I Think My Computer Has A Virus

4.5 How to Help Library Patrons, Where to Go to Learn More

Want some final take-aways about avoiding viruses? And what to do if your computer catches one? We've got you covered.

 

Transcript

Davis: Thank you so much for joining us for this series of episodes. I’m wondering if you wouldn’t mind reflecting back on the series. What would you say are the top two or three biggest takeaways?

Dan: Well, first and foremost, being compromised can happen to anyone and will happen to many. It’s not a matter of if but more of when. When it does, notify your IT or security team, or take action immediately if it’s on your own system. Think in advance how you might react if a particular account is taken over by someone else. Next, be prepared with your technology. Use antivirus, hard-to-guess passwords stored in password managers, and multi-factor authentication as ways to keep your system and your network secure. Don’t click on links or open attachments unless you’re sure where they came from and exactly what they’re for.

Davis: Excellent advice. Thank you. What resources might you recommend for folks who want to learn more?

Dan: I think the best thing to do here is to go to your organization’s policies and procedures and read them and get to know them. Also, build a strong relationship with your information security and IT teams in advance of something happening. You can also find lots of detailed information on places like sans.org and security awareness sites like Wizer and Curricula, which have very useful but easy-to-watch training that helps on a personal level as much as it does on a work level.

Davis: Dan, we’ve come to the end of our time together on this project and so here’s my final question for the libraries out there. What advice might you give just in general or specifically about information security, whichever you prefer?

Dan: Well, based on similar advice I gave in series three, use the ethos of the library to inform and educate the community on better security practices. Being proactive in protecting your systems and your actions means the difference between having data put at risk and not. Also, patron data is held very near and dear to the library, so taking these preventive actions also helps protect your constituents. And if a compromise happens, fast action can limit the impact.

Davis: Thank you so much for all of your words of wisdom across these two series, Dan. I can’t wait to see you again on a METRO production sometime. And before I too say goodbye until series five, I’d like to thank my wonderful project partners at Brooklyn Public Library, The New York Public Library, and Queens Public Library. This project is funded by the Mayor’s Office of the Chief Technology Officer. Thanks so much and I’ll catch you all next time for our fifth and final series.

Further Reading

Contributor Bios

  • Daniel Ayala is a leader in the fields of information security, risk, and data privacy. He is Chief Security and Trust Officer at Dotmatics, hosts The Great Security Debate Podcast, and founded Mentor Core, an organization that seeks to bring together mentors and protégés from across the risk and compliance profession. Learn more about Dan's work at https://danielayala.com/.
  • Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.
  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.

4.4 What Do We Do if Our Information is Already Out There?

What to do if you've fallen victim to malware?
Read on for advice!

 

Transcript

Davis: Hey, Dan, what do we do if we’ve already been hacked? What happens if we fall for a scam? And, by the way, I know you’ll agree that there’s no shame in that. As we discussed in our second episode, people earn their livelihoods this way and they’re very good at it.

Dan: Yeah, as you said, don’t be ashamed and get your organization into action. Tell your IT or your security team immediately that something happened, what you saw, what you experienced, and what information you provided to an attacker. The sooner you let someone know, the faster that they can start taking action to limit the effect. Even if you just have a feeling or a sense that something’s amiss, call your service desk or your security team to let them know right away.

Davis: Thank you so much. What happens if this befalls you in your personal life and you’re not at work and you don’t have an IT department at home?

Dan: Consider the information you gave and do what you can to get it back under your control. If you gave out a password, go to that site or that system and change the password right away. In some systems, you can see and manage what other devices are logged into that account. Find the ones that aren’t you and boot them out. Better yet, boot them all out and log in again. Also, use multi-factor authentication whenever it’s offered, which, in my opinion, should now be all the time on all sites. It’s getting better, but it’s still not a hundred percent yet. But if it’s there, use it as a way to make it so that if your password does get out, the attacker still can’t get in automatically.

Davis: What should folks do to prepare for the future?

