The ALPS In Brief Podcast

ALPS In Brief — Episode 47: Guard Your Data Like Gold and Other Practical Tips from a Hacker

June 24, 2020

We are using personal devices for work (and working from home) more than we ever have before. These are both big risk factors as cybersecurity threats have soared during the pandemic. So, how do we make security sustainable and not live life at the hackers’ mercy? ALPS Risk Manager Mark Bassingthwaighte sits down with Sherri Davidoff, CEO and Founder of LMG Security and the latest addition to the ALPS Board of Directors, to give you some practical advice in guarding your data like the gold it is.

TRANSCRIPT:

Mark:

Let's rock and roll. Hello. Welcome to ALPS in Brief, the podcast that comes to you from the historic Florence building in beautiful downtown Missoula, Montana. I am really excited about our guest today. I have heard her speak and have read a book about her. And let me just share, our guest is Sherri Davidoff, the CEO of LMG Security. And I believe, Sherri, that is short for Lake Missoula Group. Is it not?

Sherri Davidoff:

It's true. We're named after the lake that we're sitting at the bottom of.

Mark:

For those of you, it's worth looking up in Wikipedia or Google or something to get a little bit of history of Lake Missoula. That's a whole nother story. But Sherri is a noted speaker, trainer, white hack, excuse me, white hacker, and author of the recently released book, Data Breaches, Crisis and Opportunity. As a recognized expert in cybersecurity and data breach response, Sherri has been called, and I love this, a security badass by the New York Times. I just think that's fantastic.

Mark:

She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the ABA, the FFIEC, the FDIC, and many more. She's also a faculty member at the Pacific Coast Banking School and an instructor for Black Hat, where she teaches her data breaches course. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace. It's a Prentice Hall publication, out in 2012. And this is a noted security text in the private sector and a college textbook for many cybersecurity courses.

Mark:

Sherri is also a GIAC certified forensic examiner, a penetration tester, and holds her degree in computer science and electrical engineering from MIT. She has also been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called Alien. And so welcome, Sherri. And I can say I love the book.

Sherri Davidoff:

Thank you so much, Mark. It's a pleasure to be here with you.

Mark:

It was a lot of fun. It was a good read.

Sherri Davidoff:

Good.

Mark:

What you and I had been visiting about in terms of just having a conversation today, obviously in light of all that has happened in recent months with COVID-19, global pandemic, and this fallout of a very rapid move into working from home did not overlook lawyers. Many, many had to immediately jump and try to figure out how to make this work. And it seems some were pretty successful at that. Others, there were a few struggles, but they got there. But what I really want to focus on is the security side, the security piece of this.

Mark:

I think remote security is exposing not only lawyers, I think businesses of all shapes and sizes, to unexpected or perhaps a broadened way, broadened their risk, their exposure just because we have at times home systems. And I guess initially, would you agree, is the remote work setting a concern for you?

Sherri Davidoff:

Well, absolutely. There's an expanded attack surface now that so many people are working remotely. And I'd say that's for two reasons. Number one, because many people have moved to the cloud, or have started logging into work remotely, and therefore poked holes in their firewalls and things like that in order to facilitate it. And everybody did what we needed to do keep going and to keep business up and running. And that's fine. I'm here to tell everybody it's all fine.

Sherri Davidoff:

Our goal is progress and not perfection. But now's the time to step back and think, "What do we do?" And start cleaning things up, start thinking about, "How do we sustain this potentially long-term?" Because I think remote work has been here for a while and has definitely ramped up, and is here to stay. And the other reason why the attack surface has expanded is because a lot of people are using personal devices for work more than we ever have before.

Sherri Davidoff:

And so all of a sudden, you have sometimes very sensitive data on your personal device that you also share with your kids, or your friends, and you play games and this and that. And there's a different risk level that we have in our personal lives versus what's appropriate when we're handing this very sensitive information, so we have to balance those issues.

