Cybersecurity Awareness Month - Secure Our World
Senior Manager, Technology Risk and Assurance, Dave Iverson joins the podcast to discuss cybersecurity awareness, including:
- Social Engineering
- Secure Password
- Public Wi-Fi Perils
- Avoiding Updates
- AI Emerges
Follow the podcast on LinkedIn: The Advantaged Investor
Please subscribe, rate and review. Reach out at advantagedinvestorpod@raymondjames.ca
Transcript
Chris: Hello, and welcome to The Advantaged Investor, a Raymond James Limited podcast, a podcast that provides perspective for Canadian investors who want to remain knowledgeable, informed, and focused on long term success. We are recording this on October 11th, 2023. I'm Chris Cooksey from the Raymond James corporate communications and marketing department. Today, Senior Manager, Technology Risk and Assurance, Dave Iverson returns to the podcast. October is Cybersecurity Awareness Month, and Dave and I will be discussing ways to secure your digital world. Dave, welcome back to the podcast. I hope you're doing well. I'm sorry I didn't get you a card for Cybersecurity Month, but I wish you well.
Dave: Chris, I appreciate that.
I was hoping more for like a Vestro Blazer like they give out on Saturday Night Live for returning hosts. Fair, fair. That's it.
Chris: Yeah, that's above my pay grade, but maybe next time we'll, we'll go in there but obviously we got a lot to get into. So we'll jump right in. And I guess every year they come up with a theme and this year it's secure our world.
And of course, the goal is to remind people that the internet is a global village and security and vulnerabilities and exploits can have, you know, very real consequences to us as individuals and much beyond our own borders as well. We at Raymond James, you know, we, we, we believe in the importance of this and emphasize the importance of taking proactive steps to conducting good cybersecurity, both obviously with us at work and with everyone at home.
So split into five weeks, maybe we'll just cover some of these topics and the first one being social engineers. So maybe just go over that and what that entails.
Dave: Sure. So social engineering, in its simplest terms, is when, I'll call them cyber criminals or criminals, trick you into giving out information you would not normally give out.
And they do that by playing on your weaknesses, right? They engineer the answer out of you, so to speak, hence the term social engineering. Okay.
Chris: What can we do to make sure we're not falling prey to this sort of scam?
Dave: I think the best thing to do is have a skeptical mindset. So if you receive an email or you receive a text message that you weren't expecting, question why you're receiving that email or text message, particularly if the email is coming in saying, hey, click on this link to receive the latest offers from Amazon, or click on this link to receive the latest offer from a big retailer that you've shopped at recently. The old adage of, if something sounds too good to be true, it probably is, applies in many cases. I think if you keep that mindset going into many of the interactions you have, you'll be better off ahead.
Chris: Make sure it passes the old smell test, so to speak.
Dave: Exactly. And if you do think it sounds really good, you're like, gosh, I really would like to be able to shop at this, whatever vendor it is that sent you the text message.
I really hope this is true. Don't click on the link. Actually go to the website yourself, you know, type in the URL, or better yet, I think the old fashioned method of picking up the phone and calling the retailer to say, "Hey, I received this notification from you. Is it actually valid?" is a safe way to go.
Chris: Okay. Now one that we've heard about for years, but is obviously still a very important thing, the security of your password. I've been recently told QWERTY across the top is, is not a secure password or ABC123. Apparently these are easy to guess, but maybe just touch on the importance of a secure password.
Dave: Sure, and one of the things we're trying to get away from is actually referring to them as passwords. I'm trying to encourage people to think of passphrases because a password, you know, you think is something short and sweet, might be the name of your pet, might be the model of car you drive, it could be something that means something to you.
Whereas if you go to a passphrase, something such as, my favorite holiday was a vacation to Vancouver, it makes it a lot easier, harder for cyber criminals to guess. As well, you want to avoid using the same password over and over again. And the reason we make this recommendation is because, say, for example, again, I'll use Amazon just because it's one everybody's familiar with, but I don't mean to imply that their security practices are worse than anybody else.
But I just want to say, you know, for example, say, you use the same password at Amazon as you do on Twitter, or I believe it's now called X, as you do on Facebook. We'll see. Twitter experiences a security breach, so the password you use at those three different websites is now out there, and if a malicious user gets access to that password, they now have access to all of those accounts.
So, if you're using a unique password at each of those three websites, Twitter gets popped, passwords are released, at least you know that your access at the other two websites is secure because you're using a unique password.
Chris: And if you get that notification around "we've had an issue, please change your password," you only have to change it the one time rather than the 47 times you used it across the internets.
