Protecting the Digital U is a talk that I've been giving for a number of years. Although the title stays the same, the content changes as technology changes. The Digital U is a talk aimed at a broader audience. I give this talk to many businesses, and I give it at conferences to people who may not have a strong grasp of how their online persona may be attacked or how attacks may come against their systems. It's not going to dive into super technical details like some of my other YouTube videos do when it comes to technology. It's more of a broad overview to make sure people understand the threats against them, or the threats that are out there in terms of technology, the fingerprints and footprints that we leave online, and ways to mitigate some of those risks. So it comes from that perspective. If you're deeply technical, some of this may be very obvious to you. If you are just a user online with a more basic understanding of how the technology behind the scenes works, this may be very helpful to you to get a better understanding of what you're doing online and how that may affect you. Like I said, this is a broader talk rather than a specific talk about technology, but I will leave links to my slide deck here, and my slide deck also has links within it to the sources for the statistics I go over and the people who produced them. You'll see them in the bottom corner for the slides where I know where they came from. All right, so let's get started. And for anyone asking if they may use any of the slides out of this: as I stated, many of them are not mine, the statistics were pulled from the sources cited, and I have no problem with anyone who would like to copy any of the slides or use this for their own version of a presentation. I do ask that you change the title, because Protecting the Digital U has been the title I've been using for a long time. Thank you.
Protecting the Digital U, this is the October 2019 edition. First I'd like to start off with who I am. My first computer was the one you see here, a Tandy Color Computer. This is what opened the world of technology to me, and I bring it up because it gives me a different perspective than someone who didn't start with a computer like this. Back then, many people were intimidated by the little blinking cursor on the screen; it meant nothing to them, and it meant you had to start putting commands into the keyboard to make it do anything. That was exciting for me, because I knew computers were something that would do what I asked them to do. It was an interesting way that I could make something happen by typing it in. From there on, I realized that these computers are controlled by, and their software is written by, people like me and you, and you think of them from a very functional standpoint. I may refer back to this because it changed my perspective from the very beginning, versus people who have grown up with technology being ubiquitous and think of these as smarter systems than they are. I always think about the fundamentals: they're not that smart. They're not doing anything that people didn't tell them to do, program them to do, or create parameters for. That's a picture of me at the Star Trek exhibit. I wear the badge of people who ask, are you a nerd or a geek? Whatever. I don't look at those as bad terms. Yes, I have loved sci-fi; I fit all the normal tropes of a nerd or a geek: big-time sci-fi, lots of time spent in front of a computer. It's something I've always enjoyed. I love starting out here: What happens in an internet minute? This has been updated over a number of years as well, and they'll have one pretty soon for 2020.
And it's a scale and scope thing that people have a hard time thinking about when you talk about just how big the internet is in terms of transactions happening, things happening and traffic happening. The scale of it is absolutely immense. When you talk about things like YouTube, four and a half million videos viewed in 60 seconds; one million people logging into Facebook; 18 million texts sent every 60 seconds. It is wild. The Netflix hours and things like that keep shifting over the years, and if you look up Lori Lewis and Chadd Callahan (@OfficiallyChadd), who maintain this and keep it updated, they have versions going back a number of years. You can see a lot of different information related to this and how it's changed, which, like I said, is fascinating to think about. Where does it all happen? People say it's in the cloud, and of course I hear that term all the time. From a marketing standpoint, I get it, and from a general user standpoint, it makes sense to say the cloud. But for those of you wondering, this is what Google's cloud looks like. These are a couple of pictures of Google's data centers. Yes, the cloud is just someone else's computer, or computers, or several thousand computers, and these places are fascinating to me. If you've ever been in one, they may look novel and futuristic. One thing you may not know is that a lot of them are loud; you have a hard time hearing in them because of all the fans running and all the cooling in there. They're also not occupied by many people, which I mention as an interesting side note for people who have ever wondered what some of these large data centers look like.
The thing that fascinates me when you look at them from a Google overhead view is just how few parking spots there are, due to how few people it takes to operate a data center. They're pretty much operated via software: a few people managing many, many computers. All right, so who is the digital you? Digital identity: an individual's most basic identifying traits, your name or IP address. You've probably seen it in a lot of movies where they say we're tracking them by their IP address. An IP address is simply an address given to you based on where you're connecting from. I say given to you, and it also means, for example, if you're using Comcast for your internet, Comcast assigns an IP address to your household or to your business, and that does give them an idea of the location the data may be flowing from. But of course, at your home there are usually many people, therefore that IP address represents all the people there. So it's a general idea, but not super specific down to you. Digital persona: the content and social behavior shared with your personal networks, your status, reactions and updates. Now, this is getting into the social media that you use. Some people say, well, I don't really use much social media. Still, anything you do to engage or interact online, even other people tagging you in something, may create footprints for you, and there are things like Facebook that create what they refer to as shadow profiles, where they start filling in the emptiness you have left by not being online. They create the shadow profile to try to figure out how to derive information about who you are. Digital footprints: the digital imprints passively left behind from online or physical activity, cookies and location data. Websites, since this changed with GDPR, now all have those little notices that say, hey, this site's using cookies.
And some people are maybe aware of this. Cookies are not necessarily a bad thing, but they are the little footprints and trails, breadcrumbs if you will, left of where you've been and what ads you may want to see next, or at least what ads they want you to see next. Derived data: the results of combining and analyzing the end-user data, consumer profiles. Derived data becomes the accumulation of all of this. If we start with, all right, we have these cookies about this person, they looked at this website, they come from this IP address, they start building more of a profile to target you with. A lot of this has the simple purpose of selling ads. They want to have very targeted and focused ads. I don't ever assume that these are good or bad things that are happening; I like to raise awareness of them. I don't like to personify them in any way or ascribe agency to them. They are just data at that point. Now, people may use this data for bad reasons or good reasons, but there is no agency to the data itself. I always like to start there, that I'm not trying to make assessments or assumptions about it, but there is a trade we make of watching ads, and those ads allow us to, well, maybe watch this YouTube video, for example. There may be some ad that you've seen, and that ad was targeted based on some type of derived data they had, hopefully an ad you wanted to see. That's not to say this is bad; I kind of like seeing ads I'd want to see versus ads I don't want to see, because sometimes there's something on sale, and if it's something that I'm interested in, there can be something good from it. The other side of this is that building profiles in a way that is very opaque to you can be very dangerous, because they can be used to try to manipulate you. So there are both sides. There's no agency within the data itself; it all comes down to what people want to do with that data. That's the digital you. This is where things get interesting.
So identity theft has been around longer than the internet. The internet, of course, has made it easier, more anonymous and, well, more remote. People used to steal mail back in the 80s; that was a thing I used to hear about when I was a kid. The idea was you could steal the mail, impersonate someone and get a credit card in their name, wait for that credit card to get sent to them, and then not let them open it or know what happened by getting it sent to a different address, et cetera. That was very physical, much more work than it is today. Identity theft and credit card fraud are still huge problems online, but there has actually been, I'm not going to say a complete drop in the rates of it, but it's become less profitable due to so many companies being breached. More and more companies, especially large ones such as Equifax, losing all their data has actually pushed down the prices on the, let's say, black market, as they would call it, for selling these IDs and things like that. Now, a lot of these start the same way: how they get to credit card fraud, how they're stealing data from you, can be a virus, worm, spyware, malware, and it goes both ways. Sometimes they infect a website where you purchase things online; they hack that website. Or they get someone in the office to click on a virus, worm, spyware or malware and attack the office through someone who has privileges to the credit card data. They attack the point-of-sale systems that you may use at a restaurant, or even your own system, and set up something on it that watches for something to happen. If they infect your system, they have spyware watching for you to put a credit card number in. They understand the transactions, they gather up this data, and then they'll later use it for either identity theft or credit card fraud against you.
Ransomware. I left this slide in because these are the older numbers. According to the Federal Bureau of Investigation, $209 million in ransomware payments were made in the US in just the first quarter of 2016. That's what we can track; that's what we know. This is from TitanHQ, and we've seen a pretty big increase. Of course, this was in 2016; three years later, here in October of 2019, it's insane. Ransomware has become very, very popular. The concept of ransomware is that they're going to send you a file, send you something, a phishing link, and get you to click on it. When you click on it, let's say you have privileges that give you access to all the documents on the network of your business. They're going to make some determination of what they think that's worth, or maybe the ransomware isn't that smart and just throws a number out there, but they're going to have a ransom. Now, the targeted ransomware attacks we're seeing now, such as when they attack a city, which was the latest right here in 2019, are asking upwards in the millions of dollars, because they realize the cost of shutting down a city is expensive. And if the bad actors were able to shut down the backups or delete any of the backups they had, the victim almost has no choice but to pay the ransom if they'd like to have all their data back. Now, we're tracking these through Bitcoin, therefore we know some of the ransom amounts paid, but only the ones we know about. A lot of times with ransomware, especially with private businesses that don't have public city hall meetings and public city council meetings, we never know how much the business paid. We may know some business went quiet for a while, that they had some incident, as they may call it, but we don't always know how much was paid out or if it was paid in small batches.
But what they were able to track here, based on this blog post, was $40,000 daily paid out on a handful of these days. It's getting pretty ridiculous. We know this is an industry, and because there's money in it and because a lot of these companies have cybersecurity insurance, it's going to be happening more and more. A lot of people say, what about backups? Even companies that have backups sometimes make a business decision, and that business decision comes down to what it costs to restore from a solid backup system. What I mean by that is, if you have a hundred thousand files and it would take X number of hours of downtime, maybe three days, for example, to restore everything from the backups you have, versus paying the ransom now, where the bad actor has decided to only charge $5,000, you're going, well, it's going to cost me three days of downtime. My losses as a business will exceed $5,000, and it may cost me more money if we have outside IT. These are calculations that are done all the time, but there's more to it. There's also the compliance factor. Once someone has gained access to your system, I've seen companies in the medical industry, which are under, for example, the HIPAA rules they're supposed to be following, make the statement, well, no data was stolen, it was only ransomware. Honestly, the thing you have to think about is that if someone was able to encrypt the files, even though it may not be them doing it by hand, they're using a software tool, that means they had access on the inside of the network. Therefore, you have been breached, and reporting must be done if you want to be in compliance with the law. I just like to throw that out there for people who try to say, well, they only encrypted, they didn't actually steal data. And it may be true.
They are not necessarily exfiltrating data off of the system and removing it from your network, because, back to the slide where I had everyone talking about being breached, it's just not as profitable as it used to be to sell that data. So they're frequently just encrypting it, because this is where the real money is: holding your data hostage until you pay. 96% payment success rate. That's an interesting number. This is: when you pay, do they actually give you the files back? 96% of the time, according to the surveys, which is pretty impressive. The ransomware people treat you like a customer, and they really want to have good customer service because they want their money. So they usually give you a few samples of things that they decrypt, but not all of it, to say, hey, here are some sample documents, we can prove that we are able to reverse this. And it's very, very good encryption that many of the modern ransomware systems use. In the earlier, amateur days, keys leaked online, and there are still companies, or I refer to them as companies, I shouldn't, but they are, they're bad actors in working groups, like I guess you can think of as a business, that maybe don't use the best encryption. So sometimes you're lucky and some of these can be reversed. But it's a crapshoot. If they're using some of the better-written ransomware, it's not easy, or maybe not even possible, to reverse the encryption. You're either forced to restore from backups or pay it, and hope it was one of the more reputable ransomware people. I guess they have reputations for actually decrypting it for you. It's scary. I would always recommend not paying. But then again, like I said, it can be a business decision where the losses matter more than not paying bad people. 93% versus 7% loss. This is the amount of data you get back.
Once again, high recovery rates of data, but you're talking about systems running amok on your systems. They may encrypt something in a way that can't be decrypted because of the software they're using or however it was set up. So there are mistakes made. These are systems that try to work fast when they get in there. They don't slowly, methodically, carefully encrypt and do testing; they do their testing in their lab. They deploy it to you when you click on a link, or whoever clicks on a link in your office, or however they got the ransomware in there, however the compromise happened. And it's just a fact that about 7% of the data ended up being lost. There were some long threads where people said they went through this and the ransomware people actually apologized: sorry, we couldn't decrypt those last couple of files. I thought that was weird, that they apologized for it. But they do treat you like a customer, and they're hoping to actually get your business again. Think about that for a second. Now, why is it so popular and why is it becoming such a thing? Well, a couple of smart people, smart but still bad actors with very bad intentions, said, let's do this at scale. There is a large group of people who may want to make money and profit from this but do not have the technical skills to actually write the software. Writing the software is more complicated than deploying it. Getting you to click on a link might be easier, or finding compromised credentials that an individual has, but they may not have the skills to build ransomware. That's where ransomware as a service comes in. This is like so many other service models seen online, software as a service, et cetera, where you can resell a product, and there's a group of ransomware developers, and there are forums for this, unfortunately. And yes, I know someone's saying, why don't they shut them down and find them?
That is a whole different topic, and they're much more difficult to find than you may think. They frequently live in non-extradition areas, especially over in the former Soviet area; that's where many of them reside, therefore they're very difficult to get to. A lot of these have focused on attacking Americans, so their own country doesn't have much of an interest in stopping them, because it brings income into their own country; there's not a big interest in stopping this flow of income that comes from ransomware. So these developers have created ransomware as a service, where they have affiliates, partners, who target the victims, and the developers just want a percentage of it. It's definitely an interesting black market that is following standard business practices of how do you grow and expand. A lot of their attacks have gone against IT providers lately, because they know the scale is even bigger. If you attack someone who is the IT provider for a larger group, and this is what happened, for example, in Texas and then again with the 400 dental offices, I have videos on my channel related to both of those, what happened was they attacked the IT provider, and that allowed them to scale up. Attacking one IT provider landed them 22 cities in Texas. Attacking one IT provider for dental offices landed them 400 dental offices. So it's a scaling thing. Someone had the opportunity to do it, and these people have now made tools to facilitate the ransom and create these payments faster, so they can get to their victims faster and scale up. This is probably one of the largest threats we've seen in 2019, with no slowing down here in 2020 coming up. Now, a lot of these are a combination of phishing and spear phishing. Whether they're attacking the IT provider or attacking you as the individual, this is frequently how a lot of it starts: social engineering, and that comes in the form of sending you an email that seems pretty plausible.
So let's talk about that. This is a general phishing link that you might see: someone has used your password to sign in to your Google account, and you'll see these types of notices, change your password. If you look down here at the bottom, you'll notice that right here it's myaccount.google.com.securitypage.tk, not really the right place. If you get a notice in your email, whether you're using Google or any other email provider, go to, for example in the case of Google, google.com. Don't click the link in the email, ever. You can change your password at google.com, at the top in the corner, and that will go through the password change via the proper Google method. Unless you yourself prompted for a password reset, you emailed a customer or you went through the password reset yourself and got an expected email from them, think carefully before clicking on one of those links. You have to be very careful when you're clicking on these. These are broadly sent out, and this is frequently how a lot of these passwords get used and changed and they get into your account. Here's one for Microsoft Outlook, and once again we're going to see the same thing. It says Microsoft.outlook.com, with "MS Outlook 94" as the display name, but of course not everyone stops to look at the actual address. The email address in there is service.outlook.com... wait a minute, out1ook.com. Real easy to miss, and if you don't expand this in the normal little 10-point font that it is at the top of your screen, you may not notice. Of course, lookalike domains are a popular way for social engineers to get you to click on a link. And once again it's MSoutlook.service.outlook.com, and of course when we look closer it doesn't look much like a one, but you can see how this can quickly become confusing. And once again it's a similar password-expired link. They're creating a sense of urgency. Suspicious keywords: for your account security, your current password will cease to work shortly.
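The two tricks described above, a trusted brand name parked as a subdomain of a throwaway domain (myaccount.google.com.securitypage.tk) and a digit-for-letter lookalike (out1ook.com), can both be caught mechanically. The following checker is an added example for this write-up, not code from the talk or from any mail provider; the trusted-domain allowlist, the homoglyph table, the urgency phrases and the three sample messages are all constructed for the demo, and the "registrable domain" helper deliberately ignores multi-label public suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Domains the reader legitimately logs in to. Assumption for the demo: a small
# allowlist; a real mail filter would carry a much longer one.
TRUSTED_DOMAINS = {"google.com", "outlook.com", "live.com", "netflix.com"}

# Substitutions used to build lookalike domains (out1ook.com -> outlook.com).
HOMOGLYPHS = {"1": "l", "0": "o", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Urgency phrases of the kind the talk calls out.
URGENCY_PHRASES = [
    "cease to work", "password expired", "update your payment details",
    "change your password", "verify your account", "within 24 hours",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'securitypage.tk'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Undo the common digit-for-letter swaps so lookalikes can be compared."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def check_url(url):
    """Return a list of findings; an empty list means the link is on a trusted domain."""
    findings = []
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings
    # 1. Lookalike registered domain: out1ook.com reads as outlook.com.
    if normalize(reg) in TRUSTED_DOMAINS:
        findings.append(f"lookalike domain: {reg} resembles {normalize(reg)}")
    # 2. A trusted name parked left of the real registered domain:
    #    myaccount.google.com.securitypage.tk is owned by securitypage.tk.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host:
            findings.append(f"{trusted} appears as a subdomain of {reg}")
    if not findings:
        findings.append(f"link goes to {reg}, not a trusted domain")
    return findings


def check_message(body):
    """Score one email body: suspicious links plus urgency language."""
    urls = URL_RE.findall(body)
    url_findings = {u: check_url(u) for u in urls}
    urgency = [p for p in URGENCY_PHRASES if p in body.lower()]
    bad_links = [u for u, f in url_findings.items() if f]
    return {
        "bad_links": bad_links,
        "findings": url_findings,
        "urgency": urgency,
        # Verdict: any bad link is enough; urgency alone only raises attention.
        "verdict": "phishing" if bad_links else ("urgent-but-clean" if urgency else "clean"),
    }


# Constructed sample messages modelled on the two phishes described in the talk
# plus one legitimate notice. These are not real emails.
SAMPLES = {
    "google_phish": "Someone has used your password to sign in to your Google account. "
                    "Change your password: http://myaccount.google.com.securitypage.tk/reset",
    "outlook_phish": "For your account security your current password will cease to work "
                     "shortly. Sign in at https://msoutlook.service.out1ook.com/login",
    "legit": "You recently changed your password. Review recent activity at "
             "https://myaccount.google.com/security",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_message(body)["verdict"])
```

The order of the checks matters: the registered domain is compared first, because that is the only part of a hostname the sender actually had to own, and everything to its left is free for them to write. Urgency wording is reported separately rather than used as the verdict, since legitimate notices also use it.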
That means do this now, don't wait, hurry up. So these are the type of broad email attacks we see, phishing attacks. And of course Netflix: your Netflix, please update your payment details. You don't want to stop whatever show you're watching, so this comes in and you think, I want to keep my Netflix going, let's update my account and log in. These are all broad phishing attacks. Spear phishing is the much more specific, targeted attack. It starts with some social engineering: they can look you up on LinkedIn, maybe your Instagram, Facebook. I left Google Plus in here, but yeah, Google Plus is now defunct, though there's probably some data still floating around from things you had posted, inadvertently or purposefully. They can start learning who you are, what you do and what might be interesting to you. Maybe you complained about coworkers on Facebook, and someone would like to send you an email about, hey, check out this picture of so-and-so that I'm sending you. Honestly, you can start building profiles on people online and start social engineering them, and these do include phone calls. We have seen attacks like this where the attackers were speaking perfectly good English; whoever they hired, or however they've done it if they weren't in the States, they clearly have someone who can speak articulately and talk you into things or into giving up information. We've even seen where companies have good, solid policies for company email, where it's very filtered and very well protected to stop these bad links from coming through, so what the attackers do is call and say, oh, did you get my email? Let's use a city as an example: they look through the city meeting notes, they find some information, they say, hey, I'm on the planning committee for that thing that just got approved, the new building going in, could you open my attachment? How do they find this out? Well, like I said, they read city council meeting notes, they know there's a new project. You say, no, I didn't get it, and they know
you can't get it, because, oh crap, the system filtered it, so they're like, hey, can you just do me a favor and open it on your personal Gmail? Can you log in to your personal Gmail, or maybe a Yahoo account, and open it so we can really get this approved? I know the city is excited for it, etc. So they'll sit there back and forth on the phone and get the person to open it in their personal email and then infect the computer. This is one of the reasons why it's important for businesses to not allow opening personal email; they put a lot of effort into filtering the company email, and having your end users open personal email can open up a big threat. Never think that these threat actors, when they want to target you, are not doing something along those lines; they have actually taken the time to call. We've seen it. We've seen them register domains very similar to businesses. We work a lot in the transportation market, and we've had transportation companies where they transposed two letters in "transportation", registered that similar domain name, and then pretended to be the CEO of that company and sent emails back and forth with people who thought they were talking to people at the company. They had set up an elaborate scheme to get them to switch payroll companies. So this is a real problem. Spear phishing is very, very real, and don't think your company is immune to it, because many small businesses are the biggest target for this lately. Larger companies developed processes and procedures because of these attacks when they were popular against them, leaving the smaller 20-person office frequently getting targeted for things like this, because they're used to doing things the way they do them: oh yeah, so-and-so sends an email all the time related to changes, I'm used to processing orders this way, that's fine. And once again, this is something you really have to be thinking about as a small business. Passwords now. Back to the
especially the broader phishing campaigns: one of the things you're probably thinking is, why would they even try to hack your Netflix account? That's low risk, it's just Netflix, right? With Netflix, whatever, they know my watch history, they might be able to watch it for free, it would be annoying, and I could just change my password. The problem we run into more than anything else with these is that people reuse their passwords constantly. This is a major problem, and the only solution really comes down to password management and a password manager. Now there are several out there; you can use one of your choosing. There's Bitwarden, there's 1Password, I think Passportal, there are a lot of companies out there. LastPass has been doing it for a very long time. I've been using their product for a while. They get poked at a lot, being one of the biggest password managers out there with a very, very large customer base, and even though they were purchased by another company several years ago, I've been impressed with the fact that they've maintained their vigilance towards making sure any flaws that come up get fixed, and it remains a really solid product. But use the one of your choice; password managers are really good and they're so inexpensive. You can use the free version, which works really well, and upgrading to premium is like three bucks a month. It's such a small amount of money to pay, and if you're a business and want to share a lot more passwords or manage it from a client, they have business plans as well. So start out free; you can try it for free, and their free version just has a few sharing options missing from it. For personal use or a single user, it's awesome for free, definitely worth signing up. Now what does it look like? This is what it actually looks like. We have this whole list of passwords that I have, and we'll go down to how many I actually have: 759 unique
accounts. I started looking in there and I think I might have a couple more, because this screenshot is a little older, but there are a lot of places I log into because I have a lot of accounts in different places. Using the same password in all these places would mean that if any one of them got compromised, and I see Netflix right in the center there, if Netflix were to get compromised and I used the same password everywhere else, obviously this creates a big problem, because almost universally everyone's email address becomes their username. This is how most sites log you in, therefore that combination is going to work in a lot of other places if you didn't use unique passwords. How it manages it: LastPass generates a unique password for every site and then manages it. As the namesake says, LastPass is the last password you need to know, and this is the same principle many of the other password managers work on. You create one really complex passphrase, and I would say passphrase over password, something like "Tom likes going to Hawaii", and now you've created something longer, maybe put some numbers in there and a couple of exclamation points, something that you can remember. Once you unlock with that password, it then unlocks all these complicated, unique passwords that are much harder to remember, like O-H-J-I-A-U-W-Q-C-R-U-5-6-K, or hit generate again and it's a completely different random password. Now if anyone were to compromise a site that used one of these passwords, they would have one high-entropy, very unique password, which is awesome, that isn't used anywhere else, which is also amazing. Frequently the breaches that we've had to clean up come from password reuse. What does it look like functionally? Well, when you go into the vault, this is showing my Google account here: my username, of course my email address, and then my password. I can show the password, but I'm not going to here, and it shows a password history of when I changed my password and
things like that. So you can go here and see the history of password changes; I could view old passwords if that was ever necessary, but I don't actually know what these passwords are. They're also going to be very long and unique, because I don't need to remember them; LastPass takes care of that for me. You can share passwords. This is a great tool from a friend standpoint or from a family standpoint. When I want to share a Netflix account, I don't have to try to get that complicated password written down somewhere and then have the problem of trying to tell it to my son. I can share my Netflix account by having him sign up for LastPass, and then I can just share it, and it lets me know who accepted the share. What happens if I change my Netflix password? It can change the shared password as well without having to bug them about it. This is also great for businesses. If you use a password management system like this, you know all the passwords you shared with an employee, so, one, if you're starting up a new employee, you can share passwords to them easily for accounts that you may share, and you can also unwind an employee: what does that employee have access to, what websites did I share? We may know the local things we set up for employees, but maybe there was some shared website where they ordered paper or did some type of simple task that didn't have its own username and password, or it was a shared company account. You can easily see what was shared with them, unshare it, then change the password, and you have good documentation for that. You have teams that you can group together, and you can even hide the password, whether or not you want them to see it, whether or not they can change it, etc. So it's got some granular options for when you share passwords with people. You can use it for form filling. So here's my office 2017, here's personal office. I actually have updated these with new credit cards
because my credit card has been stolen probably four times since this you notice that there was a credit card breach and of course I think it was Home Depot had a breach and then of course I used my credit card at Wendy's and Wendy's had a breach so there's so many places so keeping the credit card numbers memorized is hard letting this fill in sites until they get compromised yes you can put all your credit card information and personal information in there and it's nice because it'll do all the form fills for you and even bank account to factor authentication which is important because obviously if someone gets your master password unlike last pass they could go a step further and start thinking Tom they have keys to the kingdom they actually need two pieces of things they would need my Google Authenticare and we'll talk about that next what two factor authentication is so they actually need two factors getting this and the other question that comes up all the time is what about last pass would they be able to see my passwords and this is where last pass is a very interesting product they figured out that they don't want your passwords and they use a very complex encryption algorithm where they never decrypt the passwords they store only the encrypted back end of the passwords I'm not going to get into the absolute technical details but it's been well audited and well vetted they've gone through several audits by third party companies to make sure that they're doing it properly but by only ever decrypting it in your browser they don't have it and what they learned early on when setting it up the person who found the last pass was if they had the passwords they could be compelled by governments they could be attacked by bad actors and holding on to people's passwords is a very dangerous thing so by only hanging on to the encrypted what we refer to as the encrypted blob on the back end they mitigate that risk they cannot be compelled by government to give up your 
passwords, they cannot be attacked and compromised and give up passwords; they don't have them. By not having them, this is also why it's so critical that when you set up LastPass you make sure you don't forget the password, because there's not a reset option. They don't know your master password, because knowing it would give them access to your passwords. So if you need your password reset you have to reset your account, like delete it all, and you lose everything in there. So there is a danger to this; of course there's a convenience trade-off. People do forget passwords. Don't forget your LastPass password, and make sure that there's a process by which you can recover at least your second factor, because you need two things to get into my account: you need my master password, which is really long, and then you would also need my Google Authenticator account. So what if I don't have my Google Authenticator because it's on my phone and my phone gets destroyed? There's a recovery method for it, so you have to be careful when you're setting it up, because I can potentially lose all 759 passwords that I showed in there. So something to think about. There's a good and bad: the good is you're not reusing passwords, it makes your life a lot more convenient, and hopefully you're not saving them in browsers; but the bad is, yeah, if I lose these things or if I forget my own master password, which I do not have written down, a good bonk to the head could cost me all of my passwords as well.

What does it look like functionally when you sign into a website? We see these little dot-dot-dots; that dot-dot-dot means I have a login ready. So there's my login right here, so you can sign in right here and go, "okay, cool, here's how we sign in": we click it and it'll fill in the password for me. I don't know what those passwords are. What about social media? Yeah, works fine. I actually have more than one Facebook account. Back in the day you had to have your... well, you didn't really have the business pages, but I
still have the login from when I created one back forever ago with PC Pickup versus my other Facebook one, and you can label them as such. Because I have three different logins that I was using, there's "dot-dot 3" and it has each one of them, and each one of them has a completely unique password; as a matter of fact, they don't have the same username either, of course. So different username and password combinations can be saved for a single site, so you can sign in and out of a site for different things.

Two-factor authentication. This is critical. Like I said, it's supported in LastPass; it's pretty much supported universally at all the major websites you go to: Google, Facebook, Amazon, Microsoft Office 365 and many of your business applications. So pick any two: something you know, something you have, something you are. What you want to make sure is that you have different methodologies by which we can verify who you are. So that methodology is perhaps a rolling number in certain authentication methods, and a rolling number is referred to as TOTP authentication, where every 60 seconds, or is it 30 seconds? Yeah, 30 seconds, the number changes. That number means something; the number on my phone changes and you have to know what those numbers are at that moment. So when I log in I'm prompted for that number on my phone. It's a dedicated number, and I give that number and it lets me log in. So I had the username, I had the password; so what if someone breaches that site? They have the username, they have the password, but they don't have that rolling number, therefore they don't have access to it. Biometrics are another option. Biometrics are something you are, where you have username and password combined with a biometric like a fingerprint. Now, same thing: someone gets the username and password, as long as they don't have your fingers, you're good.

Duo is a pretty neat company, and there are other companies that have copied them. I'm just bringing them up because we've used them many times for many of our clients. Duo is a dual-
factor authentication system that prompts your phone. So when you log in to certain things, and we've set this up for people's computer logins, someone logs into the workstation and your phone turns up a green or red button. Pretty simple: green means continue logging in, red means stop. And I've reminded people, especially when I'm doing this talk at a conference: you're sitting here and you're watching my conference talk and you're not at work, but you're prompted to log into your workstation unexpectedly; don't press the green button. You now know two things if that green button comes up and you're not at your workstation and you're not the one logging in: that someone has your password, that you should change your password, and the red X stops them from getting in. We have had this where people use common passwords or weak passwords and the guessing systems out there... you haven't got to the point of compromise; you've stopped them from getting in by hopefully hitting the red X. I've had people call us wondering if they should hit it, and we go, "no, no, no, stop everything you're doing, don't hit it at all." At least they took the time to call us, or call for help, on that. But yeah, this is an indicator that you may have been compromised; well, not an indicator that you may have, pretty much a notice that you've been compromised, is probably a better way to describe it.

So how do you do this in Google? Google offers this two-step verification. If you go to Google, go to the top corner and click on Security, there's an easy way to turn it on, and of course they support a few different ways, including, and I brought up physical security like a fingerprint, but they also support these things called YubiKeys. YubiKeys are a physical device that has to be plugged into your computer, like a little USB device that will plug in and allow someone to authenticate. So you log in to Google, you plug in a YubiKey, and it now lets you be secure. Microsoft of course supports this as well; they have an application called
Microsoft Authenticator. So you can log in to your Office 365 and it's going to ask you for these numbers here, I think that's how it still goes; you get these and you set the numbers up. They also have another prompt one that you can do, but you get the idea; Microsoft does support this. Facebook supports it. You don't think about how critical your social media might be; maybe you just use it to post silly things and cat pictures, but it may be somewhat important to you that people don't assume your identity. So have two-factor turned on for anything that's supported: Twitter, Facebook, etc. It is supported, unfortunately to this day here in 2019 Facebook still doesn't use a normal authenticator, I'm sorry, Twitter doesn't. Twitter wants to send you a text message. To me that's better than nothing, but still not great, and this has caused many compromises, where people in targeted attacks will clone your cell phone: they'll contact the cell phone companies and get them to switch who or where your text messages go to by cloning a phone, and therefore be able to have access to you via an SMS message. This is dangerous, but it's better than nothing, so I still recommend turning it on even though it's not the best methodology.

Let's talk about how the digital you deals with social media. This is something really crazy to think about: 1.59 billion people on average log in to Facebook daily and are considered daily active users, the Facebook DAU stat as of June of 2019. This represents an 8% increase year over year. And Facebook employs just under 40,000 people as of June of 2019; I'll say 40,000, now I think it was like 39,800-something on the stat that came from zephoria.com, but yeah, I'm sure they're over 40,000 right now. It's amazing to think that 40,000 people, that are generally pretty young, are in some way influential to 1.59 billion people. This is a stat that I really... it's one of those scalability-of-the-internet things, especially when you think about the US population only
being... not 100% of the US population is on Facebook, but the US population only being somewhere a little over 300 million, 320 I believe at the last census. So there is an incredible number of people. This is kind of like a real-time experiment on humanity. Facebook did connect humanity; it was one of their goals: they wanted to put a bunch of people online and have them easily interact with each other. We don't know what this means; we're all learning it in real time as part of this game. We don't have two planets with two similar populations where we A/B tested this, so we could go "here's what happens when you don't connect people, here's what happens when you do." We have connected people, now what? And that's kind of what we're seeing. It's a very fascinating statistic when people think about this.

An old tweet from the satire account GS Elevator: "If you really want to get to know someone on a first date, just ask them about their first pet, favorite teacher, and then read all their emails." This is the problem with a lot of social media, back to that comment I had about two-factor authentication. Forever ago, back in the earlier days, I remember signing up when I bought my first house, long before the days where we were doing everything online; you know, they wanted different factors of authentication, they wanted to know some personal thing about me: what was your favorite teacher? These were things that the power company asked me so that way they could verify who I was; you would call them and you would set up these second factors. Well, in the transition to social media and Facebook, people started just posting everything on there: 68% of people with public social media profiles shared their birthday information, 63% shared their high school name, 18% shared their phone number, 12% shared their pet's name. And this was popularized when people, and even celebrities, have been hacked because we know a lot about them. These same questions that are asked of things like their power bill or their social media, their
emails, the password reset to your email when you set it up, especially in the early days; I'll use Yahoo Mail, which was really popular a while ago; and this led to politicians and celebrities getting many of their accounts attacked because that information is publicly available. But this also leads to individuals being attacked for those same reasons: this information was easily available to them. You were able to do some open-source intelligence and look on someone's Facebook profile and have the questions I need answered very quickly to get into their entire email system, wherever we wanted to go as a bad actor.

The other thing to think about with social media: job hunting. This was from CareerBuilder, and this is an excellent post; I really like this. It's the only slide I have that has a lot of words on it, because there's a lot to read here, but it's very interesting. So, job hunting: 54% of companies did not hire a candidate for one or more of these reasons, and this is that persona you're projecting online. This is where I'll reference back to me thinking about computers from that early TRS, old Tandy computer: I am always thinking about the narrative, and that these systems, if I put it online and make it public, I'm controlling the narrative and how people perceive me. As someone who's been online for a long time, since the earliest days of dial-up, I'm always thinking about the narrative and shape I create of, you know, my aspects, my digital footprint I leave online, and what you think about me based on what I post online. So anything linked to me politically online, I think about all of these things, and I always have; a lot of people do not, they just think of it as any other social outlet. So the conversation we have between two friends that we may think is private may not be so private, and can be easily exposed based on this.

So these are some of the reasons people didn't get hired. Candidate posted provocative or inappropriate photographs, videos or
information. Think about what you're sharing online when you do that; maybe that selfie at the bar wasn't a great idea while you were doing something, maybe that was unflattering. Candidate posted information about them drinking or using drugs. Job hunters, think about this: do they want to hire someone who's, you know, broadcasting out there, "hashtag 420, wasted," and jumping up and down about it? It's a persona; whether or not you do those things, and whether or not you do those things and brag about them, can be perception-changing to people. Candidate had discriminatory comments related to race, gender, religion. People love ranting online and sharing their opinions online. It's been a reason people don't get hired; they go, "is this person a good fit for our office while they really hate other people of different races and genders and rant and bleed on about it?" Or they have strong opinions that they want to voice about religion. You're putting a persona out there, and you're posting it out there, and that may not be a fit for the place you're working, or that you're planning on, well, not getting hired at, it sounds like. Candidate bad-mouthed their previous company and fellow employees. Yes, it's public, and many times this is something, an oversight, about work. Think about that. This information, whether or not you've had it private... we all have vented about work; many people, though, in social media, vented about it online. It can affect your career. Maybe you forgot you friended a co-worker, so then they screenshot and share it. This can create a real problem; you shouldn't be doing it. Think more consciously about it, especially when you're building an online persona. Candidate lied about qualifications. Yeah, that happens; it happens in my industry a lot. It's about lying online, um, and, you know, putting a bunch of information out there. Once again, if you post about things and you were called out on the floor that it wasn't your resume or that it just wasn't true; social media is part of what they scan when you're
doing a job search here in 2019, and of course it's only going to be more important in the future. Candidate had poor communication skills. Yes, this is, um, how you write online, and people are going to develop a perception there of how you communicate with people, and not just this is going to play into it. Candidate was linked to criminal behavior. Don't brag about criminal behavior; don't do criminal behavior to begin with, but then bragging about it online... although it is amusing to see criminals who do this, and people who make those poor choices and brag about bad things they do, um, obviously it's going to affect your career a lot. Candidate shared confidential information from previous employers. This is especially true in the medical industry, where I've seen people post things they really shouldn't about patients that you're dealing with, and ranting, especially if they get into anything specific you're talking about. It's not hard for co-workers or people to infer, especially if they know where you work, what you're meaning, even if you didn't specifically name names. So you may have not violated a specific law, but you now have, in general, done things like that, and it's obviously something to be concerned about. I'm actually happy that many hospitals, I've noticed, have now added signs in elevators: please do not... As a medical practitioner you are going to discuss things with your colleagues, a client you work on, but if I'm standing in the elevator too, I've now become privy to a conversation that maybe I shouldn't. Of course this can extend further in forums where people discuss this online, and if those public forums are in social media this may not go well. If you violate laws especially, you could be in legal trouble, not just trouble for getting hired. Candidate lied about an absence. That's a frequent look; yeah, that's not going to go well. And candidate posts too frequently. Some people need to chill out on social media. People look at it and they go, "it seems like during your other
job you post like 12 times a day during normal business hours, when you should be working." So candidates that do that will be looked at, and they go, "well, you seem to have plenty of time at your old job to post; maybe you'll be posting here." So this creates some problems.

Facebook: "You're in charge of working together." Now, Facebook is, well, if you agreed to the terms and conditions... I don't believe anything they say about that. And I bring this up because some people will nod their heads during that part where I talk about candidates and go, "but I set the privacy button, I set the privacy thing." Yeah, if they find a way to monetize it... I'm not ascribing agency to the data but to this guy, who is always looking for, you know, new and interesting ways to monetize things and sell data. You don't pay for it, therefore someone pays for it with ads, and ways to monetize the data have made Mark Zuckerberg very wealthy, but also sometimes unscrupulous things happen. Part of the challenge with Facebook is, you have (and I'm not making excuses for them) a large group of people able to influence a large piece of society with algorithms, and they're all very young. They don't have... this is not some gray-haired guy here; this is someone who, you know, grew up doing this, has been doing it for a while... to understand the ramifications or have a lot of wisdom in this. Not to mention it's also one of those things: 1.59 billion people. We've never done anything, we've never connected this many people at once, so it's like a big science experiment that they're playing games with, and, you know, we don't know what's going to happen next. Well, we do know that, although they have this whole button about being public, we learned that many companies had access to some of this data.

Now, unfortunately, I can't do a live demo of this site, because StalkScan was very recently blocked. Facebook used to allow this: you enter the profile link of the person you want to check, you could choose some options here, and a lot of options, and
what this is getting at is you could say things like "show me events Tom checked into," "show me hotels Tom checked into," "show me Tom's classmates," and it would then allow, through... this actually wasn't done on Facebook; this was referred to as their Facebook Graph Search for a while. This was public-facing, and I've heard of people using StalkScan to very quickly pull and collate that data together. Now, just because they blocked access to StalkScan recently doesn't mean there won't be some other way for this data to get pulled back out, or that other companies besides StalkScan, which was set up completely just to prove the point that there's so much data about you, it wasn't even a paid service, it was someone's project to just show how much data could quickly be correlated about you just off of Facebook and check-ins and filtered in a search engine... it still doesn't... to find something you had done previously, you could go to StalkScan and try to find something specific that you posted on a certain date and it could pull it up, which I always thought was really wild, that they were able to index it that way. Well, they were, and it may come back again, so just as of right now I know it's blocked; that could change.

My rule for social media: if you don't want it online, don't post it to social media sites. If you don't want your parents to see it, don't post it. If you don't want your employer or potential employer to see it, don't post it. If you don't want some AI or machine learning system to see it, don't put it online. The rules are really simple. I think about this all the time; I think about this even before I take the picture of something. I think, is this something I'm going to post, is this something personal, or do I want to post this? What is the persona that I'm... what is the perception, I should say, that people... It's a hard thing to think about, but constantly thinking about it and being visual about it will help protect yourself online. And once again, hopefully in the future I won't have as many... you
don't want to have regrets. It's hard, it's really hard; I'm not saying that's going to be possible, but don't post it. You know, if you're not sure, by the way, don't post it. That's always... that's one of my other things: if I'm not sure, if this is questionable, I try not to post it.

What if you didn't post it? This is one thing that so far, knock on wood, they have stayed true to: timeline tagging. You can say who can post to your timeline: only me. What this is is because, on a daily basis, people think I need to be tagged in every silly thing they come up with, and maybe things I don't want to be tagged in. So I will at least try, as long as Facebook keeps allowing this; you can turn this to "only me" so only I can do the tagging. This works really well, because "only me" means I don't get tagged in that photo and then they can't post to my wall like they did before. So hopefully Facebook stays true to this, but obviously this is a challenge where someone decides to tag you in a photo; that's going to happen sometimes, but at least this is some mitigation for it as of right now.

Protecting your devices. So we talked about having your phone be involved as a second factor of authentication; therefore this is a target. In some cases, I have a Tesla, and my phone happens to be the key to my car, so keeping this thing locked down and secure is an important aspect. Pretty much everyone either has an Android or Apple device; this makes up the majority of the market. Protecting your device with a pattern: this is your first bad idea. We know it's convenient. Now, granted, what's on your phone? Think about that first. Some people say, "well, there's nothing on my phone." It still might be pretty important to you. All the time, I recommend a six-digit or more PIN versus the patterns on here. That's one of those things to think about: if you have security on this device, a lot of times you can just tilt the phone, look at the fingerprint smudges and make some assumptions about what it was, especially, you know, when someone just
goes like this. It's just a matter of figuring out what button they started at. If you try, and you're in one of the patterns in one of the corners, just one of the corners in general, bottom, top right or whatever: most users use only five nodes, and a significant amount only use four. There's a whole write-up here over on Android Authority that talks about all the predictability of the lock patterns, and over 10% of the lock patterns were made in the shape of a letter, often representing the initial of the person or a loved one. So, yeah, if for some reason...

What about fingerprints? That's something you are. A couple of things about fingerprints. The early models, granted, I know this attack, someone's probably, you know, raised a fist going "this isn't possible anymore," and you would be correct. The gummy bear attack was the fact that we found out that, yes, they're using not just pictures of your fingerprint, but they're using texture. Well, gummy bears have texture, and if you press hard enough on a gummy bear and then press it against the devices, the early ones, they called it the gummy bear attack, and this was used to defeat a lot of different fingerprint devices. And fingerprints are authentication, except for the fact that you could easily be compelled. There have been case rulings where, because fingerprints are something you are, not something you know, the government, or even at a stop, can ask you to put your fingers on the phone, because it's something you are, to unlock your phone. So just think about that from a threat model. And of course those scary movies where the bad guy removes people's fingers to make the phones unlockable; yeah, kind of scary, but those are definitely thoughts about using fingerprints on there. But aren't they more advanced, and wouldn't it be very difficult, and they check things? Absolutely. This is the new Galaxy S10, and this person was able to fool the S10. Granted, this was more advanced: they took a picture of a fingerprint (a picture, by the way), printed a fingerprint using a
special type of 3D printer, and yeah, it's kind of interesting, the process they went through. So these attacks only get better, and once again, biometrics is something you are, so once you've decided to use biometrics, someone can always figure out a way to eventually emulate that, because you can't change, not easily I should say, you can't change your fingerprints. I had a teacher that burned his fingers, so he ended up with new fingerprints, technically; a science teacher, it was a cool story. What about facial recognition? This is pretty cool, that they're getting better, because once again they're not just using a picture; they're using depth to try to create an image of your face, and these keep getting higher and higher resolution. But back to it: it's just another form of biometrics, and something you are. And granted, these are a little bit trickier to do, where people found out by creating these masks, and manipulating the masks in certain ways, they were able to defeat Face ID, and there are twin mask attacks out there. So if someone were to maybe try to get you to unlock the phone or whatever with it, and you tried to fight it, they could find a photo of you and create a depth perception. So there are ways at it; back again, it's a biometric system.

Now one of the things that comes to us regularly at our store is, "I lost all the photos on my phone because the phone got smashed, I dropped it in the water," or whatever. Our phones take amazing photos. They have really, over the years... as someone who has a background in loving digital photography, it's amazing the photos we can take with our phones now. It's really... so that's decimated the standalone camera market, because the best camera you have is the one closest to hand, and, well, our phones are in our pocket all the time, so when opportunity strikes we take a picture of it. How do we back it up? Google Photos is an amazing way to back this up, but I will first, for those of you that are upset that I even bring this up, of Google slurping up my data: once
again, this is free. When we see the word "free," you're probably the product; we know that. So yes, Google gets to have some data, which I know, so any photos taken with my phone are, even before I take the photo and before I even get into posting online, ones I don't mind that Google has. I want you to think about that. I mean, people say, "you recommend Google Photos, and personal photos I have are now uploaded to Google," and I get what they're saying, but yes, that's a concern. So if you're going to take intimate or personal photos that you would never want online, then don't put them in Google Photos. Google Photos is an amazing free backup service that will allow you to quickly index all your photos, automatically back them up from your phone as you take them. You can set this based on your data plan to say only back up over Wi-Fi, and it gives you indexing for photos, and I mean really amazing: find your photos faster; "dog," "wedding," and "sunset," you put these in and it finds those things. And I'll give you examples here: when I put in "sunrise" it immediately finds a bunch of photos I took of sunrises, so I was really impressed, including video, by the way; it indexes video now as well, so any videos I take on my phone, things like that. But this comes back to that being conscious of what I do on my phone. I'm always thinking about what pictures I take with my phone, knowing Google's getting access to that data. It's one of those awareness things; I'm not ascribing agency to Google as to, you know, what they're going to do with it, and for the most part, if you're taking some random photos, I don't mind. I took a trip to New York, and if I type in "Marcus Lawrence," my son, "New York," here we go: there is Marcus eating pizza. There's actually more if you scroll down, lots of my son in New York; to him it was a place with a lot of pizza, his favorite food. So it's kind of neat that you can type in the place and anyone's name I took. Once again, these are personal photos I have; I do have them backed up locally on my computer, the ones I want, but it is
convenient, the fact that Google will back them up on there. Like I said, awareness is important, and this is compatible with both Android and iPhone, by the way, so it's a great way to back up your photos. It's better to have them in Google, in my opinion, than lose them altogether, because a lot of people just take a lot of photos, you know, kids, whatever. Is sharing them with Google in exchange for getting that free access to them worth it versus not having them backed up at all? I'll let you weigh that option.

"Your computer ran into a problem that it couldn't handle and now needs to restart. You can search for this error online." It's something very serious, and a restart in seconds, right? Yes, computers do crash; they are like any electronic device, there's a lot of complexity to them, and then people call us: "I really have a lot of important stuff on here, my computer can't even..." There are a couple of places you can store your data. Now this is more of a personal perspective than a business one; for business we recommend a more thorough enterprise backup plan, but we'll talk about things you can do personally here, and these are things you can do for free. Microsoft OneDrive offers storage of a lot of files at the time of this; the documents that you have on your computer, you can upload them all to Microsoft OneDrive, and they have a free version. Like I said, it's pretty reasonable, and you get quite a few documents in there, which is great, and that's a lot of times all people want if you're just doing it on a personal level; maybe you just have a handful of things you're keeping track of, like I said, a recipe list, just personal data you create. Microsoft has a way to store it on there. I do recommend keeping a local copy whenever you use any of the free ones; they may start charging you for it, so I recommend a local copy, but if you only have a local copy and your computer crashes, you have no data; you're out of luck. So the free one's a good way to start with Microsoft. Google, same thing: Google offers a personal 15 GB of storage,
same exact concept. You can sync your documents on there and have a place to store it, and it goes up from there if you want to buy the paid versions of it; it's pretty reasonably priced. IDrive is a little bit, you know... they give you 5 GB for free, which I think is kind of cool; they still have the free option. But IDrive is a company that's been around for a long time. We recommend it for a lot of personal backups for people, and there have been some people who go, "hey, I'm not really ready for a solid, full business continuity plan." We understand that, but maybe they're a single contractor working out of their house that does some side gigs, so they have some data. IDrive is an easy way to back that up, and it's like 52 bucks a year. I will admit they do get you: the first year, then $70 the next year, but you're not talking about breaking the bank here to have your documents backed up. And some people, if it's just a couple of files that are critical, maybe a couple of spreadsheets you have, yeah, the 5 GB free is not bad. And, you know, IDrive, like I said, has been around a while; we've recommended it to a lot of home users that are just looking for a simple backup plan. We found their software to be fairly easy to use and reasonably intuitive. It's no substitution; that's different, but this is some suggestion for personal use. And the reason I bring them up compared to some of the other ones: they offer, if you get more advanced, they actually have encryption options, even with their most basic plans, encryption options to make them compliant. What that means is you encrypt the data before it goes up to the cloud. This is what avoids that problem with Google, where you're sharing your data with Google or Microsoft, because they technically could have access to it. Before it leaves your computer, similar to the LastPass method, IDrive would only be storing the encrypted derived data from there, not the actual data; therefore they don't have access to it. And by the way, this is unfortunate, but we've had
people who've come to us after we've suggested IDrive: "I can't restore it because I encrypted everything and I lost the password." That's true; IDrive can't help you if you lose the password. And also, if the computer you're backing up is where you saved the password, we can't restore that computer, because we need the decryption password you saved on the desktop. That's a scenario that's happened, actually, more than once. So if you choose to go this route because you're concerned about security, awesome; the downside is you're going to have problems if you don't know that password. Don't forget it, don't lose it.

So this was my Protecting the Digital U talk. Thank you if you made it all the way to the end of this video. If you work in the tech space and feel you want to do so, I recommend this. Hopefully you learned something; hopefully you gained some insight about the digital persona and the digital footprint you leave online. Like I said, there's a link to my slide deck if you wanted to go through any of it or get directly to any of the links where I gathered some of this data, but this is going to be always changing, so I don't know if I'll do a new video each year, but I do know the slide decks will update randomly based on whenever I get booked for a talk that I give at a conference. So just look at the date on the first slide to know what version you're looking at. All right, and thanks, and thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos, they're accepted right there on our forums, which
are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