Mark:

Yeah. I like sort of two comments here, briefly. Initially, I like that you're saying lawyers haven't done anything wrong, in other words, by transitioning. It's so tempting to try to scare the bejeezus out of everybody and say, "You're not doing anything," but they did what they needed to do. And now is the time because I think you're absolutely right, this work from home evolution in terms of the rapid rise of it, is here to stay in a lot of ways. And so now it's time to say not, you've done anything wrong, or you're bad, but let's try to fix it.

Sherri Davidoff:

How do we make it sustainable and not get hacked all the time?

Mark:

Yeah, yeah, yeah. And I want to come back to here a little bit down the road, but I do really appreciate the comment of personal devices. And I think that's worth exploring a little bit. Where I'd like to start, if we may, and I don't know if you agree or disagree with this, but even again today, I have come across additional articles talking about an exposure that is I think for so many, flying under the radar. And that is simply the wireless access points, the routers and whatnot that all of us typically have in our homes. And do you feel, is that an overblown risk? Would you have any thoughts about some basic things that staff and lawyers should be thinking about?

Sherri Davidoff:

Well, it depends where you are. I used to live in the middle of Boston, and there were a zillion people around my house all the time. Now I live in the middle of Montana, and wireless security is always important, but less of a concern. So first of all, consider physically where you are and who might have physical access to that wireless network. And absolutely, your network is only as secure as the devices that are on it. And we've seen time and time again that if a computer gets infected, it will try to infect all the devices around it. So if you have a neighbor that starts using your wireless network, and they happen to have a computer that's been infected, that could absolutely cause risk for systems on your network as well.

Mark:

Very good. And thoughts about, are there any just practical steps you think folks might be able to take to minimize that likelihood?

Sherri Davidoff:

Sure. Well, as we were talking about ahead of time, there have been a number of vulnerabilities in common routers and wireless access points. So step number one, make sure that your software is up to date, your firmware is up to date on those devices. And you can do that either, sometimes they have an app that's paired with your smartphone, so you can update it that way. Or you can go into the device itself in the administrative interface and do updates. So every now and then, sit down, have a glass of wine, whatever, update your router. It's fun. It's easy. And change that password. Make sure that the password is not a default, that it's secure, it's not your phone number or your address, because guess what, people know that.

Sherri Davidoff:

And also that the name of your wireless network is something that does not draw attention to you, that it's a little bit under the radar, boring. Make your network look boring.

Mark:

I like that. I like that.

Sherri Davidoff:

Really slow wireless, that's what you should call it. Nobody will want this.

Mark:

I think your idea of maybe having a glass of wine to do this isn't a bad one because there have been times where I've been trying to do some things in terms of ... I take security very, very seriously because I've been telecommuting, and boy, there are times when certain things aren't as easy as they should be. And just instead of throwing the computer, you could have a little sip of, just relax.

Sherri Davidoff:

Yeah. Well, risk is your job at ALPS, so I could imagine it's something you take seriously.

Mark:

That's right. That's right. For a moment, let's just say that I am a lawyer. I'm the owner of a small firm, couple of staff. And we have made this transition out, and everybody's at home for the time being. May or may not be coming back. We'll just see how this all evolves. But as the owner of this small business, what kinds of things really should be on my radar that may not be? What should I think about?

Sherri Davidoff:

Yeah. The number one thing to think about right now is two-factor authentication. And I know that's a big word. I cannot even tell you how important that is because we're living in a world today where all of your passwords have been stolen, just assume that, because if you get a virus on your computer, it's going to steal all your passwords first thing before you even know it. And you're not fooling anybody by keeping it in a Word document with a totally different name. I know that it's there and so do the criminals, and they're just going to grab it.