Dave: Exactly. And good luck remembering all the different websites you have used where you use that password. We do also recommend a couple of things. One, wherever possible, enable two factor authentication.
So quite often this will involve when you log into a website, they'll send a text message to your phone asking you to type in usually a series of six numbers, but it could be a combination of numbers and letters. So what we mean by two factor authentication or multi factor authentication is there are three forms of authenticating yourself on a [00:05:00] website. One is what you know, so I know my password. One is what I am.
So it could be like an iris scan or my fingerprint. And the other method is something that I have with me. In this case, it would be my phone. Obviously, if I'm logging into Amazon online, they can't scan my iris. So the second best way of doing that is by sending a text message to my phone. So again, the way this helps is that say for some reason somebody does get my password they're unable to log into Amazon because they don't have my phone with me.
So Amazon will send me a text message and I'll be like, whoa, why is my phone asking me for a text message on Amazon? I'm not trying to log in. And that'll alert me that somebody has gained access to my account. And then I'll want to log into Amazon and change my password. So that's a good way of doing it.
And to your point you know, it is difficult to sometimes remember all these different passwords on our 47 different websites. So I do recommend using a password manager. These, these pieces of software or browser plugins are great, because what you do is you enter your password once into the password manager, and then when you go to that particular [00:06:00] website, the password manager pops up and says, you're back to website ABC.
Your password that you used here was And then I'll automatically populate that for you. So really, you only need to remember one password, and that's the master password to your password vault.
Chris: Okay. Now, anyone with children above a certain age knows the first question they ask when you get to a restaurant is, what's the Wi Fi password?
So maybe let's just touch on some of these public Wi Fi,
Dave: The potential danger in those public Wi Fi is very dangerous, and the reason it's dangerous is because malicious users can set up either a fake Wi Fi spot. So again, I'll pick on Starbucks here just because it's an example that many people are familiar with, but I don't mean to say that why Starbucks is any more insecure than say your McDonald's or your Tim Hortons or any other organization that offers free public Wi Fi.
But if I go to Starbucks and I sit down with my computer or even my cell phone and I want to use the Wi Fi, I bring it up. There might be something there called Starbucks, which could be legitimate, legitimate Wi Fi for Starbucks. And there could be something called Starbucks free Wi Fi, which could be a fake hotspot set up by somebody who is a malicious user.
And what they're going to do is they're going to track all of my content, anything that I send to that Starbucks free Wi Fi hotspot. They'll see all the traffic that goes through. So, if I decide to log into my banking, if I decide to log into Amazon, they're going to intercept all that information and they'll get my password.
They'll get my information. And so, obviously, this is very bad. So, public Wi Fi spots are very dangerous, which is why I try to discourage people from doing any serious Internet surfing on a public Wi Fi. Don't, you know, type in your credit card, don't type in anything that's sensitive.
By all means, it's fine for, say, surfing on Instagram, you know, on your telephone, anything like that. But I just strongly discourage people from doing anything on a public Wi Fi network.
Chris: Alrighty, now we all know someone who you see their phone and you see they are 900 updates behind. Obviously it's very important to, to, to update your, your software as needed or your operating system as needed.
So maybe just touch quickly on why it's bad to avoid the updates.
Dave: Well, I wouldn't say it's necessarily bad to avoid the updates. You just want to make sure you're updating from a legitimate website. So Microsoft is very good about pushing out patches. They call it Patch Tuesday. It's usually, I think it's the first Tuesday or second Tuesday, don't quote me on that, of every month where they patch all of their systems, all of their devices.
Apple's another very good manufacturer that pushes out software updates fairly regularly. For example, I know they just pushed out a new operating system for the iPhone. It might be iOS 17 or 16. I can't remember which. 17. Yeah. And they've already patched out. I think it's already up to 17.0.3.
So again, I'm downloading updates directly from Microsoft or directly from Apple. I know they're legitimate, I don't really have any concerns. Where you might sometimes be concerned about updates could be around third party or fourth party plugins. So, if I have a plugin on my Google browser or my Firefox browser, say that plugin is doing something to help me block ads or is doing something to track Amazon sales, let me know when the time is right to do a purchase.
I'm not entirely sure what's happening in the background with those updates. So again, if I do have automatic updates turned on, it's possible that there'll be a pushed out update from a vendor for one of those applications, and it might not be a legitimate update. So in that case, what I usually recommend doing is going to the actual, you know, say, Google Play Store or going to the Firefox application store and seeing, hey, are there any updates for this particular application that's a plugin to my browser, downloading that straight from the Firefox store as opposed or the Google store, as opposed to depending on, say, app updates taking place in the background that I'm not entirely familiar with.
