to be from odd numbers, now it's from area codes that look familiar. Is there a rule of thumb that says, "If you don't know who it is, if it's not in your contact, just don't answer it?"

Max Greene: I mean, I've honestly, I've used controls in my phone. I know at least in the iPhone, you have the ability to say, "Don't even have it ring when it's an unknown number." I know that that's not applicable for everyone, depending on what your role is. But more often than not, if someone's calling you from a number you don't know, you're assuming they're going to leave a voicemail.

That's not to say that these fictitious calls won't leave voicemails. I get calls from, as I'm sure you do Jeff, the car warranty people almost daily. My student loan forgiveness and whatever they can do to get us on the hook and looking at our demographic and they target it based on that.

Jeff Harrell: Yeah. It feels like, and that's the rule of thumb I use. If I don't know the number, doesn't look familiar, I'll let it go to voicemail. My assumption is, if it's important they'll leave a voicemail. Sometimes I forget to check my voicemail just because I just don't talk on the phone that much, but that's a good rule. What about text messages? How do you respond to those?

Max Greene: Well, the best thing is to not respond to them. It's funny too. I noticed in the middle of COVID, the model started to switch a little bit. Where it wasn't just a direct text message to just me, but actually me and maybe 10 other people at the same time, just to let in more of a group message setting, allowing them to spray out even more potential targets.

Then you'd have people biting and doing the "stop" or "no," and it's honestly the worst thing they can do because it's just acknowledging that it's a live number. But the issue is almost impossible to completely stop it. The best thing the average user can do is just to block that number and look away.

The thing is that what triggers a lot of us is that so often it might be saying, oh, it's something up with your bank account or your credit card or someone's gained access to your Gmail or Dropbox or whatever it might be. The real mitigating factor that we can do as users is to ignore that message and then do our due diligence and log into whatever platform they're claiming to be for.

Call your bank, not from the number they texted you, but the number of the back of your card. Log into your online banking, log into your email, log into Dropbox. If there's actually an issue, there's going to be an alert in that account. That's really everything from Netflix, any account based thing, don't worry about the text message, log into your account.

Jeff Harrell: Got it. We've covered phone call, don't answer, let it go to voicemail. The text message, don't respond, go log in if you feel like it might be legitimate. What about email? Because we get a lot of email spam, some of it's just spam. It's just people trying to sell us something, but other times I imagine it can be more criminal than that. What about email?

Max Greene: Yeah. You know, it's a mixed bag, right? I mean, sales people are using social engineering tactics just as often as the cyber criminals. With email, it's just important to be cautious. Really, honestly, to take the extra second to be mindful. To look at the address, does it look familiar? Read the tagline.

What we're fortunate about is more and more, everyone from Outlook to Gmail's gotten really good at giving you a warning, of saying, "Hey, this person's outside of your organization." Or "This person's email looks like this person's email," and you'll get a little alert, and everyone should really take pause.

Sometimes, it's just the other day I emailed a colleague of mine through a Gmail he got that alert, but he knew it was actually from me and that's great that they're doing that. But it really, it's incumbent upon the user to really just take the extra beat.

 I know in some emails, I think really most platforms you can flag it and do the right click or the flag or whatever, it depends where you're in, but report it as phishing and that's really good to do as well. That will train your email that if it comes to that sender again, it's going to go right to junk or it's going to get deleted right away.

Certainly, if you open an email there's cases where you could be at risk just from opening it. But more often than not, there's going to be a link in that email and just absolutely avoid clicking on that link, and then once you click on the link, definitely don't provide any information.

Simple things, simple triggers that your gut should wake up to. If they're asking for credit card information, if they're asking for anything sensitive, if you're not expecting it, if you didn't initiate it, pretty good chance that they're phishing.

Jeff Harrell: Sounds like the rule of thumb then would be don't engage with the email. If you think it might be legitimate, go to your bank's website. You go to them versus them coming to you.

Max Greene: Yep. Yes, same principals to phishing. Visit the account and oftentimes, Jeff, it's not actually phishing, it's email compromise, right. That someone has gained access to your email and you're now sending me emails, and I know that I trade emails with you back and forth and so harder to catch in those times.

But again, reading the message, does it add up? If you're uncertain, take it out of cyber, take it out of the internet, pick up the phone. Message them in another medium to say, "Hey, did you really send this to me?" before you just blindly say, "Oh, well, Jeff just sent me this weird fun photo."

Jeff Harrell: Yeah.

Max Greene: And you click on the link.