Sherri Davidoff:

The other thing is if you reuse passwords on different websites, and one of those websites gets hacked, criminals have automated tools that will try your password in a zillion other websites. It's called credential stuffing attacks. And Akamai, which is a big tech company, reported that there were 61 billion credential stuffing attacks just in the past 18 months. So assume somebody's going to steal your password. You're not going to know about it because that company may not even know they have a data breach. Or if they know, maybe they'll report it to you six months to three years later.

Sherri Davidoff:

And in the meantime, you need to protect your accounts. The FBI recently reported that the number of business email compromised cases is going up because of coronavirus. Scammers are using tactics to try to trick people out of their money, so they're breaking into email accounts. They're finding examples of invoices, or payments, or things like that. And they're saying, "Oh, due to coronavirus, that bank account is being audited, and I really need these funds. Please send it to this other place."

Sherri Davidoff:

So you should guard your email account like it is gold because it is. You have valuable information in it. And remember with lawyers, information is your business. Right? If it's valuable to you, or if it's valuable to your client, it is valuable to a criminal. They can leverage it somehow. So protect that email account like it is gold. And your email account can also be used to reset your password on anything else, and the criminals know that, so they're after your email.

Mark:

That's a great point, that really is. Can you take just a moment or two and explain just a bit more about what you mean by two-factor authentication? I'm not sure that everybody in our audience, I think a lot do, but I know that there are more than a few that really don't understand. And I assume we talk about this, you're really saying we want to use this if we can in any and every setting, so email account, bank account.

Sherri Davidoff:

Yes. Cloud, you name it.

Mark:

Cloud, right, right. But can you just share just a little bit more to make sure everybody's with us?

Sherri Davidoff:

Absolutely. This is my favorite question, Mark. Thank you so much. So two-factor authentication is what you need to know. Authentication means how we verify someone's identity. So online you might have your identity verified with a password. Passwords are dead to me now. In the real world, you might verify your identity with your driver's license. Right? Two-factor authentication is when you use more than one method of verifying someone's identity together. And it makes it a lot less likely that your account will be broken into. And you might not know it, but we use two-factor authentication all the time. I don't know if you can think of a place where you use two different methods of verifying yourself.

Mark:

Well, the one that comes immediately to mind to me is just a debit card at the ATM machine.

Sherri Davidoff:

Yes. I'm giving you a prize. I have to rummage through my swag and drop it off at your office. Absolutely, yes. You're the only person I have ever worked with who's gotten it right off the bat. But yes, your debit card. And when ATMs first came out in the '60s, they did not all have a pin number associated with them. You were in England, you'd get your punch card. And if you lost that punch card, some criminal could pick it up and get your money. And it actually took over a decade before all the ATMs in the world had pins. But now, if you had a choice, if your bank said, "Oh, you don't need a pin on that ATM card," how would you feel about it?

Mark:

I would have a problem with that.

Sherri Davidoff:

You'd have a problem with it. And it's going to be that way on the internet pretty soon. People will be like, "Really? You don't have two-factor authentication? That's so dangerous. I can't believe it."

Mark:

Yeah.

Sherri Davidoff:

I can give you some examples of what you can use for two FA if you want.

Mark:

Sure.

Sherri Davidoff:

Okay. So when you're logging into your email for example, some of you are probably familiar with the case where you get a pin on your phone. Right? You log in, it sends a pin to your phone. That's better than nothing, but it's not the best because those are not encrypted. I don't know if you've heard of simjacking attacks, where attackers can take over your phone, or they can get your phone number sent somewhere else, so those are not the best.

Sherri Davidoff:

What's better than that is an app on your phone, like Google Authenticator, which is free, or Microsoft's Authenticator. And it'll show you a code that you type in. Or even better, it'll just pop up a message that says, "Do you want to authenticate, yes or no? Is this acceptable?" And so you type in your password and then you hit yes, or you type in your code, and then you get in. And so the criminal actually needs your phone and your password in order to get in, and that is so much safer than just a password.

