Ep. 9: Cybersecurity – The Good, The Bad, & The Ugly [TRANSCRIPT]

Abby Rose Esposito, Marketing Specialist:

Welcome back to the MediSked podcast. We are pleased to welcome MediSked’s cybersecurity team to the podcast today. Let’s have you guys introduce yourselves before we get started.

Shayne Champion, CISO:

I’m Shayne Champion, I’m the Chief Information Security Officer at MediSked.

Sara Sofia, Cybersecurity Engineer:

I’m Sara Sofia, I’m a cybersecurity engineer.

Luke Franzelas, Cybersecurity Engineer:

I’m Luke Franzelas. I, too, am a cybersecurity engineer.

Kirsten Hanson, Cybersecurity Analyst:

And I’m Kirsten Hanson and I’m a cybersecurity analyst.

Abby Rose Esposito, Marketing Specialist:

Awesome. We’re glad to have you on the podcast today. I am Abby Rose Esposito, marketing specialist here at MediSked and I will be your moderator today. October is cybersecurity awareness month. So we’re going to cover four key behaviors that you should keep in mind. Passwords, software updates, multifactor authentication, and phishing. Let’s get started with some common questions for our team. So first of all, within passwords, what is the problem with passwords?

Shayne Champion, CISO:

Well, the interesting part about this is that if you ask most people, even if they’re not in cybersecurity, what would make a good password, you’re gonna probably get the same answer: at least 8 characters, at least one uppercase, one lowercase, at least one number, one special symbol, right? Everybody does that. The funny thing is that was never supposed to be a standard. In 2003, the National Institute of Standards and Technology (NIST) published a document, this special publication 863, and in Appendix A an analyst named Bill Burr wrote what he thought would be good general guidelines, and that became like the rule for the rest of the world. And it’s sort of been an embarrassment for him through his career. Actually, in 2018 they had the 15 year anniversary of that and he published a retraction apologizing for the password rules, cuz they were never supposed to be the standard of password rules for the ages. And quite frankly, they haven’t aged well.

Sara Sofia, Cybersecurity Engineer:

And on top of that, users having to reset their passwords constantly leads to them having creative ways to document those passwords, which tends to be like writing them in a notebook next to their computer or on sticky notes or other things. And in general people can be pretty bad with managing that many passwords and therefore they tend not to have different ones. They tend to reuse passwords over multiple locations, which increases the vulnerability of everywhere they go. Cuz if somebody gets one account’s credentials, they get all of them at once. So this is why we’re moving towards a passwordless society one day.

Abby Rose Esposito, Marketing Specialist:

What do you mean, “passwordless?” What does that mean?

Sara Sofia, Cybersecurity Engineer:

You can actually see this on some websites already doing it. They’re going away from just having something like a password, and they’re sending out multifactor authentication codes instead.

Shayne Champion, CISO:

Traditionally passwords have been the way that you get into an account or get into your network but they just don’t last very well. They’re very easy to hack. There are a lot of open source free tools that make it very easy to compromise users’ passwords. So the industry has realized, actually the profession has realized that that’s just not an effective way, particularly if it’s the only security tool that you’re using. So there are a lot of alternate methods including multifactor authentication that are becoming much more prevalent. And quite frankly, it’s a great idea to do for your corporate network or your own life, like your bank account and whatnot.

Sara Sofia, Cybersecurity Engineer:

I do know there are some retail sites already employing it. Like Anthropologie, when you go to their website, they no longer have you use a password. They send you a text message to verify that you are who you are supposed to be.

Abby Rose Esposito, Marketing Specialist:

So just the text message, you don’t use a password.

Sara Sofia, Cybersecurity Engineer:

Right. Put in my email address and it sends me a code.

Abby Rose Esposito, Marketing Specialist:

Cool. Well what about here at MediSked? What’s the primary tool that we use to keep people out of our network?

Shayne Champion, CISO:

That’s Sara. Sara just scares people away from doing it.

Abby Rose Esposito, Marketing Specialist:

<Laugh>. It’s true. I can confirm.