Cybersecurity in Apps

Jeff Harrell: What about apps? Because I use my bank apps on my phone, and I authenticate with my thumbprint. Are those pretty safe?

Max Greene: Most apps that are going to be connected to our banks or major organizations are vetted and are safe. It's really important, just like it's important for us to power down and make sure that we're getting the patches and updates from IT, we want to be doing that with our phones too. You really want to keep up with OS updates because oftentimes that's releasing patches for vulnerabilities, and updating your apps as well for the same reason.

Being really cautious of downloading apps for the sake of downloading apps. Because a lot of apps are coming from shadier places, coming from different countries, haven't really been vetted or have a small amount of users and are either just full of bots that are going to try to scam you. Or, giving a lot of unknown permissions to the app that now, unbeknownst to us because no one's really reading those long user agreements, have a lot more control or insight to our phone than we're aware of. Especially tracking services, right? So many are doing that in the background and they can get a lot of information from that.

Jeff Harrell: So, be diligent about the apps that you actually load onto your phone. I wouldn't even thought of that. I was just like, "Oh, more apps the better."

Max Greene: Right.

Basic Cybersecurity Tactics

Jeff Harrell: That's good. Well, let's turn now to we still, a lot of us, are working from home. I think more and more people may even be working from home in a permanent situation. I think more and more companies are making that and offering that availability to their employees. Let's do a quick refresher on making sure we're being diligent as we're working from home. What are just some basic things that people should be doing as they think about being cyber safe at home?

Max Greene: Well, for starters, really definitely dedicating certain devices to certain activities. You don't want to be, and I think it's a trap that I'm sure many people fall into, especially because we have been remote for so long. But your work computer is still your work computer and your personal computer is your personal computer.

The sites that you're going to visit, you should be extra mindful. If you're on your work machine, you shouldn't be sending information that's confidential or work related to your personal email or bringing it down to your personal device.

More often, the most important is if you have the ability within your organization to VPN into your organization's network, that's really, that's crucial. Because that's going to ensure that there's still eyes on your traffic. The security measures that we've put on our networks throughout our organizations, and so that's really important that we're connecting to our VPNs, especially when we're dealing with any kind of client or customer data.

Jeff Harrell: Passwords seem to be the bane of everyone's existence because you're always having to change it. You can't remember them and it just, it seems painful, but I'm thinking you're going to tell me that it's worth it because I would imagine a good, strong password is one of the best ways you can protect yourself as well.

Max Greene: It absolutely is, really in every case and we all, I mean and I'll admit it myself that there's certain things that I'll get lazier on than not, and I'm yelling at myself that I'm not even eating my own dog food. I'm like, oh, I should add an ampersand and a paraphrase and another 19 characters to this, but it's really the best thing we can do to protect ourselves as users is making strong, secure passwords, especially when it comes to our home Wi-Fi.

You know, even if we're utilizing our VPN, we're using our Wi-Fi to connect, so making that as strong as it can be. As well as making your network a unique identifier, as opposed to keeping it the generic. If you're in a really populated area, even considering turning off your broadcasting of your network if you live in a dense apartment building. Not even having the option for people to see that, and only you know that it exists and you can connect to it.

Now, that's gotten really cumbersome in a world of smart devices and IoT devices because it makes it harder for those things to immediately connect, but it's definitely a safety measure. But yeah, I mean in the traditional sense, Jeff, we've talked about this in the past that over the last 20 years, the two biggest things out of cybersecurity and that we've been screaming at the top of our lungs are, "Don't click on the link" and "Make a strong password."

 

For the people that are worried about remembering their passwords, because who isn't, I would strongly suggest don't put it on a sticky and stick it under your computer. But we do have these nifty iPhones with face ID and fingerprint, and they do have some pretty tremendous apps like LastPass or a ton of others, and of course again, like we said, do your due diligence. Research it before you just decide that you're going to give this one app all your passwords.

Password Safe is a tremendously strong move, and a lot of them will even make your unique passwords. It stores it right there, and then when you need it, you just jump on your phone and you have it.

Two-Factor Authentication

Jeff Harrell: I've been making a list since you've been talking. One was designated devices, using certain devices for certain activities, especially as it relates to personal versus business. Using a VPN, having strong passwords. What about, because I get asked this a lot on my devices and I usually skip it because it seems like a pain, but what about two-factor authentication?

Max Greene: Jeff, I cannot preach enough about two-factor authentic.

Jeff Harrell: I thought you were going to say that.