Mark:

And I want to follow up. You had talked as we started this discussion a little bit about they're into your email and they're capturing your passwords. One of the things I want to underscore for our listeners is that you don't know they're in your system monitoring and capturing all this stuff. I still run into a lot of people that say, "Well, I've never been hacked because the computer still works." Nobody's going to send you a thank you card for doing something silly and saying, "We've been in. And thank you, we got all this."

Mark:

But you made the comment about passwords. And one of the things that I hear from time to time as I talk about password policies, long passwords, passphrases, complex passwords, those kinds of things, and the pushback you always get. How in the world do I remember all this? And your comment of a Word document is absolutely not the way to do this. But I have talked about password saves. And one of the questions that comes up from time to time is, well, here I am putting all this information into a file. And sometimes these safes, I have one, Iron Key, that's a jump drive. But they're also cloud-based. And what are your thoughts about the security of that? Because I had a lot of pushback of people saying, "How in the world can that be safe if they're hacking in?"

Mark:

I certainly have my thoughts about it. But I'd love to hear from your ... I mean, you do the pen testing. How reliable are these password safes in terms of helping us try to be as secure as we can?

Sherri Davidoff:

Yeah. So you're probably thinking, "Well, why would I want to put all my eggs in one basket?" And then hackers know they're going to attack that basket. Right?

Mark:

Exactly.

Sherri Davidoff:

The reality is that it's more complex than that because first of all, that basket LastPass, Dashly, OnePassword, you name it, they are especially designed to be hardened against attacks. For example, they're resistant to the common attacks. They're constantly researching it. And if they autofill a form for you, they're using different hooks in the operating system that make it harder for the attacker to grab that compared with a regular web browser, for example, so that's the first thing.

Sherri Davidoff:

The second thing is I use password managers not just for their ability to store passwords, but for their ability to generate passwords. And that's perhaps even more important. You need a unique password for every single website, maybe not the really junky ones that you don't have anything important in them. But most people underestimate the importance of an individual account. Ideally, you want a totally different login for each website because you never know which website's going to get hacked. Right?

Sherri Davidoff:

And the human brain is not designed to remember 20 billion passwords. I mean, it's probably all we can do to remember three passwords. And so then you get people picking the password fluffy1984, like their dog and their kid's birthday, which people can totally guess, or spring2018bicycles, and then that changes to summer2018 when you have to change it. The hackers are onto you. They have automated tools that will automatically try different variants on your favorite password that they have already captured. They'll put an exclamation point at the end. They'll put a one, and then a two, and then a three, and then a nine and a 10.

Sherri Davidoff:

And they'll change spring to summer and 2018 to 2019. So those ways that people modify their passwords are not very secure. So use your password manager. Use two-factor authentication on it if it's in the cloud. And if you hear, LastPass, for example, was actually hacked several years ago. And what happens in that case is you want to change at least your master password if [inaudible 00:21:58] passwords.

Sherri Davidoff:

But it is so much better than keeping your passwords in a file on your computer because people get their computers infected so frequently. And that's the first thing that goes out the door. The criminals are automatically stealing your files, and then you won't even know you've been hacked until your money's been missing, or a spam email goes out to all your clients.

Mark:

So what I'm hearing then as the owner, I need to be really concerned about authentication and protecting passwords, strong passwords. Are there other concerns that come to mind as the owner?

Sherri Davidoff:

Ransomware. A lot of attorneys are hit with ransomware. Ransomwares steal your information often before they hold you for ransom. And that's the thing that a lot of attorneys don't think about because I've seen many law firms even put up out of office messages that say, "Hey, we have ransomware. We'll get back to you tomorrow." That's not cool for your clients.

Mark:

No.

Sherri Davidoff:

That means chances are their data was stolen too. And the trend that we are seeing in 2020 is that criminals have started to realize that people have better and better backups. And if you don't pay them the ransom to get your data back, they will threaten to publish it. And in that case, you've got two options. You can either say, "Okay, we'll pay the ransom," in which case, they could come back to you in six months and say, "Pay us again or we'll release it again." You can't trust them.

