 We will get this rolling. Good to go. Hello, everyone, and welcome to Become a Cyber Security Ninja, our 10-part webinar series. Today is session five on the move, Mobile Security and While Traveling. At the end of the session, as I was telling folks, we will be halfway through. Those of you who've been on us for every session, God bless it, it's awesome. And hopefully you feel like you're getting good information here, and we're getting this stuff out there. So we've covered threat modeling and risk assessment. We've covered network security basics, firewalls, VPN, vulnerability scanning. We'll be talking about VPNs again today, but in a different context. We've talked about authentication passwords, password managers to factor authentication. Talked about encryption, and that's going to come up again today. And today is on the move, Mobile Security and While Traveling. And then in two weeks, we'll have Don't Feed the Fish, Fishing, Social Engineering, and Ransomware, which we expect to be a very popular session. I, of course, am Joshua Peske. With me is Ben Gardner, also from Roundtable. And Roundtable is a team of dedicated technology professionals operating out of Maine and New York. And we work with hundreds of organizations to help them achieve their missions through effective use of technology. Our learning objectives today, we're going to talk about risks around mobile use. We're going to talk about protecting some ways to protect yourself. We're going to talk about using public Wi-Fi and practices when you're doing that related to that. Encryption and VPN. We're going to talk about mobile device management. This is probably something that's aimed more for larger organizations. But some people actually have access to mobile management tools already. And I'll walk through those just a little bit. We'll, of course, have our usual checklist of best practices and resources for further learning without further ado. Let's throw out our first poll. I'm curious as to what people are protecting their smartphones with currently, and just kind of if there's anyone out there that doesn't even use a password yet. So I'm curious as to how many people out there are using four-digit passcodes? How many people are using six-digit passcodes? How many people are using pattern lock, pattern lock? Whether people are using Touch ID? And how many people maybe don't want to respond here? We'll leave this open just for a little bit to see what answers we get. Let's go ahead and close that and take a look at the responses then. All right, so most people are using passwords, but we do have a few, a little under 10%, that are maybe not using a password on your smartphone yet. And all I have to say for those of you who do not currently have a password on your smartphone is please, please, please go ahead and put a password on there. Ben, let's go ahead and close that up. And off we go. WISCs with mobile technology, this little cartoon, actually kind of covers one of I think the big risks that a lot of us think about, which is that I go into a coffee shop, I go into a hotel, I go into an airport, I go maybe even to a friend's house or to a neighboring organization and get onto a Wi-Fi network that I don't control or manage or have a confidence to secure. What's gonna happen to my information? And so this little cartoon, I think somewhere is that very well. And this is a quick aside. I actually was working from a coffee shop in my neighborhood last week. I actually had gotten there for cybersecurity work that I was doing on a couple of projects that I'm working on. And sitting there was someone who had a network scanning tool that I recognized. Ben, it was an enable product and was running something. I just wanted to stay up too close. I sort of said over their shoulder, but I was like, interesting, someone sitting in this cafe running a network scanning tool and quickly ran through my own checklist for myself and kind of was thinking, is there anything I'm doing that this person is gonna be able to get access to while I was there? And just for folks who wanna know what I do, I actually, wherever possible, when we'll get to this later, I don't use public Wi-Fi networks. I have an unlimited mobile plan and I try to use that wherever I possibly can in all these public Wi-Fi networks if I can't get my mobile to work because there's no signal there, but we'll cover that later. What are some of the risks that we kind of commonly think of around mobile security and if anybody thinks I'm missing something here, this is a great place to throw your ideas into the chat. But obviously we're worried about our devices, our laptops, our phones, our tablets being stolen. We're worried about losing them, just leaving them in the cab, leaving them in the restaurant. We're worried as that cartoon demonstrated about being on insecure networks where information can be compromised or our passwords can be compromised. BYOD, for those of you who may not know that, that's bring your own device. And I think this is probably one of the biggest challenge areas for organizations is how almost every organization allows their staff to access things like email and documents and Salesforce applications and other things from their personal mobile devices, from their home computers, from their laptops, from their smartphones and tablets. But those are devices over which there typically is no corporate control. They're not things that are part of the corporate environment and aren't managed in that way. And there are then concerns about all those devices or the networks on which those devices are running or both insecure. And so, you know, me and my home, we can be either a cybersecurity professional, I can hopefully have a secure