Luke Franzelas, Cybersecurity Engineer:

I’m scared of Sara.

Sara Sofia, Cybersecurity Engineer:

I’m only five feet tall. I should not be that scary to people.

Shayne Champion, CISO:

What we really do is we focus on zero trust networking and that ends up being a much more effective solution, particularly when you’re cloud hosted like we are.

Abby Rose Esposito, Marketing Specialist:

Well, what is Zero Trust networking?

Shayne Champion, CISO:

Well, I’m glad you asked, Abby. Traditionally, people thought about defenses in their network starting with a firewall, and that was kind of like having a gate around your house: it kept everybody out and only the people who had the key could get in. But that has proven not to be terribly effective, particularly in a cloud based world. And MediSked itself is a software as a service based solution. Our people are physically located all over the country, so having a gate around the whole country doesn’t work. It’s just not practical. Zero Trust networking says we’re going to not only authenticate you when you log into the network to make sure you are who you say you are, but then you also have to make sure that that individual and the computer that they’re using are authorized to get at every point of the network they’re running into: every application, every set of data. That puts the gates everywhere, and it’s really the only practical solution to do that.

Luke Franzelas, Cybersecurity Engineer:

I have a story that gives an example of that that might be relevant and will tell you basically how old I am. I once worked at a company that had firewalls at all its edges and individuals that worked within the network that would take their laptops home with ’em and then come back to work with them the next day. And so the firewalls gave us like this crunchy hard outer shell and then everything inside was, I don’t know, kind of like a Goober piece of candy: soft and squishy. So around the time I was working at this place there was a worm called Blaster that basically infected the entire world in just a very, very short amount of time. And these people came back onto the network with their devices infected, and the Blaster virus, or worm, would scan the entire network and find other vulnerable devices and infect them. So a very hard, punchy shell with very little security on the inside caused the entire network to shut down and no users could do anything.

Abby Rose Esposito, Marketing Specialist:

Oh dear. No thank you. So I’ve heard something about Executive Order M-22-09? What is that and why does it matter to us?

Shayne Champion, CISO:

Well, you sound like you’re very familiar with that. Executive Order M-22-09 was actually an executive order that Biden signed; it started in January and officially went out in May. And basically he realized that Zero Trust was not just a good idea in general, but the direction the federal government should go. And the way that this tends to go is that executive orders in cybersecurity tend to percolate into NIST as standards, and most federal contractors as well as the federal government have to comply with those standards. And eventually that will encompass schedule, whether we’re doing business at the federal or state level. It may take a couple of years. Right now they have a two year implementation deadline for the Zero Trust features within the governmental information systems. But that will be coming to us one way or another through our clients.

Abby Rose Esposito, Marketing Specialist:

Gotcha. And what impact does Zero Trust have on MediSked and our clients?

Shayne Champion, CISO:

Well, you know, just the other day you were telling me how much you like putting in your password every five minutes in MFA. No, seriously, as you log into different parts of our network, if it requires a different level of authentication, it is going to ask you again to log in, or it may mean that your credentials don’t last as long if you are in a highly secured environment. But some of those look like things that security is doing to make our life as users inconvenient. The reality is that those short timelines, like for example the two minute timeout for our computers, are all built to give the bad guys less time to focus in and compromise our systems and get in. And it keeps not just MediSked systems but the data for all the people we’re supporting secure.

Sara Sofia, Cybersecurity Engineer:

From our side too, it’s driven us to add additional layers of security that don’t necessarily also have to be user impacting. So some of the scenarios just brought up here were your MFA or your credentials, but things that we put into place like checking whether you’re on the right device, that’s something that can be an additional form of identification that the user doesn’t even realize is occurring. On top of that with Azure AD and some of the features they have, we can set our own compliance policies that say you have to be on this device and it also has to have other security settings that we have in place. We can add a lot of things and really customize it for our environment and really make it very little impact on the user while adding additional hurdles for any bad actor out there.

Abby Rose Esposito, Marketing Specialist:

Cool. So let’s talk about software updates. Why do they happen so often and why do they matter?