Sherri Davidoff:

Or you don't pay the ransom, and all your data's published. And what does that mean for your clients and your relationships and your status as an attorney? So you really need to protect yourself with ransomware. And you do that with two-factor authentication, super important.

Mark:

Yes, right.

Sherri Davidoff:

And making sure you have a secure method to connect to your data. So for a lot of people who have just poked holes in their network and they're going through RDP, remote desktop protocol, that's not a secure way to do it. There's other better ways to do it, like using a VPN. Or you can, if you choose to store your data in the cloud, there are some benefits to that, especially if you use two-factor authentication.

Mark:

Let's talk a little bit about this. And for those of you listening, if you're not completely sure, VPN stands for virtual private network. And we're really talking about disguising our location at times, in terms of what servers, when I use my VPN for instance, I am picking servers in Canada and other parts of the United States. I can go all over the world if I wanted to. So you're hiding your location a little bit, but it's also encrypting the data stream, so that's what we're talking about in terms of any remote connection. And I think it's particularly important in the wifi space.

Mark:

But there are a lot of free VPNs available and a lot of other just tiered pricing of all kinds of things. Do you have any thoughts about is it unwise to use the free VPNs as opposed to spending a little bit of money? I hear at times the VPNs that are free, they may be monitoring and monetizing the information they're learning about what you're doing. But I truly don't know. Do you have any thoughts on that?

Sherri Davidoff:

In general, there's no such thing as a free lunch in our society. Right? If you're not paying for a product, you are the product, so they say. So I would be careful about that. In general, I would get an experienced IT person's advice when you're setting up your VPN. I wouldn't do it on your own because if you make a little mistake, again, it's all your data on the line. There's some pretty serious consequences. Also, consider if you really need a VPN. Are you just trying to get into one computer? And if so, is it just a certain type of data that you need?

Sherri Davidoff:

Personally, I am a proponent, I've become a proponent of using the cloud. And I was a slow adopter. Being a security professional, I was fairly conservative about it. But you have some really strong options like Microsoft Office 365 is a great option for attorneys. There's a lot of compliance. There's a lot of regulations that they adhere to, and you can get them to sign off on that. There's other providers as well that are very good. And again, if you're using that two-factor authentication, they have some very advanced security features built in. They are maintaining that software, so I think it takes a lot of the pressure off of small and solo practitioners to just use the cloud. And then you don't have to worry about somebody remoting into your whole computer.

Mark:

One question that comes up every once in a while from lawyers as they start to think through some of the things we're talking about, but in the context of ransomware the cloud, they're learning. And I think for the most part they have as a profession, have a pretty good understanding what ransomware does at a basic level. And it can infect the network and this kind of thing. But I think some believe one of two things, but first, the cloud one is if I put things in the cloud, I'm safe there because there's this break. Would you put that to rest?

Sherri Davidoff:

Yeah. I mean, if you can access it, so can criminals. Right?

Mark:

Oh, yeah.

Sherri Davidoff:

Especially because often we see people click on links in phishing emails. Their computers get infected. And the criminals will even install ransomware in your cloud drives, like One Drive. If you can get to it and a criminal has access to your account, then the criminal has access to it. And there are times, in fact, I have a little video example that we took in our laboratory, where criminals will deliberately remote into your computer and use your computer to break into your bank accounts or your email accounts because you have your password saved there. And you don't have ... You've clicked trust this computer, so it's way easier for them than trying to break in from Thailand, or Russia, or wherever they happen to be.

Mark:

And I want to respect your time here, Sherri. The stuff you're sharing is just awesome, awesome stuff. I want to just take a few moments and shift a little bit now. So we've talked about some really good security things that lawyers, business owners, firm leaders need to be thinking about. And of course, all of this needs to apply to everybody. But let's talk about the home place. So what do I need to think about in terms of making sure my employees do, or understand? Do you have concerns about what the individual is actually doing in their own home?