home network, but what about all of the other 22 people that work for Roundtable and my confidence that they all have secure home networks where they're doing a lot of their work from? Am I confident that they're all engaged in best practices with their personal mobile devices? Well, that's a real challenge for Roundtable and for really any organization. And in secure practices, people writing passwords and post-it notes and leaving them on their monitors is like a classic one. People emailing sensitive information and plain text, emailing passwords in plain text, emailing passwords generally, going on to insecure networks and conducting sensitive transactions, do banking transactions, other kinds of things. So insecure practices in general, and that's what I could go on. And a concern that I would say no one really thought about very much until the last month or so, which is crossing international borders in particular I would say returning to the US from abroad and wondering about what privacy implications there might be in terms of doing that. And I will touch them out a little bit today. Things experienced ninjas have learned already. So things that folks who have attended these sessions already know and that apply here. Number one, using password managers. If you have strong passwords, you're not reusing passwords, your passwords are 30-digit, complex alphanumeric things that are not, you know, plain English words that are gonna be easy to guess. Those that helps using two-factor authentication, 2FA helps a ton in terms of if your password is compromised, it's a lot less of a problem if you're using two-factor authentication. They encrypt their devices, they encrypt sensitive communications, and they keep an eye on their stuff. So you don't walk away from your computer, your smartphone, even for a moment while at a cafe or in a public place. Ben is just raising that there's a question. Let's see here. Sorry about that, I've missed that there's a question. Ah, this is a great question in here. I am gonna cover that, but I will cover that later. It's a question about hotspots and things. I'll cover that when I get to wifi networks. Thank you for raising that, Ben. Sorry I didn't have that open. New for today. So we'll be talking about those handy public wifi networks. We'll be talking about what to do if your phone is lost. We'll be talking about virtual private networking, as we'll spend a fair amount of our time, and mobile device management, and what mobile device management does, how it can apply to your organization. Those are probably the two most complex. We'll get through those first two relatively quickly. Last week we had a quote about encryption. I'm forgetting the name of the person it was, but about the importance of encryption to a free society, and how strong encryption is kind of one of the cornerstones to having a free society. And Edward Stoden, I'm assuming most people are familiar with. And this was really relevant in the news that came out two weeks ago. I think it was literally during the webinar, or roundabout, but there was a wiki leaks of a lot of NSA hacking tools, essentially, and vulnerabilities that they'd be able to take advantage of. And one of the things that was widely misunderstood in that report, I saw a lot of news reports basically saying that the encrypted application signal had been, you know, that the NSA had a compromise for that, or discovered a vulnerability in that that they were able to exploit. And that was absolutely, just to be clear, not true. But to Edward Stoden's point here, because there were so many vulnerabilities in endpoints, which are your laptops, your computers, your phones, and your tablets, if your phone, let's say, is completely exploited, and someone has remote control of it, remote access to everything that's happening on the screen and can record that, then of course whatever, or maybe not of course, it may not be obvious to everybody, but whatever encryption you're using isn't going to help you if someone can actually see literally what's on your screen. Because you need to decrypt that information out of you, and as soon as you decrypt it, then whoever has control of your device and is seeing what's on your screen has now seen the encrypted message as well. And so the exploits that the NSA had did not in any way reveal vulnerabilities in signal. They were not breaking the signal encryption. It was simply that if your device that you were using signal on was owned, so to speak, or pwned, if you wanna use the cyber term, then it doesn't matter that you're using signal. Hopefully that makes sense to everybody. And the main point to make here is endpoint security, or the security of these different devices that you're using and the networks that they're on, that's where all of the weaknesses are. Encryption by itself, which we talked about last week, is actually quite strong, especially if you implement it well. Let's ask this question. Does anyone here in this webinar regularly use a virtual private network, or a VPN, when you're working from home, or from public locations? We can add in while traveling. Curious as to what folks' responses are here. Do you regularly use a VPN or virtual private network when working from home, or from public locations? We'll leave that open for a few more seconds and let's go ahead and take a look at the response. And we've got pretty overwhelming responses. Wasn't totally sure what to expect here. This is pretty in line. Most people are not using a virtual private network. And before we turned on the microphones, you can go ahead and close that up then. Ben and I were talking about traveling internationally. Ben, I don't know if you wanna repeat what you said. I thought you