Luke Franzelas, Cybersecurity Engineer:

Software updates, for me, the most important part about ’em is the protection they offer against security flaws and vulnerabilities. They allow us to better protect corporate and personal data from things like ransomware or data being leaked outta the environment. And the longer a flaw exists, the more likely it is to be taken advantage of by bad actors. You got your really sharp guys that could probably get to it in zero day, and eventually, like the rest of us, bad guys like to automate things, and then they become part of scripts that other people can take advantage of. So the longer that you have vulnerabilities out there, the easier they are to take advantage of and the more likely they’ll be taken advantage of.

Shayne Champion, CISO:

Back in the late nineties when I first started working in the internet industry, I worked for a large regional internet service provider, and if there were three or four viruses that came out in a month, it was such a big deal that the news stations would come and interview me. Now it’s nothing to get hundreds in a day, or thousands even, in a day. I mean, it is just the way the world is. So, because there are so many more viruses and worms out there taking advantage of every gap in every piece of software, it makes it that much more important to keep updated as quickly as possible.

Sara Sofia, Cybersecurity Engineer:

One of the interesting things that also occurred because of the pandemic was a lot of workers went remote, and some of the things we’ve already covered about Zero Trust networking and how we’ve moved away from the traditional office building network platform have led to attackers having to find new methods to get to users’ computers or get their credentials or anything else. So one of the things you’ve probably noticed, for example, is your browsers have had more critical updates happening than probably ever before, and that’s because they’re under constant attack right now. One of the things that happened at the beginning of the pandemic was Zoom had a lot of critical vulnerabilities out there, because Zoom was video conferencing equipment and, it’s kind of interesting, I had used it at a past company before and not a lot of people who I talked to knew of them, and the minute the pandemic happened, they blew up. And not to be unfair to Zoom, that was a huge level to scale at in that timeframe. And so because so many users were switching to that immediately, of course they became a target for hackers. So once you end up under attack, if you haven’t found your flaws, they’ll find ’em for you and then you’re patching <laugh>.

Abby Rose Esposito, Marketing Specialist:

So since they’re attacking browsers, you’re saying I should probably not store passwords in my browser.

Sara Sofia, Cybersecurity Engineer:

That’s not necessarily completely fair. Like Google, and there are companies like LastPass, and they definitely focus on password security. Especially, I mean, when you’re going through options of how to store your passwords, am I gonna tell you to put it on a sticky note? Absolutely not. Things like Google Password Manager, they do have additional security features, like they are scanning to see if your credentials got leaked anywhere and are letting regular users know that, and it’s very valuable. And they’re also telling you when you’re using your passwords in multiple locations. Anytime you’re using a password safe, these companies do focus on the security, and yes, of course they’re gonna be attacked, but sorry, so is everything else. So it’s better to do it in a safe place where, you know, people are actually trying to protect it rather than some of the bad behaviors.

Sara Sofia, Cybersecurity Engineer:

And then some of the other things too that you’ll notice with using any of these password safes with browsers is they’re encouraging you to have at least the best password management possible by suggesting strong passwords and telling you to use a unique one for every site. All of these are additional hurdles an actor will have to go through to get your accounts, or at least if they do get an account of yours, they get one account; they don’t get your bank and your credit cards and your utilities all in one. They might get one, they’re not getting them all, and that’s critical to protecting yourself. So no, I’m definitely not saying not to use password safes available in browsers. I’m not saying all of them are safe, I’m saying look into it.

Abby Rose Esposito, Marketing Specialist:

Got it. I guess my question was more about keeping it right in, like, Google Chrome, like when I’m typing in a password and then I just hit save, or like on Safari on my phone it asks if I wanna just save the password and I just hit save. I’ve always kind of wondered if that’s actually not a good idea.

Luke Franzelas, Cybersecurity Engineer:

Better to use the password safes that actually have extensions that go into most of those browsers. LastPass or any of the other ones will have that stuff, and mobile apps that will sync with your browsers on your computer and on your phone, so you have those passwords anywhere you want. That’s a better option.