Sherri Davidoff:

Yes, of course. A big issue that comes up is sharing of computers, so you need to have a clear policy as to whether it's okay to share computers. Is it okay to have certain types of documents on their personal computers? Remember that personal computers are much higher risk. You are likely to get a virus on a personal computer, especially if multiple people are sharing that. So whenever possible, keep work documents on work systems, or systems that are just used for work. And again, the cloud can help you with that.

Sherri Davidoff:

For example, you can allow people to access documents in the cloud and prevent them from downloading those documents. And it's all well and good to tell people that. But ideally, you want to actually implement that control and prevent them from a technical measure. We also see people emailing documents to their personal emails, and now it's totally out of your control. It's up in Google somewhere else. You may have violated some policies, especially if you deal with health information. You might've violated some regulations just by putting it up in Google, or violated your client's privacy. So mainlining control of your data, especially during these times, is absolutely critical.

Sherri Davidoff:

I think I would be remiss if I didn't mention mobile device management software, so if you have people using personal devices, you can deploy what we call an MDM. It's a piece of software that allows you to have some level of control over that personal device. So if that employee leaves, or if the device is stolen, it'll wipe your data from it. It can require that there's a pin or a passcode set on that device, even though you don't own that device. It can require antivirus software, and that's another one. If you do nothing else, require antivirus software. And you can buy it for employees to use on their home computers if they're using those for work.

Mark:

Yeah. The takeaway for me, and there are a lot here, and we can talk about this for hours. Maybe I could.

Sherri Davidoff:

I've been talking about it for 20 years.

Mark:

But I do like, when I think about our confidentiality rules in law, I do think saying we really ... You can't use a home computer for work that the teenage kids have access to in the evening, and the gaming. That's just victim here on the forehead if you ask me. So it underscores the value of saying, "If you have the financial wherewithal, let's supply our employees and staff and associates, whoever may be involved here, with company-owned equipment," because we can enforce the rules. We have control over that. I really like that. I but I also think that there's value in having some policies and then thinking through some of the issues that you just identified. And let's have written policies that staff are well aware of, so that if they are constantly breaking the rules, which is so easy to do because we trust our personal devices. Do we not?

Mark:

We seem to trust our personal devices a little bit more than work devices, whether it's because we know we're not being watched, if you will, in terms of just when you're on corporate device, they have the ability to monitor what's happening to the device, that kind of thing. I don't know what it is. But I think having a policy allows you to, well, not monitor, but hold people accountable.

Sherri Davidoff:

Absolutely.

Mark:

And say, "Look, if you're not doing something."

Sherri Davidoff:

Yeah. A policy's a great first step. And remember, progress not perfection. I do recognize, especially right now, a lot of people just don't have any other option besides using personal devices. And if you do that, again, that next step is to create a separate account at least. So you're not sharing the same account as your kids or as the other people you're working with. And if you can, having a separate device for work is definitely the way to go if you are able to do that.

Mark:

Well, Sherri, it's been a pleasure. I want to share with our listeners that Sherri has made available some remote work cybersecurity checklists for employees and managers. And this isn't live yet, but when it will be, you can click right there and have access to these. They're excellent tools. And Sherri, thank you very much for making that available to our audience. For those of you listening today, I hope you have found something of value. And if you have an idea of a topic that you feel strongly about that you think others would enjoy hearing, or you have a speaker that you'd be interested in seeing if we can have join the podcast, please don't hesitate to reach out to me. My email address is mbass, M-B-A-S-S, @alpsinsurance.com.

Mark:

And before I close, for those listening to the mileage score, you have to go back to earlier podcasts. I'm up to 700 even as of today, so I'm getting there. That's it. Thank you all. Thanks for listening. Bye-bye.