said it very well. Let me at the end, do you remember? Stay there, I'll go ahead. I don't remember specifically. You were basically saying that a VPN was like as fundamental to like as a travel. Yes. At this point, it's like your charger. Yeah, I would say that a VPN, at least for your mobile device, your smartphone, or in most cases for a laptop as well, is really as vital and as fundamental as your passport or a visa when you're doing international travel. Because as prevalent as, say in Josh's example, someone sitting in a cafe scanning your phone or your computer is in the United States, it may be more depending on where you're going. So it's very fundamental and it's not really, you're really not doing yourself any favor if you're not signing up for VPN. Most VPNs are pretty cheap, $10 to $20 per month. And you can select where your computer or your smartphone connects to and they're specifically designed to be very easy to use. So you're really, it's almost a required item at this point for all digital devices when you go out of the country. Definitely. Awesome, thanks Ben. Sorry I put you on the spot there, but thank you, that was perfect, it was awesome. All right, virtual private networks. We're gonna walk quickly through how they work. The cornerstone is that it allows you to browse the internet privately. You're securing your data, you're hiding your device, so to speak, from the network you're on. And there's a few different ways to explain it. One is that whatever network you're using, if it's let's say, I always like to use the Starbucks, you're just using the Starbucks down the street. If you connect to Starbucks Wi-Fi because it's nice and fast and convenient and doesn't cost you anything, and then boot up your VPN, you've created your nice own little private network, and that's actually where the term comes from, right? It's not actually a private network, you're actually on the Starbucks network, but you've created a virtual private network for yourself, and that's literally what VPN means. And so virtually, you're on your own network that you're using, and that's really, really handy for security. Quick note, actual bears are really involved in VPN, that's what I'm gonna make that. It's very clear in case I'm confused. Sometimes people say clouds are actually part of cloud computing, so bears are actually part of VPN. Using a VPN, and the next few slides, I'm gonna just show quickly how you would do this, I'm not gonna do a live screen share, I'm just gonna, but I will give you some screenshots. I'm gonna show a product called Hyde VPN, and for only one reason, and I wanna be really clear, it has nothing to do with reputation, I do not endorse Hyde VPN, in fact, Ben and I will give you some VPNs that we do like. Hyde isn't necessarily one of them, I don't dislike it, it's not one I particularly recommend, but they use Ninja in their branding, so really what choice did I have given that we're doing this security Ninja series. You can trial any of these, they're pretty easy, and the way it works is, once you have your VPN service connected, you sign up for it the same way you would sign up for anything else. You give it an email address, which functions as your username, you give it a password, a lot of the services will create a username and a password for the VPN that is different from your email address for privacy reasons, which makes a lot of sense, and if privacy is important, which for most of you it is, that's probably an important service, so it's a little bit, I put in my username here, because that's what people would see, but in most cases it'll be a gobbledygook username, and then a password, hopefully, it's equally gobbledygook, and that'll be your username and password, and then you log in and you connect, and once you're connected, you'll have some options as to, or once you're logged in, sorry, to your VPN service, then you would wanna connect to the actual VPN, you have some two different options about what country you wanna use, we'll get into that in a little bit. There's what's called an application killer, or a network killer, where if the VPN becomes disconnected, it stops your network traffic. That can be important if you're using the VPN because you're doing sensitive transactions. You don't want if the VPN service goes down, now suddenly that transaction is going over that public Starbucks network. This often goes by the term kill switch, meaning if the VPN connection drops, if you lose that connection, the VPN application will go ahead and kill your network, kill switch, until it reconnects again, which can be very helpful. And I'm sorry, once you're connected, I've missed the screenshot here, then you'll see usually in your system tray or in your toolbar, you'll have a little clock that just shows the time that you're connected, and that serves as a confirmation that you are connected to the VPN. As long as that clock is running, it'll show you how long you've been connected for, and as long as that continues to run, you are connected to that VPN, and that's easy to traffic. Couple of things, there are two broad types of virtual private networks that you might be able to take advantage of. If you have an option for the first one, a corporate, if that's provided to you by your organization, I would strongly recommend you take that choice with one caveat, and I'll get to that in a moment. But it would be provided by your company, it would still have a client-side application that you would run, so you would first connect to the public Starbucks Wi-Fi network, and then immediately boot up your office's VPN client, it would connect to the VPN service, and then you can begin browsing in that way. They will typically have a per-seat