So hello everybody, and welcome to the best free one-hour security awareness training ever. Not to put any pressure on ourselves or anything, but we are hoping to deliver what everybody here will experience as the best free one-hour security awareness training ever. If you're not familiar with GoToWebinar, just very quickly: if you enter questions at the bottom of your GoToWebinar control panel, there's a place there to get questions to us. We will be doing our best to get to those questions throughout and at the end of the webinar. We cannot promise that we'll get to all questions. We also will endeavor to leave a few minutes at the end of the webinar for Q&A, where we can unmute people and let folks talk, but everybody is going to be muted by default throughout the webinar. We're here on video just for the first few minutes, and then we'll see you again at the end, but you will hear Destiny's and my lovely voices throughout. I'm Joshua Pesca, Vice President of Roundtable. I also have with me Destiny Bowers.

Hi, I'm Destiny Bowers. I'm our client relations manager and project manager, and so let's get started and learn a little bit about security.

And behind the scenes we also have Ben Gardner, who's handling all the tech and also is in charge of all snarky comments that need to be added to Destiny's webinar. So off we go. So, icebreaker: we're going to start with a nice quick survey for everybody. We've got this nice little cartoon, the security desk and the insecurity desk, and as we go on to the first poll, what we want to ask everybody here is: at which desk do you feel like you belong? Do you feel like you're at the security desk, or do you feel like you're at the insecurity desk? I was a little slow on that; I forgot that I'm doing polls for this one. And we're going to let everybody throw comments. So which desk is everybody at? We'll leave this open for just a few more seconds.
Most folks have voted. Five, four, three, two, one, and it's a kind of 50-50 split. So we've got, it's almost exactly a 50-50 split. So it's kind of interesting: we've got some people here at the webinar feeling quite secure and some people feeling not so secure, so we're hoping by the end we're going to change those numbers for everybody.

Okay, so moving on to the very next slide: why are we here today? Well, cybersecurity can seem overwhelming, complex, scary, but what we're going to be talking about today is how much it's mostly about people and behavior, and it turns out that there are some pretty basic things you can do to make both yourself and your organization significantly more secure. One of the great benefits of security awareness training for organizations is that it helps the security not just of your organization but of the individuals. So when you're giving your staff security training, you're not just helping your organization; they're also less likely to be victims of identity theft, of other kinds of fraud, of security breaches within their own personal computers and devices. So you're helping the individuals that work at your organization as well as your organization itself.

As we go on to the next slide, very quickly, what we're going to cover today is who is after your information, why they want your information, and how they get your information. Those things we're going to be covering pretty quickly, because we believe that to make this the best free one-hour security awareness training ever, we really need to focus on that fourth bullet point, which is what you can do to make yourself more secure. So that's where the bulk of this is going to be today, but we did want to set some groundwork for everybody, and then we'll have some next steps that people can take.

Next slide: we're going to make a promise to you, and the promise is no FUD. So what is FUD?
FUD is fear, uncertainty, and doubt, which is shortened to that acronym. It's a disinformation strategy that can be used by organizations like Roundtable, if we were unscrupulous, to scare people by providing misinformation in order to convince you that you have to hire our services or buy our product in order to alleviate some risk that you may or may not have. The information we are presenting today is not that. We are doing our absolute best to present what we see as the legitimate risks, and where you don't have them. So, having said that, as we go on to our next slide here with a little Larry David: having said that, we do want everyone to be aware of what threats there are out there in the world and what they can do to protect themselves. We also want you to understand that you can't eliminate all risk. One look at the news, right? We got a LinkedIn breach that hit the news yesterday. Now, it was back in 2012, so anyone who hasn't changed their LinkedIn password since 2012 does have cause for concern today, but hopefully no one at this webinar fits into that category. But you will see breaches in the news all the time. So you can't eliminate all risk, but there are things that you can do that can make a big difference, and we're going to revisit this slide toward the end of the webinar, when we've given you the tools and tactics and strategies to implement these things at your organization. So: you can nurture a security culture at your organization. We're going to talk today a lot about what that means, and attending this webinar is a great first step in that process. You can educate yourself and others about the tactics used to steal your info, and the information we're going to give today will give you a lot of that. You can protect your accounts and devices with secure practices.
Now, we can't do that for you today, but we will give you some strategies and tools to protect your accounts and your devices. And you can verify. A couple of months ago we did a webinar called Tame Your Inbox, which was about inbox management, and we provided in there the one-word security training, and that one word was verify. If there's one thing you take away from today's webinar about security awareness, it is that when in doubt, any doubt, verify. We'll talk a lot about what that means today, and I think that is where I hand things to Destiny.

No, you're on a little bit more.

No, I'm still on for three more slides. All right, I was turning in. All right, oh that's right, three slides of boring stuff. All right, so if anyone wants to take a quick nap or anything like that, we're going to go through three slides of boring stuff, and we're going to talk in a little bit of detail about cybersecurity, because it's a term we all see; it was used in the promotion of this webinar today, and so we think it's important to contextualize. It's only three slides; we're going to go fast, so if you need to take a little bathroom break or something, this might be a great time. Otherwise, if you really want to learn a little bit about cybersecurity, here we go.

Let's start with the definition. What is cybersecurity? It's the protection of an organization and its assets from electronic attack to minimize the risk of business disruption. So it's protecting the electronic stuff. We will talk in this webinar today about paper stuff, stuff that falls outside of the technical rubric of cybersecurity, but it's primarily concerned with protecting electronic information. So where do people fit into cybersecurity? Let's think about this. If we look at this triad (we're going to give you two triads in a row, and this is, remember, the boring stuff).
So, as we're thinking about security, we're thinking about the physical protections: we have locks on the doors, we have locks on the security cabinets, we have locks around the filing cabinets, in the server room we have physical protection, maybe security guards. And you have people, and the people and the practices and the policies that they are implementing are helping with security. And then you have the cybersecurity, which is all the technical stuff that we think of as a bunch of highly sophisticated technical people, coders, security professionals, people with all kinds of certifications after their name. The reality is that people are in all of these places. So people fit in everywhere within the thinking about security for your organization, whether it's cybersecurity or not. That's a really important concept to understand.

Next slide: we're going to look at another triad, and this is going to be even more boring, but I think it's an important concept to explain, which is that as you think about information that you're trying to protect within your organization, there's this CIA security triad (which is super easy to remember, right?), which stands for confidentiality, integrity, and availability. The easiest way to think about this is: when you have a piece of information, the confidentiality is how bad would it be if that information was exposed. So if you think of something like your website, not bad at all; in fact it is exposed, it is designed to be exposed, you want that information to be public. On the other hand, if it's personal health information or credit card numbers, it'd be pretty bad if that was exposed, and you certainly don't want them out on your website.
Second, how bad would it be if information was lost? So if we go back to the website here: pretty bad if you lost all of the data and all of the designs and graphics and everything on your website and it wasn't recoverable. For most organizations here, I think they would consider that to be pretty bad. So it's not at all bad if your website is exposed, but it's really bad if the information is lost. And then the third thing to think about is availability, so how bad would it be if the information was not available for some period of time? So again, if your website was unavailable for an hour, not great; for most of us, not a catastrophe. Down for a day starts to get pretty bad. Down for a week starts to get borderline catastrophic for a lot of organizations. So those three areas are really important to think about in terms of how important information is to protect. And that is the end of our three boring slides. You all made it. If anybody's still here, we didn't lose anybody, fantastic. All right, and now I hand off to Destiny. Take it away.

Okay, so one of the terms that you will hear us mention, and you've probably heard on your own before this, is phishing. Phishing is the attempt to acquire your sensitive information (passwords, credit card information, and other items like that) by masquerading as trustworthy sites, be it an email or a redirection to a website, and in a lot of cases even text messages. And if you're curious why phishing starts with a "ph", it's because some of the earliest hackers out there were known as phreaks, with a "ph", and this is because they exploited telecom systems, and since phone starts with a "ph", well, you can guess the rest, and the "ph" just carried the tradition on. So now a lot of these terms will use the "ph" for phishing or anything with that sound. This also moves into the concept of vishing, which is voice phishing, and spear phishing, which is targeted phishing, and there are a couple of other different kinds too, as I mentioned, through mobile phones and through social media posts, but
this is going to bring us to our first slide poll, which is a little game that we like to call Phish or Not a Phish. The rules of the game are on the next slide: we're going to bring up a website, and we're going to leave it up there for a few seconds and then ask you all to look at it and tell us if you think it's a phish, a fake website, or not a phish, a screen grab of a legitimate website. One thing you'll notice is you may see a watermark that says PhishTank on the images. That does not signify whether it is a phish or not a phish; that's just one of the services that helps you go through some of the training on phishing to help recognize these. So let's go ahead and bring up our website. We're going to leave this up for a few seconds; everyone take a look at it. Okay, now let's launch the poll and put your vote in, whether or not you think it's a phish or not a phish. We've got about 70% of people, we're up to 80% of people voted. We'll leave it open just for a few more seconds. We've got about a two-to-three margin believing that it is a fake website; about 37% of the people, a little over a third, believe that it is legitimate. Okay, and the answer is, next slide: it is a phish.

Moving on, we're going to show you why it's a phish, one of the ways, and some of the ways that you can look at a site and recognize what phishing looks like. So one of the first things you're going to see, in the website address itself, is there's no HTTPS, which means that this is not going through a secure channel, and you'll see over to the right the actual American Airlines site has the HTTPS, and the browser has recognized this and authenticated it. Another thing that you'll see is the URL itself. Where it may be easy to spoof a web page's look, such as the graphics and the words and everything else, the actual address of the page is something that's a lot harder to spoof, because legitimate organizations have control over their legitimate organizational name. So when you're looking at a URL, take a look at what
comes after the expected name, in this case AA. You would think that it would just be americanairlines.com, but when you see a lot of additional words after, where it's something dot something else dot something else dot com, that can be a trigger for you that this may not be a legitimate site. One of the other things to pay attention to is the fact that you often have typos or misspellings in these, where you'll see that "member" is not spelled correctly. A lot of times that's because organizations have caught on to what phishers are trying to do, and they will try to purchase misspellings of their own domain names to make sure that people are redirected to the correct location.

On the next slide we're going to talk about who or what is out to get you. We know that phishing is out there in the wild, and we know that this happens a lot and frequently. So who is it? Sometimes it's bad guys. Sometimes it's programs or bots created by the bad guys. Every now and then it's also bad code, which is an error in the programming language that actually creates vulnerabilities that the bad guys then exploit, and you'll see this is one of the reasons why you have things like Windows updates, or every now and then your browser will ask you to refresh it to put in other updates: whenever they locate these vulnerabilities, they update the code and try to close up that hole. Then you also have your own people. This is not necessarily disgruntled or unhappy staff, but it could be because somebody has lost their equipment or their phone that has the information on it, or they're logging into other people's machines that may not have a proper antivirus or may already be infected with malware. And you have human error, where people sometimes send the wrong information to the wrong people, be it via email or even via fax. And there's also human nature and human desire, where people say, "Well, I really want to get on Wi-Fi, so I'm going to find an available network; it doesn't really matter if
it's open or not," or, "Oh, I would like to get a free program," or not have to pay to do certain things, and so they bypass their common sense of going, "This might not be the most secure thing to do, but it's something that I want."

Now we'll talk about the why. When it comes to the bad guys, usually the why comes down to the most common reminder, which is money. People want to steal your data to make money off of your information, such as credit cards, or to sell your data to someone else, such as for identity theft, to make money, or extort your data. If you've heard of the CryptoLocker virus, which basically encrypts your data and holds it hostage until you pay somebody to get it back, that all comes back to money. And there are people who just want to make trouble, and if you recall the Melissa virus from a couple of decades ago now, that was just to impress a girl, and we're not kidding; that's why he really did it.

So how are we going to combat the bad guys? How are we going to look at our security in a new way to help us fix this? Through the different terms that we're going to look at, and this is how the people get it. People get this through phishing, which we went over; social engineering, which Josh is going to talk about next; malware, which is programs that are installed on your computer to access your information; then there's theft, which is the physical theft of your device, physical theft of information such as paperwork, laptops, cell phones, or even the credit card swipe, the electronic credit card information that you have embedded in your credit card; and then there's also error, which I mentioned, where these things are done by mistake or by tricking people into it; and then there's the actual physical theft through dumpster diving, which is big on identity theft, where people will go through mailboxes or trash to find things like credit card and bank statements and then use those to steal your personal identity and other information. So it's always a good
idea, when it comes to that, to make sure that you shred or safely dispose of that kind of personal health and personal financial information. And then lastly, which we also spoke about, the exploiting of the vulnerabilities in bad code or security holes in operating systems and in web browsers. For this I'm now going to hand off to Joshua to talk about social engineering.

Thank you so much, Destiny. Social engineering is the manipulation of our human instinct to help, and quite frankly, when we talked at the beginning about how so much of this is about people, social engineering is really how most of the security breaches are being perpetrated. They're being perpetrated by fooling people with phishing or spear phishing attacks, or with vishing, which we're about to talk about, or through just calling people on the phone and getting key information from them. We've all seen this in movies in a billion different ways. It's usually done comically in a lot of things, or in action movies the hero will often use social engineering to try to get themselves into a building. It's really common in cinema and in real life, but in real life probably a little bit harder to identify.

So as we look at the next slide, it really is the lack of employee awareness that is the most dangerous social engineering threat to organizations, and you look at phishing, which is a form of social engineering: those two by themselves constitute over three quarters of all of the social engineering threats to organizations. So we're really hoping to make that much reduced for everybody that's in this webinar today, and hopefully you'll bring this back to your organizations, and your organizations can benefit from that reduction in risk as well. In the next slide we're going to take a little bit of time to go through these. When we think about social engineering,
there are actually some really basic things that you can look for, and one of the challenges is that all these kinds of things are things people like me, when I'm trying to sell you something, might do. So I might initiate a call to you, I might offer you something for nothing, I might tell you if you don't buy this today the offer is going to go away, I might tell you if you don't buy this your organization's at risk. Those are all things that a salesperson will do, but they can also be things that someone who's trying to take advantage of you can do. There's a great book, which I have at the bottom there, called The Gift of Fear, which has nothing to do with information security but has everything to do with personal security, that deals a lot with how social engineering works and how to think about it. But the six things to get your spidey sense tingling: first, if it's not initiated by you. Initiation means something comes to you with a request or something they need from you. So that number one thing is just that, and again, none of these things are a reason that you should automatically not trust the person; it's just a reason to start being on alert a little bit and seeing if there's something to worry about here. Second, if someone's offering you something for nothing: you want something, you will win something, you can get a free something, you won this prize and you just have to give us this information. That's a big warning sign. Urgency: if you don't give me this today, or sign up today, or give me this information right now, something bad will happen and you will lose out on some opportunity that you otherwise would get; if you don't take this, other people will. Fear: if you don't do this, something bad will happen to you, something bad will happen to me, something bad will happen to our organization. And that can often be combined with authority: my boss, your
boss said this needs to happen, so if you do not give me this information you will get in trouble with our boss; or I represent a big government organization, and if you do not give me this information you will be in trouble with the government; I am authorized by the government to get this. And then the last thing is when people want information from you that doesn't really make sense. So if they start asking for your social security number, your driver's license number, your credit card information, those are all things to put you on alert.

We're now going to do a wonderful little role play, and so Ben, don't forget to unmute yourself for this, and we want you to note the characteristics of this little fictional, but not totally fictional, phone call that we will do now.

Ben: Hello, this is Ben from the IRS. You owe federal government taxes, and it's very important that you pay now or you could be sent to prison.

Destiny: I don't think I owe any taxes, but what do I need to do?

Ben: You can do a wire transfer or pay by credit card on this call.

Destiny: How do I know that you're really calling me from the IRS?

Ben: Ma'am, I am a government agent. You must do as I say or go to prison. If you need to, you can call us back at 212-555-0123 and use your social security number to look up your case.

Destiny: You know what, I think I'm going to go ahead and verify this information.

Ben: See you in prison. Click.

In our little Roundtable Theater presentation here, you'll note that the caller used some of the things that we spoke about: they initiated the call, they gave that sense of urgency, they tried to put the fear of prison into me, and they tried to assert their authority. Even though I knew that I don't owe money to the IRS, or I don't owe money to whatever credit agency might be calling, or I didn't initiate calls to Microsoft support services or anything like that, they can be very persistent and scare you into taking these actions. So on the
next slide, what do we do if we receive a vishing call? The first one is: if you didn't initiate a call, never give out personal information in that call, even if someone claims to be a representative from a bank or your credit card company. You will on occasion receive calls from your credit card company about fraudulent charges, and they may say, "We noticed this activity on your card; did you really make this purchase?" Now, since they're not asking you for your credit card information, they're not asking you to verify anything other than a purchase, whether or not you did it, then you can recognize that those may be legitimate. But any time they're asking you to then verify your card with your mother's maiden name or your social security number or your account password, that's when you start triggering the spidey senses tingling and say, "I don't think that this is legitimate. Let me initiate a call back to this particular agency by looking up the information on their website or from a bank statement or other verified methods of communication," and then you go to them saying, "I received this information; please let me know if this is true or if any action needs to be taken." You can also report these kinds of things to agencies to help eliminate them going forward.

All right, so this is going to bring us into our next Phish or Not a Phish poll, and on the next slide you'll remember our little game rules, which is we'll put a website up and we'll leave it up for a few seconds and then launch the poll and see how everyone did. So the next website: we're going to take a look at that. Let us know, or think about, whether you think that's a real site or not, and we're going to launch the poll. Do you think that was a phish or not a phish? The votes are coming in, and all right, so 83 percent of the audience believes that it's a legitimate website and 17 percent believes it is fake. What is the real answer? The real answer is not a phish. That is actually the Con Ed website; it's just a really
poorly designed website. But you will have noticed in it where you saw the HTTPS, and you saw the expected coned.com, and you saw the same browser verification, which helps you recognize legitimate sites. On the next slide, one of the other things that we want to mention is you may, if you're a Con Ed customer, have received this mailing or seen this on their website. This is one of the in-person types of events that we spoke about, where there are people who will come to your door pretending to be Con Edison, Time Warner Cable, or other utility people, or sometimes, even unfortunately, medical or police services, in order to gain entry to your house, to again steal things along the lines of laptops and cell phones and other things that you may have. So whenever you have someone showing up at your door who is not expected, again, verify. Don't just look at their credentials. If it really tingles that spidey sense of "I don't know why these people are here," call and verify and make sure that they are legitimate. This is also a question of personal safety in some instances as well.

On the next slide we're going to talk about some of the targeted items, and this is called spear phishing. Spear phishing is somebody targeting a specific person within your organization, with information coming from a specific person. A lot of times this information is found from your own website, where you may list your officers, who your CFO is, who your ED is, and other things that will allow people to say, "Okay, I'm going to direct this spear phish to the finance person from the executive director, in hopes that they will find it legitimate." In this scenario we have, coming from the president of Roundtable, a message to our finance person requesting a wire transfer and asking what details they would need, in hopes that Ben would reply with wire transfer information and banking information and things like that. If you receive an email asking for this kind of information not through normal
channels, this is something that you absolutely would want to verify and go back to the requester to say, "Did you really do this? Is this a legitimate transfer?" Sometimes it's even recommended to set up a code word, where if you are going to have any kind of request for fiscal transactions or sensitive information, you establish in person, face to face, with the correct people that if it doesn't have the word "banana" in it, or something else, then you know that it's not really a legitimate request coming from someone within your organization. Spear phishing can happen over the phone and through the various methods that we spoke about, not just email. And it's very interesting to mention about this specific email.

Yeah, so this specific email was sent to us by someone who actually attended the Tame Your Inbox webinar that we talked about two months ago, and literally while they were in that webinar, a person at that organization received this email purportedly from their executive director. They then came back from our webinar, where we have the one-word security training, which was verify, and thought, "I will verify this," and they walked into their executive director's office and asked, "Did you just send me a request for a wire transfer?" The executive director said, "Of course I did not. Why would you ask me that? I've never even, I wouldn't even know how we do a wire transfer." And the person then forwarded it to us, quite proudly, saying, "Hey, thanks for your training; we in fact stopped this through your one-word security training, verify." So we thought that was pretty great, and this is literally, other than we've changed the names, the literal email that that person got, just with their name in the To and their own executive director's name in the From. And with that, we're going to, let's see, what are we talking about next? Passwords. All right, so let's leap into passwords.

Passwords could honestly be their own webinar, and if people are interested in a sort of password,
password management, multi-factor authentication webinar, its own thing, you can let us know that in the comments or in the survey afterward. For now we're just going to do a fairly quick overview. So some things about passwords. First of all, length is more important than complexity. So I'd much rather you have a password that was something like "I went to the store on Thursday." with a period, a fully punctuated sentence, than a password like "xj9$$3", which is shorter and complex but actually much, much easier to crack. That leads us into passphrases: full sentences or phrases are great passwords. They're much easier for human beings to remember, and because it's an easy way to add length to a password, it's a really good practice to use passphrases instead of these horribly complex short passwords. Using password managers like LastPass, Dashlane, KeePass can hugely improve your password performance. I don't want to spend too much time on it now, except to say: the LinkedIn thing, which we'll talk about, and we've got the LinkedIn passwords there. Most of us have passwords at this time at well over a hundred different sites, which sounds insane until you actually start looking at all the different sites for which you've created accounts and passwords, and if you use the same password in multiple places, then with this password breach that happened at LinkedIn or at Ashley Madison, that password's now out there tied to your email address, and now people can try it on all the other accounts and platforms that you're on. Using password managers is a great way to keep you from reusing passwords at different places, because the password managers will tell you, "You're using this password somewhere else; don't use it in this place." So don't reuse them. Don't give them to other people. There's almost never a reason to give your password to someone else, and this is another great thing about password managers: they
give you a secure way to share your credentials with someone else. For example, if I'm working on GoToWebinar and I want to have Ben log into my GoToWebinar account, but I have a password that is my own private password that I use for my GoToWebinar, but we both use LastPass, well, I can share my password with him on LastPass without him actually seeing the password. His LastPass will then log him into my GoToWebinar account without him ever actually seeing what the password was. Then he can go do whatever it was that he needed to do in my GoToWebinar account, and when he's done he lets me know and I revoke the shared password. Now I've given him access to the system and revoked access to the system and never had to share a password with him. You can't do that unless you're using password managers. And then the last thing is: don't do what 120,000 people on Ashley Madison did, who were probably trying to remain private, but not too hard, because they had "123456" as their password, and at LinkedIn 750,000 people in 2012 had the password "123456".

What we're going to talk about next is multi-factor authentication. Multi-factor is becoming a standard, and at Roundtable we actually now enforce it: all Roundtable personnel are required to have two-factor authentication for our Google Apps accounts in order to protect our information and our clients' information. Multi-factor authentication means a combination of two out of the three things described here. Most of us have always just been using the first one, which is something you know: a username and a password. But you can combine that with something you have, which in most cases is going to be your smartphone, with either something that gets texted to you or a six-digit code or an eight-digit code that gets changed every 30 seconds. It could also be a USB key; it could also be a physical key, something you have with you. And then the third
thing is something you are fingerprint voice recognition most mobile devices as i'm sure many of you have noticed now support biometric or or something you are authentication meaning you put your fingerprint on it using multi-factor authentication in in my estimation is something that everyone should be doing now and if you're not already doing it you're going to wind up being forced to do it in the next year so you're it's better for you to get out ahead of it and start getting comfortable with the concept now i can't emphasize that more strongly and on to the next thing to to kind of reinforce that point uh pci compliance and and for those of you not familiar with this it's basically a regulatory standard around how we collect and manage credit card data so if you are receiving credit cards via your website or via point of sale system at one of your storefronts if you maintain storefronts at if you you know collect donations by your website things um you are are subject to pci compliance and as of november of this year anybody who has administrative access to environments handling credit card data is required to use multi-factor authentication so when i say this is becoming a standard and will be required i'm not just making that up to scare folks it's not fun it's literally being written into regulations right now and that takes a sign sorry for that little bit of scariness um and we'll lighten it up a little bit now but that is really true so fish not a fish our third one and let's put up the uh let's put up the sample website so everybody take a look at this you i'll give you a few seconds to take a look and we're kind of hoping that people are getting the hang of this is their third one we'll have one more after this our final fish and uh i'm going to go ahead and launch the poll and see what people think about this one you believe that that is a fish or not a fish and the votes are coming in and the votes are coming in and they're very consistent this is 
like a uh this is like a trumpian kind of uh kind of poll that we're taking here and we will close the poll and we're going to see the results and good job everyone good job people recognize so first one the first fish we threw up there we had 37 people that missed it the second one we threw up there we had uh about 20 of people missed it the third one we got up there 100 percent of everyone in this webinar just got it correct so this is uh i don't want to get all excited but when we say the best security webinar ever you guys are getting better already so take that for what it is and with that i'm going to hand things off to just oh i'm sorry let's talk a little about where it is so um we again have the forged url so even though ebay is in there it's it's certainly not you know ebay.com uh there's no hgtps again that's a big warning if you're asking being asked for a login or any kind of credentials and things that might be a little harder to notice but are good things to keep an eye on and it's a font and design elements are actually quite different from the real ebay screen if you take a look at it and the graphics are low resolution so those are other things to look for and now destiny take it away with remote and travel so one of the things to remember particularly nowadays with the usage mobile devices with tablets with travel and everything else is that our data comes with us it's not back in the day when you had a big huge computer sitting at your desk in your office and when you left the office all of that stayed there now with cloud accessibility and mobile device accessibility and everything else your data is always on you so we want to go over a little bit of a best practices for remote working in other words when you sit down at a computer that is not your own and access your information and then also when you travel be it on vacation or to and from work or just going out to lunch how you can also protect your items so of course some of the things that 
we already talked about by making sure that you have multi-factor authentication on your accounts and password set on your mobile devices is the actual awareness of your environment so things like if i am in a restaurant and i brought my phone with me when i stand up check the table or when i get out of a car or a cab look at the seat next to me do i have my phone do i still have my tablet if i'm going somewhere with my laptop don't leave it on the desk when you go out to lunch make sure it's secured or in your hotel room put it into the safe or in your car don't leave your laptop bag on your front seat put it in the trunk of your car and also one of the things to be aware of if you're in an area that has large public parking lots that thieves know that people do put laptops in the trunk of their car and they often wait to see people who pull into parking lots then open up the trunk and put their laptop in at that time so these are things that you might want to take that extra moment to think about in advance same for those of us who ride the subway where you know that there's been an escalation of people grabbing phones and tablets from folks as they exit the train so again keeping your hands on your devices and having that awareness of what's going on around you is really helpful when you are working from a machine that's not your own try and make sure to log out of any sessions if you've logged into something don't just close the browser window make sure you actually utilize the log out button and if you've enabled the multi-factor authentication for that particular site that's giving you that extra layer of security that the next person can't get into it you also want to be cognizant of the machine itself how many people have access to it is it possible that it doesn't have the proper malware antivirus protection that if I'm logging into sensitive accounts such as my banking or credit cards that there may be someone or a way for this machine to capture that 
information so moving on to the next slide talking to about our mobile devices themselves which I just covered a little bit of is protecting your device with a password at minimum or enabling your biometrics we will talk about encryption a little bit later on and how you can protect your data that way again keeping your eyes on them and then looking at programs or apps such as find your phone or find your tablet where if it's lost or stolen you can use it to identify the location of your device the other thing that you want to do is disable services that are not in use such as your bluetooth services so you don't give another level of egress to your data on your device but people who might be able to connect to it either via an insecure wi-fi network or open bluetooth and going on to the next slide about wireless networks everybody loves to be connected all the time but there are some real security risks about doing this and the biggest one is connecting to open or unsecured networks so whenever possible if you can connect to your 4g data plan from your phone and get onto services that way that would be beneficial if you are using a free network such as starbucks or in this particular scenario shakeshack typically they will have a secondary page that is a sign-on page so once you've connected to it it will bring you to a web browser that will have a second step in the connection and this though you can spoof wi-fi connections does give you a little bit of the extra layer of security and typically you will notice spoofing again where somebody has like the starlux network or you know that you've connected to starbucks before and this does not look anything like the normal connection use that spidey sense again and if you must sign on to these open networks think about the kind of transactions or information that you're going to use do you really want to log into your banking site or into your credit card site over an open network so sometimes it's best to resist the 
urge to connect to these networks unless it's absolutely necessary that you do so now just add very quickly destiny if you're using two-factor authentication on those accounts then you've reduced the risk of logging into those things while on wi-fi networks because that second factor is not something that will get transmitted or it will get transmitted but it doesn't matter because it only lasts for 30 seconds so it's uh that's a quick way to improve go ahead and the other thing is if your device is lost or stolen josh well i'm going to hand it over to you for encryption okay so uh encryption is the most so key term here i forgot we've never contextualized our key term slides right encryption is the most effective way to get data security in device so to read encrypted file you have to have a secret key or a password it's essentially you know the the data is scrambled and it can't be unscramble without the algorithm that knows what you know the code to unscramble it and if you as we go into the next slide you definitely want to encrypt your mobile devices if you can and on the average iphone any newer iphone or android phone or laptop computer macbook or pc you is usually just a toggle switch and then a restart to encrypt the data and you won't really notice any difference in how the device functions or how it works or anything like that but now if your laptop or your iphone is stolen or lost and the data on all on that is safe because even if you know they can't crack your password if you're using like a biometric code it's going to be even harder and without that password they have no way of unlocking the data on it so even if they take the hard drive out of the laptop the data is still encrypted so the bad guys can't get to it so encrypting your devices is a great way to protect your data while you are traveling and we strongly recommend that everybody do that and with that we're going to go into our final fish all right here we go so final fish let's take a 
look at the this website everybody take a nice little look at it and we're going to give you a few more seconds and this is your last chance make us all proud tell us is this a fish or not a fish and the votes are coming in and we'll see and let's see how people are doing here we're going to close the poll up and we're going to share the results sorry and oh almost perfect we have a couple of people who missed that one that was a little trickier just so people know we actually uh i'm not sure what your experience of it was we tried to make these a little harder as they went on so you might think we tried to make them easier so that it would show how impressive we were at getting people's scores up but we tried to make them trickier as we went through because we hope that the training would would help you identify it so a couple people still missed that one uh go ahead i i broke the thing it is it was a fish uh so i have to hide the results i'm sorry then so that was a fish and let's look at why that was do we do we split on this one why it was yeah we do and i think i know what tripped people up and that is the twitter.com with the dot etc after it which is another tricky thing that fishers do yep and that forged url remember so keep keep looking for those dots and one thing that we were kind of joking about is if you uh read from right to left your urls and look for where the last dot is that tells you what the real domain for that website so all zero nine dot info is the actual domain it is not actually twitter.com but i will reiterate that anything that's asking typically for a logon and password the first thing you want to look for is that https not that every single site will have it but that's usually the very first thing to check i actually have a quick thing to add as well this is not snarky or not uh a commonly held kind of rule of thumb that you can follow too is if you if you get this uh or get a link in an email of a site that you know and have been to 
before rather than clicking the link in the email just go to your web browser and go directly to the site because if it's a real security problem or if it's something about your account that needs to be updated when you log in normally by going to twitter.com as opposed to clicking the link it will still alert you that there's a problem so that's another kind of really quick easy way to to kind of protect yourself against this remember who initiated this particular info piece of this particular request if it was not initiated by you reverse it and then you go back and initiate it to the site take the power back into your hands and with that we're in the home stretch so let's take a look at the slide that we looked at before and uh before it was kind of what you can do but now what you can do and we're back again nurture a security culture at your organization so what does that mean well since we did the team your inbox i can't tell you the number of people both at roundtable my family uh clients with whom i work where i've sent them an email and they've called me and said hey did you just send me this because they're verifying and i do not say well of course i sent that to you why are you bothering me you know what i say is good job thank you for verifying you had some doubt about whether this thing i emailed was legitimate you called me i applaud that so that's a quick way to just nurture a security culture is when people do things like verify check to make sure it was legitimate you make sure that that's encouraged not discouraged you don't rush people and tell them they have to do things now you tell them no we want you to verify things you educate yourself and others share this webinar share this information that we that we did today protect your mobile devices and accounts with passwords and policies and encryption and heard it a million times we're just going to keep saying it is the one word security training verify all right and we're going to just one last 
quick poll here which we wanted to see at which desk does everybody feel like they're sitting at now have we have we moved the needle at all in terms of at which desk you're you're sitting at so let's see what people have to say about whether people feel like you're secure and i don't just be nice to us all right that's what they really feel like you're you've changed desks here in this uh over the course of this webinar and so you're thinking about a little bit i think that's okay take your time we don't want to rush you we want an honest response and we're going to go ahead and close the poll and share the results and wow so at the beginning it was 50 50 split and we have managed to move that quite a bit and those of you are still insecure we are sorry we want to help you feel secure if we're honest with ourselves i think we all feel a little bit insecure but hopefully now we all have some things that we can do to uh to make it a bit better and we want to give a few minutes here to an organization fiscal management associates that co-sponsored the webinar today they're an organization that has particular interest in information security because they help organizations with their financial information and we have here to to talk with you steward cohen from fma steward are you here i'm here can you hear me we hear you just great going ahead well thank you very much um for doing this webinar i am appropriately traumatized now and insecure um so thank you for that we one of the things that fma we we do have very strong security and it's continually been growing and and i think this is a great um this is a great webinar that should be given a lot because i think a lot of people do not understand the reality of what everyone is facing today um around security so thank you for that and i'll be very brief with you all um just to thank you for doing that and just about fma i know some of the fma our clients are on this call thank you for coming here we love the round 
table people and um fma we care about controls we financial management is the center of our world and for those of you who know that that means that controls are very critical to safeguarding your resources and technology being such a strong resource for everyone today um we're very grateful for the round table folks who can help us keep safe that way if we can be of any help to you fma online net uh feel free to look us up or s cohen at fma online net uh and we'll be happy to help you with if you have other concerns about controls that are non technology we help organizations with that too so again thank you and um we look forward to seeing more from you guys thank you thank you still really appreciate it and thank you so much to fma for for helping promote this webinar and for just being friends of round table and for helping out so many non-profit organizations with their uh with their great knowledge and expertise and our pleasure okay and so on we go we're going to wrap up here and have enough time for q and a this is like we've done the best on time management and we've ever done we finished right when we wanted to finish so uh we finally did it we almost always run long but we didn't today so thank you for attending we very very much want your feedback at feedback dot rtt dot nyc so uh not right now uh but as soon as we're done with the webinar please go there and uh and give us some feedback and you can also let us know if you are interested in any of the following offers so we for people who came to this webinar uh you can get 15 off a risk analysis project where we help you think about that confidentiality integrity availability look at your existing safeguards around security maybe perhaps do some security awareness training for your staff and your organization so 15 off of that kind of project we've been getting lots of requests for those projects lately so folks that attended this today you get 15 off because and uh 50 off for any ongoing round table 
service and you can check those out at services dot rtt dot nyc so any ongoing round table service you can get 50 off the first month and we also we did a webinar a month ago uh and a number of organizations have taken advantage of this and they have been absolutely delighted because they're saving hundreds of dollars a month already without barely having had to do anything so you can go to ccsave dot rtt dot nyc if you want to learn more about merchant advocate they will give you a free credit card processing fee assessment basically they can potentially reduce what you pay for credit card processing fees without you having to do anything so that's pretty cool if you're interested contact us use the code best ever and uh onto the next slide ben and that's pretty much our wrap we're going to q&a we've got a whole oh yeah thanks to fma thanks to fish tank thanks to open dns uh there in the resource we we grabbed all of those except for the comment from open dns's fishing quiz it's a 14 uh slide uh 14 website quiz you can take the template for our presentation days from slides going to be like it a lot and the resources page is next and we'll leave that sitting up while we uh take questions i think and uh if anyone has questions you can enter them into the questions you can also raise your hand and we can unmute you and i'm going to start kind of looking through wow we've got a lot of questions q dot so at this point just everybody knows we are uh done and actually ben can we go back to slide 54 let's leave it there um just so people can see all the uh the links there we go uh so feedback if you're going to leave please do just take a minute to give us some feedback desi and i really do take that feedback in and try to work with it and there is a notation um that in the feedback url there is no period at the end it's just dot nyc ah thank you destiny and we're going to just basically take questions now we'll probably wind up running past two as we deal with these you 
can enter questions into your go to webinar control panel but we are at this point concluded with the formal part of the webinar so everybody's welcome to stay as long as they like or at least until we we leave but uh but we're uh going to jump into questions so the first question i see is what about using vpns when connected to an secured wi-fi so a vpn is actually a pretty good way to create a secure tunnel um when you're going to wi-fi the problem however can be that the actual credential for that vpn um before you're connected if you're on an unsecured wi-fi is still something that's then being exposed to that wireless network um once you've created the vpn connection everything that's now happening is secured but if that username and password that you're using to make the vpn connection is something that works for anything else that's a potential risk and uh if anyone else has other thoughts about that i welcome them but that's uh there are a few services that are becoming uh more cost effective now that actually use multi-factor for authentication for um vpn tunnels so that may be something uh i'll try to include some links here in the resources page um i need to look a few of those up but there are definitely ones that you can use an authenticator or a texter or something like that to be that multi-factor so that would be a way around the uh the big concern about sending your credentials and we have another question is there any any occurrence of a subscriber's wi-fi such as time Warner cables being spoofed and is it generally safe to connect to those networks in unfamiliar locations and i would say that um time Warner and a lot of these service providers that do have hot spots all over the city typically will have an app for your device that will use that that to find these secure locations so it's probably a best practice to put the time Warner cable wi-fi app on your device and then use that to locate these but they will also ask for your credentials to 
get on to them um so you should again see that same secure information i do not personally know of them having been spoofed but again you always want to be wary of making sure that it's a legitimate and not an actual spoofed wi-fi id in other words if you twcc.open or things along those lines you always want to make sure that you're finding these through a verifiable method such as the finder app that's provided to you by the service itself right another question we have is how do we know we are safe from hackers even though we might not have the information hackers typically look for in terms of infrastructure so this is a pretty common question which or a kind of general sense which is we don't really have any information hackers would want so therefore we don't you know do we really need to worry about security and the short answer is everybody needs to worry about security because you all of us have some kind of information that is worth protecting and also our infrastructure can be used for ill um and if if we don't protect it meaning people can take over our computers our networks our websites and deliver malware through them which has happened to a lot of organizations that I know of where their websites for example have been misappropriated by bad actors to deliver malware or you know collect information and that's obviously a really potentially catastrophic thing for an organization someone's coming to your website to to donate money and instead they get malware on their computer and get crypto locker right so that's that's really horrendous for you as an organization so everybody does need to practice at least the most basic best practices of security now if you're an organization that's say dealing with um you know hostile uh foreign countries where you know motivated attackers might be coming after you you have a very different security profile than 95 percent of the organizations that are here on this webinar today and you have to take an entirely 
different approach to security that is much more serious most of those organizations in my experience know who they are and and for the most part you know are taking appropriate actions but I will go back to the fundamental thing we said at the beginning which is you can't eliminate risk if a sufficiently motivated uh party that has resources decides to get your information they will and there's really very literally you're going to do about it and again just look at the news if if the NSA cannot keep their information under wraps right what chance does does anybody you know Home Depot Chase Bank uh Sony Pictures it's if you are going to be victimized by a motivated and well funded entity you're in trouble all right uh but we can do a lot to protect ourselves from everything short of those attacks and we can do a lot to protect ourselves from even those attacks and make sure that only the you know most well funded most motivated attackers are going to get to us then are destiny and anything to add to that well I would just say there was a second part of that in terms of infrastructure there are obviously certain things that can be done such as having active antivirus and malware protection on your companies or your organization's computers there's having layers of protection when it comes to password policy and to factor authentication usage um so there are things along that line where it's as joshua said not going to protect you against everybody but it's always better to lock the door not just close it so there are steps that can be taken to at least make the effort a little bit more difficult for people and for things like websites and even for your mobile access points to not leave the default administrator passwords and log-ons that come with your wireless access points or when you set up your website for example you're using wordpress to change those credentials right from the get go because that's public information and things that you can find simply by 
googling what is the default password for my link sys wireless router uh so steps along those lines even in your own home are are helpful uh in the last yeah I can answer that that question uh unfortunately it's it's kind of there's two different sets of um of devices we have to think about as far as stealing biometric or storing biometric information as far as your iphone or your android phone where you use your fingerprint to unlock it those devices are specifically designed to have a very secure encrypted uh actual physical chip on the device that is not accessible by any means by anyone other than that actual fingerprint sensor so those devices are extremely secure because companies like samsung and apple and others understand that those are going to be out in the wild however unfortunately our own government has has kind of had a little bit lack security around storing of biometrics so if it's a uh a a system that is linked to a company that you have to scan your fingerprint on your computer or at a door lock or something like that it could be a concern but as far as 95 of the people in the world with just their biometric access on their iphone or their android it's really not a secure uh or not a security concern because it can't be accessed by any external means so hopefully that answered and I just want to make one quick point which is that the the kind of security part like the nuts and bolts technical stuff that that we've been talking about here for the last you know 10 minutes um you know that's that's always changing always escalating always you know bad guys versus good guys and you know we add biometric they figure out a crack biometric we add two-packer authentication they figure out a crack two-packer authentication and it's always and that's always the way it's going to be so there's nothing you can do about that what's interesting about the social engineering that was true the same way 200 years ago that hasn't changed so teaching yourself about 
the social side of security and just the general human you know manipulations to look out for that is knowledge that will serve you for the rest of your life and for years to come so there's reason why the trojan force worked social engineering and so so this other stuff you know is where people like us we have to work our butts off to try to stay current with the current you know with with all the technical stuff that's going on but the social stuff it doesn't change so learn it learn it well another question and my idiot is always afraid to similar hack us is having a firewall and antivirus and password policy the best we can do can I tell him that so short answer no you can't say that that's absolutely not the best you can do I would say that's the minimum that you could do would be having firewall antivirus password policy I would say security awareness training your staff I would say doing and this will come across like fun and trying to sell out services but I would say doing a thorough risk analysis for your organization identifying that CIA triad and how that impacts your information and then what practices are in place to protect the information that is identified as critical whether it's confidential or availability or integrity and understanding what risks you face what would be the impact if those risks were realized so what if you know how how easy would it be for someone to hack our website how bad would it be if someone did hack our website how difficult would it be for someone to get credit card information from our donors how bad would it be for us if that information was exposed you kind of go through those questions and figure out where your real vulnerabilities are and what it would take in terms of effort and cost to mitigate them and by doing that and once you do it the first time like a lot of this kind of long-term strategy stuff it's a lot easier to keep doing it so you do an initial risk analysis then you update that every six months or 
every year you're going to be in pretty good shape but if you're never going through that exercise you really have no idea what risks you're facing right now and I can't tell you whether they're serious or not because you know unless you've gone through that thought process I think you really don't know and going back to the people's side of things to make sure that staff is trained and that security awareness is an ongoing conversation and having policies around again mobile devices and remote usage and items like that where you could have great interior security but if you are allowing staff to have access to their files and to email on their devices that go with them and you have no policy or instruction or best practices around those that's something that needs to be addressed as well as we've said the people part of this is really important and that answers all of our questions and we are now 10 minutes past two o'clock so I think we're going to close this out please everybody I'm just going to throw the link in the chat http on slash slash feedback the rgt.nyc I only sent it to the organizers that's not going to help me so please everybody go ahead and click that link and please do give us feedback we really do appreciate it please make a candid feedback we want to hear what you thought how we can improve for those of you who have attended multiple of our webinars hopefully you see that we're changing things we're trying to get better hopefully you feel that we are getting better and thank you all so much for coming today and helping make the world a more secure place thanks everyone
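The read-the-URL-right-to-left rule and the "look for HTTPS on anything asking for a logon" check that Josh and Destiny walk through on the eBay and Twitter phish screens, written out as an added Python example that is not part of the webinar or its slides. The sample links and the brand list are constructed for illustration, and treating the last two labels as the real domain is a simplification assumed here (it ignores suffixes such as co.uk).

```python
from urllib.parse import urlsplit

# Brands whose login pages a phisher might imitate. Assumption: a short
# illustrative list, not something the webinar or any product ships.
WATCHED_BRANDS = ("twitter", "ebay", "paypal", "google")

# Constructed sample links, in the spirit of the webinar's "phish or not a
# phish" screens (an eBay page with no HTTPS, "twitter.com" sitting left of a
# .info domain). None of these are real phishing URLs.
SAMPLE_LINKS = (
    "https://twitter.com/login",
    "http://twitter.com.all09.info/login",
    "http://signin-ebay.example.net/ws/eBayISAPI.dll",
    "https://www.ebay.com/signin",
    "www.paypal.com.example.org/cgi-bin/webscr",
)


def registrable_domain(host: str) -> str:
    """Apply the webinar's rule: read the hostname right to left; the label
    before the last dot plus the suffix is the real domain.

    Simplification (assumption): the last two labels form the domain, so
    two-part public suffixes such as co.uk are not handled."""
    labels = [lab for lab in host.lower().rstrip(".").split(".") if lab]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_link(url: str, brands=WATCHED_BRANDS) -> dict:
    """Return the real domain plus the two warning signs the webinar calls out:
    a brand name sitting to the left of the real domain (a forged URL), and no
    HTTPS on a page that asks for a logon."""
    if "://" not in url:  # a bare "www.example.com/..." link has no scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    warnings = []

    # Labels left of the real domain, e.g. ["twitter", "com"] in
    # twitter.com.all09.info. A watched brand there, but not in the real
    # domain, is the forged-URL pattern from the final phish.
    decoy_labels = host.split(".")[:-2]
    forged = False
    for brand in brands:
        if brand not in domain and any(brand in lab for lab in decoy_labels):
            forged = True
            warnings.append(f"'{brand}' appears in the host but the real domain is {domain}")

    if parts.scheme != "https":
        warnings.append("no https")

    if forged:
        verdict = "phish"
    elif warnings:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"url": url, "real_domain": domain, "warnings": warnings, "verdict": verdict}


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to its verdict, the way the poll results were tallied."""
    return {link: check_login_link(link)["verdict"] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_login_link(link)
        print(f"{result['verdict']:<10} {result['real_domain']:<20} {link}")
        for warning in result["warnings"]:
            print(f"           - {warning}")
```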