Dan: It’s not too late to install antivirus software. Modern computers are really complex, including both Windows and Mac, and it’s easy for attackers to find ways in and places to hide. Having a piece of software that’s just listening and waiting to identify that they’re there can mean the difference between catching it early and not at all. The other tidbit is to make sure to use a different password for each application or service. When you use the same one, it can be used by an attacker to get into other places you used it. Store them in a password manager, make them hard to guess, and as I mentioned before, use multi-factor authentication anytime it’s offered and available.

Davis: We talked earlier about how this is financially motivated in large part, so what are your recommendations for what to do if it’s your bank account that gets compromised?

Dan: Well, first call your bank. While you’re on hold, change your password to that account to something you’ve not used elsewhere. Timeliness is key. Money moves fast these days, so the sooner you act the more ways there are to prevent it from being irreversible. And contrary to what you see in popular movies, there are ways to reverse wire transfers, but only if you act fast.

Davis: And so what happens next? Are there lasting consequences for being on the receiving end of a financially compromising hack?

Dan: Not to scare, but there are increasing cases of the long con, where access to a system or network happens and lets an attacker look around for a while, get to know the environment, and then after a while make their actual attack. They can do this to make sure that backups that have been used, that might be used to restore, all contain their malware, giving them yet another way back in after the restoration. So if you have a system compromise, the most reliable way to recover is to wipe it and start over. Which is another reminder to keep good backups of your data, and remember the 3-2-1 rule: keep three copies, two of them local but on separate mediums, and one off site, even in the cloud.

Davis: This is such an important topic, Dan, and I know people will want to know more about keeping their accounts safe. So as a bonus to episode four, where might you suggest people go to learn more?

Dan: Well, take a look at annualcreditreport.com from the FTC and the US Government. They use the three main credit providers here in the US, and you get one copy of your credit report free from each every year. And some states have laws on top of that. They give you even more. You don’t have to wait for an attack to use this service. Stay ahead of the curve and notice when someone uses your data to extend credit in your name, and it costs you nothing.

Davis: Thank you for that tip. I love a free resource. Dan, thanks so much again. And we’ll see you one last time in our final episode together, episode 5, which is on how to help library patrons and where to go to learn more.

4.3 What Can We Do to Prevent This?

Wondering how to stay safe from malware? Sneak preview: it's possible to protect your data with a little bit of forethought and a whole lot of patience.

 

Transcript

Davis: Welcome back, Dan. In our last episode, we discussed how folks might fall victim to scams, especially through social engineering. What are some ways that we might head these sorts of issues off at the pass?

Dan: Be skeptical in everything you do. Is this email really from the person who it claims to be from? Why is this person calling, asking me to help them in a strange way? Is my bank really calling to confirm my account data? Also, when asked for things about you, never give information when the calls come to you, especially unsolicited. If you want to do business with a bank, you call them on their posted phone number. If your mobile phone company sends you a message to confirm a SIM change, go to their website and use the official chat mechanism to ask them about it.

Don’t use the phone numbers or emails or addresses or URLs that you get during the social engineering call, because like I mentioned in a previous episode, these attackers have whole organizations that they use to make their claims look real, including answering phone calls and answering emails as the people who they claim you should be calling, all to make it seem real. If you get a call to you, make the person calling tell you the information that they want to confirm. If they want to know your phone number, ask them to tell you the one they have and you’ll confirm if it’s right or wrong. Don’t give them information, especially if the call came to you and you didn’t call them.

Davis: That is incredibly savvy. What sorts of research can we be doing to identify these types of scams?

Dan: The hovering over the link to see where it will send you is a good one. Look for fake versions of domains with small spelling errors like microsoft.com but with a zero instead of an o, or additional domains added on to the end, hoping you’ll just look at the first part, see microsoft.com, and think, yep, that’s okay, and click it anyhow. Same with email addresses: look at the real email address of the sender. If it comes from Gmail or a strange address you don’t know but pretending to be someone you do know, expect it’s fake. Also, check the links in the email to see if they go to the real domain. They’re supposed to be equally if not more skeptical with attachments before you click to open them.