license fee, it's usually connected to the firewall that your vendor, that your company uses, so if it's a Fortinet or a Sonic wall or something like that, those VPN clients usually are sold through that firewall or through that vendor. They will usually work for all platforms, you can use it on a Mac, you can use it on a PC, you can use it on iOS, which is iPhone, you can use it on Android devices, and the privacy, and this is the one caveat, if you use your company's VPN, then of course you're subject to whatever your company's privacy policies are, so your company may still be able to monitor, well not may, they definitely have the ability to monitor whatever you're doing over that VPN connection, whether or not they're doing that, of course it depends on what systems they have in place, but they certainly have the ability to monitor your communications and your activities while you're connected on that VPN, just the same way as if you were in their office, you have virtually routed your computer's network connections through your corporate office, so it's like your computer is sitting in the office connected to a physical LAN cable or the wireless network in the office. The private VPN services hide VPN is one of those, and in the resources section I have a bunch of others, what's it been, I know you might have to unmute for a second, what was the one that you, you said you were using one you liked quite a bit? I use a product called NordVPN, like Nord, is it like Norwegian, NordVPN is the name of the product. Yep, and ViperVPN, it's another one I have in there, and we'll have links for all of these for you, so if they don't worry about that. This is something that you would just purchase yourself or you would have your company purchase for you. It will protect your individual privacy, so your account is yours and yours alone. Heads up, if you go start looking at any of these websites, they will seem a little shady, and here's what I mean by that. A lot of the client base for VPN has historically been people who are doing things that are not super legal, so examples of things that aren't super bad but are still illegal are, you know, trying to have eight different people share one Netflix account. A VPN can be very helpful for that because you can pretend to be on lots of different networks, even if you all live in the same apartment. Another example of a VPN is maybe I want to stream live sports and I live in the United States and I can't do that unless I'm a subscriber to a particular cable provider so I can stake like I'm in another country and now I'm allowed to watch this live stream because I'm not in the US. That's something a VPN can do for you. Another thing it can do for you is if I want to illegally download through torrent sites different kinds of movies and television shows then a VPN service can hide my IP address from authorities. These are all things on the shady side and the VPN services market those very clearly. So when you go to these, you might feel a little bit dirty playing the order but I want to encourage everybody that there are plenty of legitimate legal reasons Ben walked through a few to be using VPN services and I want to encourage everyone not to be put off by those things. VPN services are an absolutely reasonable thing to be using. Cost wise, it'll typically cost $50 to $100 a year IP vanished by for VPN nor VPN if you don't have them there. Express VPN is another one. Those are some of the most popular services. I'm going to just take a minute because we do have a lot of questions in here. Okay, I'm just going to try to get through a couple in here. The prices you're quoting user per monthly. The price is very quite a bit but I would say on average you could say at the high end of VPNs can be $10 per month per person. That's about as high, at about as expensive as any VPN service I've seen and then things can go down from there. Another question in using Google apps has greatly decreased my org's use of VPNs because so much of Google apps or business is encrypted in there and that's great except I would say that there's still a lot of things that people are doing outside of Google apps and also the encryption within Google apps protects you from things that are not Google but Google of course can still be quite aware of all the things you're doing and some people may not be super delighted about that so that's another reason to want to. And again, there's differences. We haven't done the privacy versus security version of this but there are two different things to kind of worry about and privacy is very, very different from a threat model perspective than security. And then a great question here from Roberta is a personal hotspot on iPhone as secure as a MiFi device or something like that. So MiFi devices or tethering to your phone those are equivalent in terms of security. The big difference is the other people that are on the network with you so if I can explain this as succinctly as I can if I'm using my MiFi device and I'm the only one who's using that device at the moment then the only other people that are on that same network with me are me, I'm the only one. If Ben and I, you know, if Ben and I are working the same place and I pull up my MiFi device and I give them the password now the only person I need to worry about you know, cracking myself is Ben. And on the MiFi device you can actually see how many people are connected so it's very, very secure in that regard because if someone, you know, if you thought you were the only person there and you look on your MiFi and it says there's two people connected you're like, huh, who's this other person? Probably it's your phone and your computer so they're both you but you know, you still