Max Greene: Yeah. It's honestly the bane of my existence, if I'm being candid, but I do it for everything. It's the bane of my existence because I'll have my phone in my bedroom and I want to log into my bank account in the living room and I have to then get up and go get my phone.

Jeff Harrell: Right.

Max Greene: But it really is the equivalent to, not just doing the key fob beep beep to lock your door, but also having the car alarm on. Because someone might have the key, but they don't have the way to deactivate the alarm. In a situation where maybe you didn't have a strong password or someone's cracked your password and you all of a sudden get a text message with that authentication code. Well, that's given you the knowledge that something's up.

You can go and immediately change that password. You can notify your bank or whatever account that is, and you've stopped the attack right there. It's really, it's highly recommended just really on everything, on any sensitive account. I do it for my socials. I do it for my bank accounts. I even do it for my Gmail and Amazon.

Jeff Harrell: That's great. I figured you were going to say that and I know I need to do it. It's one of the-

Max Greene: I hate it, Jeff. I hate security, it's a pain in the butt, but you got to do it.

Jeff Harrell: It's almost like flossing. I know it's really, really good for me. It's just a little bit of a pain, but I need to do it anyway.

Max Greene: Yeah. I mean, it keeps us all safe. That's the wild thing about the current landscape of cybercrime is it's really not, kind of in the same vein of COVID, right. It's not just about us, it's about everyone else. Protecting ourselves is also protecting our communities and our national infrastructure.

Jeff Harrell: That's right, and we were talking before we got on the actual recording that, and I think this is where we can land here, is that cyber criminals are looking for the path of least resistance. If we can put up some resistance, then that really helps us protect ourselves. Is that right?

Max Greene: It's absolutely right. I talk about it in my trainings all the time. You talk about all the different types of cyberthreats out there and the different "adversaries" from your typical cybercriminal to your hacker, your cyber terrorist. They're all utilizing social engineering for exactly what you just said, Jeff. It's the path of least resistance. It's so much easier to have someone give you the answer, open the door, give you the password, than to try to hack in past security or really do any work at all.

As we were talking about it before and something I find fascinating, people talk about why would they send this broken English email or why would they make it so obvious? It's actually, it's more sophisticated than we think, and the reality is that they are not just phishing, but they're phishing for the person to fall for the broken English email.

Because if they'll fall for the broken English email, then they'll probably give up their credit card number. If they'll give up their credit card number, who knows what else they'll give out? They'll probably give you remote access to their computer. It makes the target pool that much more enticing to the cybercriminal.

Jeff Harrell: Yep. That makes total sense. Everyone out there listening, put up some resistance. These have been great practical tips. Max, this has been fantastic, and I think too, more than anything for me, it's a reminder to stay diligent, not just in the month of October, but every day because there are cybercriminals out there trying to get to us. So, put up some resistance and these have been great tips to do that. If someone wanted to reach out and get in contact with you, Max, what's the best way for them to do that?

Max Greene: There's a couple different ways. max.green@Tylertech.com. I can also be reached at max@Greenridgeci.com. Always available to answer any questions. I also want to just leave the group with one last famous tip, Jeff. Just in that diligence, and in that mindfulness we want to employ always, when it comes to a URL or a link, hover over that link first. See where it's sending you and then follow our first forward slash, two dots back rule.

Because if in any web address, if you go to that, whatever the first forward slash is, and you go two dots back, that's where they're actually sending you. It doesn't matter what it says before it, or after it, that's the convention, and that right there is going to tell you, "Am I going to a safe site? Am I going to a site they're telling me I'm going to?" and it will allow people to catch things more often than not.

Jeff Harrell: First forward slash, two dots back.

Max Greene: Yep.

Jeff Harrell: I feel like we need to make a song or something to make sure remember that. First forward slash, two dots back. Well, Max, as always, this has been super great information. Again, our goal here is just to help people become diligent because we want to keep, like you said, keep not only them safe, but other people safe as well, so thank you so much for this.

Max Greene: Thank you, Jeff.

Jeff Harrell: Well, thank you, Max, for helping us understand and to remind us to stay diligent, especially as many of us again, are still working from home. A lot of us will be working from home in a more permanent situation as well, so thank you for that.

Hope you enjoyed that episode. We drop a brand new episode on the Tyler Tech Podcast every other Monday. We've got lots of great episodes planned, so please subscribe if you enjoy the podcast. Also leave us a review, we would really appreciate that. Well, this is Jeff Harrell, director of content marketing for Tyler Technology. So glad that you joined me and we'll talk to you soon.