Davis: Now that we know what to look out for in email, what can we do to prepare our devices?

Dan: First, have up-to-date anti-malware or endpoint protection installed on your machine, and keep those definitions up to date. It’s worth it, as those packages get constant updates on new attack types and could prevent them from executing if you do click on a link or open the attachment, but it also means you can’t get careless with attachments and links either.

For a long time, Macs had been thought to be immune, and not necessary to have endpoint protection on them, but that’s not the case. For a long time they really didn’t have enough volume of devices to make it worth building attacks for. Forward 20 years and now there’s Macs everywhere, so the malware is being built for them, just like Windows machines. Equal opportunity attackers.

Also, install and use a password manager. This is a place where you can store your passwords and autofill them into websites, the legitimate sites, of course, when you need to use them. Password managers also have great random password generators, since we as humans are not very good at being random when we create them. And having a place to store them means you don’t have to remember them all, which also lets you make them really complex. And only use each password one time for one service.

Since you should never reuse passwords, I do get asked a lot about whether it’s okay to write passwords down, and the answer is my usual: it depends. If you are at home and you have one machine that you use there and that’s all, go ahead and put them in a notebook if it means you’ll use stronger passwords and not reuse them. You’re not traveling with those passwords and the data and system all stay in your house. If you’re out and about and have a laptop or mobile phone, then it’s probably not a good idea to have your passwords in your bag along with the laptop that’s protected by those passwords. If the bag gets nicked, they get a device and the passwords all together. Not a great idea. Use the password manager on the device, make and remember the one difficult-to-guess password to get into the password manager, and then be on your way.

Davis: On the tip of installing software, how can I tell which anti-malware software is trustworthy?

Dan: Use consumer products like Norton or McAfee or BitDefender or others you find at consumer technology stores. There are some free antivirus and anti-malware technologies, but you generally get what you pay for, and I can’t stop thinking about the adage “if you’re not paying for the product, then you likely are the product” whenever it comes to software.

When installing any software, make sure you get it from a legitimate source like the manufacturer’s actual website or the official device store like the Apple App Store, the Google Play Store. Alternative stores can be more risky, so use caution. Also, don’t install hacked or cracked versions of software, as they often also contain malware or spyware that’s added to them when the license keys were hacked away. Plus, violating license and copyright laws is against the law.

Davis: Any suggestions about how we as human beings approach technology in a philosophical sense? By which I mean, in my experience, the speed of connectivity has definitely influenced my behavior, and I sometimes approach my phone or my computer with some degree of haste. Any suggestions for how I can make sure the sort of behavior doesn’t land me in hot water?

Dan: For sure. We live in a rush rush world, and with faster speeds we get even more anxious. I grew up on 300 baud modems which transmitted slower than the screen could print characters. So always be slow and conscious about the actions you take online, whether it’s to click on a link, open an attachment, accept terms and conditions, or anything else. Think twice, act once, as we talked about in the last episode. Don’t fall victim to the urgency that comes during a social engineering attack. That urgency is trying to get you to override your own common sense about whether it’s a valid request or not. Ask questions, confirm the request, and then help out. Humans are funny creatures, but we’re also susceptible to being manipulated in this way. If we slow down, it’s much less likely that we’ll be taken advantage of.

And, finally, remember there’s no such thing as a stupid question. When it comes to security, we have an obligation to ask if something seems suspect or unusual. Ask it even if you think your question may come off as stupid. Ask how something works or why, if you don’t understand. The more we know, the harder it is to be taken advantage of. Bad actors prey on people not wanting to look or feel stupid, so they put you in situations that make you less inclined to ask. I promise you that the security and IT teams would rather you ask the question than have you get compromised in some other way.

Davis: Thank you so much for your advice, Dan. I’m looking forward to continuing our conversation in our next episode on what to do if we’ve already found ourselves on the receiving end of a hack, or if we’ve inadvertently downloaded malware. So I’ll see you then.