could easily be aware of that. And the same thing when you're tethering from your phone, that's secure. When I join a Starbucks I have no idea how many people are connected to that network, I can reasonably assume that all the people I see in the Starbucks that have glass tops open are on that network but there also could be lots of people I can't see who are in apartment buildings or offices that are close enough to access that wireless network and I have no idea who's on that network and that's the fundamental difference between using your personal wireless device versus using a public Wi-Fi. I hope that answers that question. Okay, onwards. Oh, bumping up against time pressure. All right, so next poll. Does your organization use a mobile device management platform? Again, I'm expecting not to be a lot of folks. Oh, first answer and someone is using a mobile device management platform and if you happen to know which mobile device management platform your organization is using, I would love it if you would type that into the chat. I'm very curious to know which ones people are using out there. And we've got one saying the MDM G Suite which makes a ton of sense since that's free and there's another one, MDM G Suite so that makes less sense. Those of you who are using G Suite for non-profits that does have a mobile device management function built in same thing with Office 365 although they're more robust one which is called Intune it's something you have to pay for separately. Then let's go ahead and close that up. And this is why I love these polls. I'm surprised that as many people as are using MDM that's great. That makes me very happy. Still vast majority either don't know or are not using MDM. Let's go ahead and close that up then. And let's talk a little bit about what, oh it's a little break, a little comic break. This is a worth actually a friend of mine made up and I just want to share with everybody this is like an addition to vocabulary. While we're talking about mobile security of course the thing that everybody worries about the most is dropping your phone and having your screen cracked and then being one of those sad people that we all see who have the crack phone that they're still using and hasn't gotten the screen picked. I always just my heart breaks a little bit every time I see someone who's working on the crack phone. We all of course drop our phone a few times a month or more frequently because some of us. And there's that moment after you drop the phone where you're not sure if the screen is cracked or not. And so my friend came up with this word, she's a linguist and she came up with this word vergan crack, vergan crack, which is that feeling of apprehension. It's that and it describes that moment between when you drop the phone and it's laying face down on the sidewalk and you don't know if it's cracked or not and then that apprehension where you pick it up and find out whether it's broken or not. But I just wanted to share that word as a little comic interlude before we get into the nitty gritty of mobile device management. That's a word you can all go ahead. I'm sure everybody will be saying vergan crack a lot now but in my family we actually say it. I like how to big vergan crack today. All right, mobile device management. What does mobile device management do? Well it secures, monitors and manages mobile devices. That certainly makes a lot of sense. But if we get into the nitty gritty, apologies for the billions of words on this slide. This is just a screenshot of Microsoft's Intune and just one section of the settings that they allow you to apply to iOS devices or iPhone. And this is an example of the kinds of things if you're using an MDM. So how does this work? If I'm an Office 365 customer, if my organization's using Office 365 and I pay for Intune, then when people add our Office 365 to their phone, I now get the ability to do all of these things. I can require them to have a password so that 9% of you that don't have a password on your mobile device, you'll now be required to have one. I can even require a type of password, an numeric only or alphanumeric. I can require the complexity, length. I can decide when it expires, I can allow fingerprint unlock or I can disable fingerprint unlock. I can set the minutes of activity before the screen turns off, before it asks for a lock. So there's some of the basic things that I can now deploy as a policy to anyone who wants to access our information from their personal mobile device. More advanced, again, this is maybe one-tenth of all the settings that are available through Intune for iOS devices. I can restrict the apps. I can do this either I can list, I can blacklist certain apps and say these apps are not allowed, so I can say you're not allowed to install Signal, no encrypted messaging if I decide about something I want to do. Or I can do it the other way around, which is a lot easier from an administrator perspective, which is to only allow listed apps. So people actually have to submit an app from the app store to be whitelisted, I'll whitelisted, and then you can allow it to be installed in your device. I can even control Siri and decide whether or not they're allowed to use Siri. And this is, at its most basic level, this is the idea of what mobile device management is doing. It's giving you some level of control over people's devices if they're going to access your organization's email documents, applications from those mobile devices. They then, before they can put, you know, their Office 365 email on their iPhone or Android, they have to agree to this mobile device management and then that gets enforced on their devices. It also will almost always give me the ability to remote wipe