Chris: All right, that makes sense. And let's just finish off here.
A big one. With ChatGPT, I think Tom Hanks has recently come out and [00:10:00] said, don't believe the video you see me in. It's not me. There's been a few things. So let's just talk about AI. We've heard about the grandparent scam where they have the voice of someone making it seem legitimate. So maybe, well, not touch base.
This is a big one. So talk about AI and its dangers here.
Dave: So AI, we're just at the forefront of what's happening in AI right now and it's really gaining momentum. We're seeing kind of an, I'm going to call it an arms race, if you will, between many of the big players, the Googles, the Microsoft, the Facebook.
They're putting a lot of money into developing AI technology as they see this as the wave of the future, but there's also a concern with that. So much of the knowledge base that's being used to build these AI services is actually built on copyrighted material. So we're seeing right now a lot of those people whose content was used to build the AI engines, such as authors, such as graphic artists such as, you know even vocal artists.
They're now asserting their copyright on that information. So A, there's a question of do you own the information that is coming out of the AI system when you ask [00:11:00] it a question? And B, you're also asking yourself, is that information even accurate? So we're finding that some of the information that is coming out of those systems is not accurate.
So you can't use it in, say, like a university paper or anything like that, as well as concerns from a security perspective, because right now people who are trying to lure you into clicking on links or are doing the, it used to be called the Nigerian prince scam, right? I help them and Nigerian prince.
I'm worth millions of dollars. But I need a down payment of X before I can access my millions, please send that to me. Quite often those email scams were easy to detect because the spelling was poor, the grammar was poor, capitalization was incorrect. There's a concern in the security community that as the AI gets better and better, we're not going to be able to detect those poorly constructed emails anymore.
And it's going to be hard to determine what is a legit request, say from your grandson or from your granddaughter versus the ones that are fake. I always recommend verify the source. So [00:12:00] just like we talked about with social engineering, this applies to as well. Keep that skeptical hat on. If you do get a phone call, or you get something in the mail that looks legitimate.
You know, there was a common one a little while ago that you're, you know, your grandson, your granddaughter was in trouble with the police. They needed 5000 dollars, you know, to be released immediately. Like. No police in that I'm worried anyways, but like pressure you to all of a sudden turn over that money within the next 24 hours or else they're going to be deported or whatever the case might be, or and they would never ask for that information in gift cards.
So, again, have that skeptical mindset. If you do think something smells wrong, hang up the phone, then dial your son, dial your daughter, dial your grandchild, you know, talk to them in person to find out what exactly is going on.
Chris: Someone actually mentioned to me they have like a family word they use, like a safe word that they've they've decided that if anything's under control or seems a little off, then they can ask this weird word that they've come up with.
I mean, it's a real word. Obviously, they didn't tell me what it is [00:13:00] because they're security people. But the you know, they have a word to sort of say yes or no, and it's not a word obviously someone would guess. So I guess that's another option.
Dave: That's a very good option to have as well. And you know, I've heard of other people doing that too.
So I think it's a good idea.
Chris: Awesome. Well, Dave, thank you for sharing this great information. I always want to make sure we're, we're, we're browsing and doing things online as safely and securely as possible. And I hope you'll join us again. I will.
Dave: Thanks for the invite. I appreciate being here. Alrighty.
Chris: Reach out to us at advantagedinvestorpod@raymondjames.ca. Subscribe to The Advantaged Investor on Apple, Spotify, or wherever you get your podcasts. Please contact your advisor with any questions you have. On behalf of Raymond James and The Advantaged Investor, thank you for taking the time to listen today.
Until next time, stay well.
This podcast is for informational purposes only. Statistics and factual [00:14:00] data and other information are from sources Raymond James Limited believes to be reliable, but their accuracy cannot be guaranteed. Information is furnished on the basis and understanding that Raymond James Limited is to be under no liability whatsoever in respect thereof.
It is provided as a general source of information and should not be construed as an offer or solicitation for the sale or purchase of any product and should not be considered tax advice. Raymond James Advisors are not tax advisors and we recommend that clients seek independent advice from a professional advisor on tax related matters.
Securities related products and services are offered through Raymond James Limited, member of the Canadian Investor Protection Fund. Insurance products and services are offered through Raymond James Financial Planning Limited, which is not a member of Canadian Investor Protection.