the device if the device is stolen, to lock the device remotely, to change the password for the device if I need to. So there's a lot of implications here again around privacy, but from a security perspective, it's obviously very, very helpful. The most common mobile device managers, Microsoft Intune, which pairs with Office 365, G Suite Mobile Management, which is free with G Suite for nonprofits, and VMware AirWatch is the most popular and highly regarded paid version, and I believe that these run about three to $5 per user, and each user gets up to three devices that can be managed as part of that. This is not massively expensive stuff, and a lot of them will also include things like malware detection and heuristics to let you know if the device is sort of doing things that indicate that it's been compromised and other alerts like that. And just as a FYI, I'm not just not going to out who the person is, but we have this enabled for round table and we get alerts and someone at round table who was experimenting with one of their phones, actually two phones enrolled in our service, they rooted their Android phone, meaning they changed, and this by the way is not something I recommend, especially if you want to keep your phone secure, but they essentially replaced the factory operating system on it with a different build, and so I got a bunch of alerts saying this phone is doing some pretty strange things, and we're gonna look into that, and that's another example of something MDM can do. All right, we said our 230, I apologize that I'm going to go a little bit over, but this has, I've been getting this question a lot over the last couple of months, and I wanted to talk about it. So advice on crossing international borders, and the question that I specifically have been getting probably a couple of times a week for the last couple of months is someone says I am going out of the country and I'm nervous about when I come back in, what should I do? Should I wipe all my devices? Should I not bring my devices? Should I, if someone told me I should run them out of batteries so that when I come across there's no battery on it, someone else told me I should bring a burner phone, and I'd be very reluctant to sort of give clear advice other than it's kind of a personal choice about what you want to do, but as long as you're not doing anything illegal and don't have major concerns about privacy, I would say just go, come back across the border if they ask you to take a look at your phone and decide whether you want to sit in detention for a long time, or whether you just want to let them look at your phone and be on your way. Basically, it's complicated, and I would really, in the links, I have a link to an article that says, please, everybody stop giving bad or made up advice around this sort of thing, and I'm going to adhere to that as well, and just give some links. The Electronic Frontier Foundation, who I highly respect, they have a very new primer that they have made on exactly this issue and how to sort of protect yourselves and the implications of doing different kinds of things, and there's another great article there that walks into what legally the border patrol can and cannot do, and if anyone has concerns around this, I certainly want to give you as much good information as I can, and I'm more than happy to talk to you and help you walk through the various issues, but I would suggest those two things, both of which are in the resources as the places I would start. They are the smartest, most reasonable things I have seen on this topic. And with that, we get into our wrap up. Oh my gosh, lots of questions here, okay. Key success factors, as always. Use two factor authentication wherever possible. It's nothing new. You're gonna hear me say that about a billion times. Encrypt your devices. Keep your devices up to date. Password protect your devices. Enable location services. If you want to be able to track your losses, again, privacy versus security. From a security standpoint, I'd love to have location services enabled, so if someone grabs my device or if I lose it, I can know where it is. From a privacy perspective, I may not want to have location services enabled all the time. This is a trade-off. So I've talked before about how there's trade-offs between convenience and security. Well, now there's trade-offs between privacy and security, which is really fascinating. There's a really interesting thing I found in my research called Pre-Project, P-R-E-Y Project that is an open source project that allows pretty cool. I wasn't able to get a lot of independently verified sort of reviews of the service, although generally it seems to be well regarded. But not only does it let you track your phone after it's taken, but it lets you do stuff like start taking photos, start recording, start using the phone obviously as a forensic tool to immediately be capturing information about wherever the phone was left. So you've turned your phone into a nifty little remote spy device. So you can just leave it at a friend's house and then act like it was stolen from Pre-Project and start recording everything that's going on there, which is kind of horrifying, but also cool if it was stolen. So people are welcome to take a look at that. When you can use your data plan for your mobile device over public Wi-Fi or if you need to use public Wi-Fi, use VPN. Don't just use public Wi-Fi without a VPN and consider mobile device management solutions, especially if you're a larger organization. Last poll, what are your biggest challenges around mobile devices, remote and travel? But then if we can throw that up, we got bring your own device policies, bring your own device management. This is one where you can select as many of these as you like, lost theft and or damage, being secure while traveling, while working remotely, crossing borders, what are people worried about? So a lot of lost theft or damage, people are going in. We'll let people continue to vote for a little bit and then we'll open up for Q and A. I'm looking at the questions and there's a lot of them in here unless a lot of them are comments. So we might be here for a little bit. I'm fine until about 10 minutes to three, so I'll hang out. Ben, you can go ahead and close that up. Being secure while traveling seems to be the biggest followed by lost theft and or damage theft. Pre-Project might be something folks definitely want to look at. And I would say again, having passwords on your phone, on your mobile devices and having them be encrypted, which on smartphones is essentially the same thing. Huge thing to do about protecting that information while being lost, all right? Oops. Here are the resources that I talked about to that EFF, digital privacy at the US border, protecting data on your devices and in the cloud. What customs and border officials can and can't do that article and then the article that I read that if those of you take a look at that, you'll see I basically took that little meme of we could stop making up advice, that'd be great. I just borrowed it straight from that article. I like that article a lot. I'm still waiting for the follow up where he said he was gonna give actual advice. The mobile device managers and then of course theft protection. Two weeks, we'll be doing Don't Feed the Fish. April 4th, 2 p.m. I look forward to seeing folks there. We'll also be talking about ransomware on that and social engineering, which is one of my favorite topics. And with that, Q&A. Ben, thank you so much for your help today and everybody thanks for a great question. And I actually, as Josh mentioned earlier, I've done the border crossing in the last week. So I may have a unique perspective if there are questions about that specifically. So if you have a question about that, I'm happy to answer. But basically my general experience is it has way more to do with the time of day, the apathy of the border crossing official and then obviously what country you're actually a citizen of. The best advice I got the day before I left was if you're a United States citizen and you're not going overseas to do anything illegal, then you have nothing to worry about. So just be aware. Don't try not to act suspicious because if you haven't done anything wrong, you really have nothing to worry about. If you do get selected for extra screening, listen to their commands, comply with any of their requests. And if they do ask to see your phone, that's fine. Just use the password manager that we talked about a few sections ago and maybe update your passwords or change them if you're concerned about access. So it's all pretty common sense stuff, but the other thing that I tried to do as well is in the week leading up to my travel, I actually did a little bit of research and actually read that article that Josh gave links to. So just making sure that you're informed and aware and not doing anything illegal. And obviously if you are going overseas to do something illegal, then you've already made that decision. So we're not here to help you with that. Right, right, right. And obviously, since we have a lot of folks who are nonprofits and maybe doing things to advocacy and lobbying and things that may be contrary to government agencies or policies, then just be aware of that and contact your counsel or your in-house lawyers to figure out your best path forward. But again, like I said, if you're just traveling for vacation or just general international travel, if you're a United States citizen and you're not doing anything legal, you generally don't have anything to worry about. So that's my unique perspective. There we go. Totally uncontroversial perspective. Yeah, yeah. We're watching a lot of West Wing. It's a lot about pandering and, you know. Exactly. All right, so if we get to some quick questions, I accidentally deleted a question and I actually don't know how to restore a deleted question and I didn't see what it was, so I apologize if someone doesn't get the question answered before we wrap up. I'll hang out just for an extra minute. One question was if you have a, or this is a comment from someone about, you know, border stuff being complicated. If you have a relationship with a cyber security vendor, you can certainly talk with them. Advice can be country specific and that's absolutely true. Depending on where you're going and the nature of the work you're doing, advice may vary around different things you're doing. Other places you can look, Electronic Frontier Foundation is great about this. Another place to look, if you're doing international travel and doing human rights work or things where your security profile is, you know, a particular threat model, accessmal.org is another really great organization and source of information on things of this nature. All right. Other questions, does NordVPN or other private VPN services require a firewall vendor such as Fortinet, Cisco, et cetera? No, and it's typically an either or. So if your organization is using a Sonic wall or a Fortinet or a Cisco firewall, then those firewalls come with VPN clients that will allow you from your remote device, your phone, your computer, connects to your organization's firewall and then be browsing through your organization's internet connection behind that firewall. And it's, again, imagine it if I'm sitting in my office behind my office's firewall, right, I'm protected by that firewall, seeing that firewall is correctly configured. If I'm at home and my home network, if I'm at home and I boot up a VPN that connects to my office network, I've now, in a virtual sense, picked up my computer and put it inside my organization's office, inside that firewall in a virtual sense. That's literally where virtual networking comes from. If your organization doesn't provide that to you, then those private VPN services are what you're paying for. Another question is would you need to use a virtual private network in addition to mobile device management? Some mobile device managers include a VPN as part of their services. Some of them don't, it depends on the service. So you would have to know whether or not the mobile device management service you're using includes a VPN as part of it. If it does, then certainly use that VPN instead of paying for a separate one. If it doesn't, then you would still need a VPN there if they're kind of separate things in that regard. All right, and let's see. I think that pretty much covers it. If anyone feels like they're questioned, then we'll cover it. Destiny has a question here about the new laptop tablet then. Destiny, do you, I don't know if I can unmute you. Just share that question because I'm confused about it and I'm not familiar with the news article to which you are referring. Ben, did that question make sense to you what Destiny's asking? The only thing I could think is it's related to the current travel ban, but as far as I'm aware, that's on hold, that's enjoined. So that's not actually applicable, but I'm not sure. Destiny, I think I've unmuted you. Can you clarify that question if you're still around? Yeah, it may not have been implemented yet, but it was concerning a specific ban, not from countries the way the travel ban was, but from certain countries of origin allowing the bringing tablets, laptops, and other things directly on the plane that they can only be in checked luggage. So if there's any concerns, and that's not necessarily based on your nationality or citizenship, but really from your airport or country of origin. So it could apply, from my understanding, to U.S. citizens. And that of course, putting any of your mobile devices or other devices in checked luggage is always a concern even without other things in play. So it's I think something to be in mind when traveling now. You're saying there's new legislation that's basically saying if I was let's say flying in from Syria, that maybe my iPad, I'm not allowed to have it with me on the plane, I actually am required to put it in my check bag if I'm flying to the United States from Syria. And so your question then is, if I'm putting it in my check bag and I'm worried about customs agents or if I'm looking at it not in my presence, that's the law and that's something you'll clearly have to do. What's the question underlying that? I think the concern around that is if there's now the addition of devices being accessed without your presence, so you're not sure what's being done if there's any kind of. Okay. In many ways, I totally understand the question now and the upshot of that is that that's easier. If I have my password encrypted, if I have my device encrypted with a strong password, then they can have it for as long as they want. In theory, they shouldn't really be able to get, it would be much faster for them to just throw me in a detention center and say give us your password and then we'll let you go home. And that's what's generally been happening if they want access to the devices. I have not heard of anything that's suggesting that border agents or folks have the ability to with physical access to the device that was turned off and encrypted and protected with a strong password. There's nothing that I've heard that suggests that they're able to, with physical access to the device, get information off of it. But that is a great question. But yeah, but all those other, if your device is of course no password, then yeah, that's a huge concern but hopefully you're not traveling internationally with a multiple device with no password. Yeah. If you've been sending these workshops. Right, right. And obviously, anybody who's doing that international travel to just keep an eye on the State Department website because if things do change, if there's an updated law or regulation or something like that, they're gonna post that in big block letters on the top of the page because they don't wanna deal with massive numbers of people not knowing about that law any more than you wanna deal with not knowing about that law and having to deal with it. So like I was saying before, just use the few days and lead up to your travel if you have them. And if you have that much advanced notice to just educate yourself a little bit more about what you could see and what changes may occur. But in most cases, just keeping an eye on the State Department website or EFF, like Josh mentioned before, we'll have updates and guidance on that stuff leading up to travel. So. Or ask us. By all means, email me. Yeah, or ask us guys. I know I have 10 of these webinars. By all means, email me directly and ask me questions too. You are my friend. That covers all the questions we have. Again, I deleted someone's question. I don't even remember who it was. I apologize if you're still here and your question has not been answered. You have, I will give you another 30 seconds to retype it into the questions. So I'll be keeping a close eye on that. Otherwise, we are done. Thank you all. I'll see everybody back here in two weeks for don't feed the fish, fishing, social engineering, and ransomware, which is a very hot topic. And thank you all so much. Thank you, Ben. Thank you, Destiny. And thank you all for your questions. Bye-bye, everybody. Thanks, guys.