Sara Sofia, Cybersecurity Engineer:

I think you’ll also find, if that’s something you look up, you’ll see everybody fighting over what the best method is. But in general, the password safes offered through browsers or browser extensions, like LastPass, are preferable to the creative options that users have used in the past.

Abby Rose Esposito, Marketing Specialist:

<Laugh>. Got it. All right. So any other reasons for software updates that we hadn’t talked about?

Luke Franzelas, Cybersecurity Engineer:

Yeah, there’s a bunch of ’em there. I mean, you get bug fixes that aren’t security related. If you have, you know, a GUI and a button doesn’t work the way it’s supposed to, or a query that doesn’t pull up the right results that you want in something, there are bug fixes that fix that stuff. There are updates that improve performance so that, you know, you’re not getting to the data or information that you want slowly, with performance issues; it speeds things up. There are also compatibility issues. Surprise, Microsoft dropped Windows 11 on everybody, and now some of the features that I used in Windows 10 don’t work in the new environment, so I gotta wait for the software companies to put out a release to fix those things. And there’s supportability reasons too. So, you know, as they upgrade these features, they don’t want to support every single version in perpetuity. So they usually have a time window of, you know, a year or two that they’ll support something and then they end-of-life it. So you wanna stay in the area that is supported when it comes to feature releases and software updates.

Abby Rose Esposito, Marketing Specialist:

Well how can you avoid threat actors abusing the concept of software updates?

Shayne Champion, CISO:

Well, you really can’t, because every time an organization publishes a CVE, which is a listing of a known vulnerability they’ve identified, it’s basically giving them a recipe for how to abuse it. There are some studies I’ve seen that have said that even threat actors who weren’t abusing those vulnerabilities can weaponize an alert within three days. So the clock starts ticking immediately once they release a bulletin that there’s an update out there, because the bad guys are working to use it against you if they’re not doing it already.

Sara Sofia, Cybersecurity Engineer:

Right. Actors might send you a phishing email letting you know that a software update’s available, and one way you can avoid it is that instead of just believing the email that you received, you go directly to the website. So for instance, if you have a thing that says Adobe has an update, either go directly to Adobe’s website to update or go directly to the program installed on your computer and complete it there. Don’t click links that might be suspicious.

Shayne Champion, CISO:

As we talk about in training all the time: if you see something, say something. If something seems a little bit, you know, unusual or outta whack, let somebody know about it.

Abby Rose Esposito, Marketing Specialist:

Yeah, I always report things, even if I’m sure half the time they’re not phishing, but I’d rather be safe than sorry.

Shayne Champion, CISO:

And we would rather you do that too. We’d rather you report, you know, a thousand false positives than miss the one that really counted, because at the end of the day we can’t really keep the bad guys out of our network if they really want to compromise us. What’s important is that we identify that they’ve gotten in as soon as possible and start remediating that, and we can’t do it if people don’t let us know.

Abby Rose Esposito, Marketing Specialist:

Got it. All right, let’s talk about multifactor authentication more commonly known as just MFA. So why should MFA matter to me, to our clients, to our company?

Kirsten Hanson, Cybersecurity Analyst:

Well, there are numerous advantages to using MFA, or multifactor authentication, like you already noted for us. MFA adds a layer of security to your everyday password. MFA helps to protect against phishing, social engineering and password brute force attacks. And it also prevents logins from attackers exploiting weak or stolen credentials. So when you’re using MFA, even if login credentials are compromised, the password alone will not be enough to break into the account. So all in all, MFA elevates the protection of both the users and organizations that employ it.

Abby Rose Esposito, Marketing Specialist:

Got it. So what types of options are there to use MFA and are some of them better than others?

Kirsten Hanson, Cybersecurity Analyst:

In terms of the types of MFA that exist, there are the things that you know, such as a password or a PIN number; the things that you have, such as a badge or a smartphone; and then there are things that you are, such as a biometric like fingerprints or voice or facial recognition. Believe it or not, even though it’s the most common MFA method, receiving a code by SMS or text is actually one of the least secure methods of MFA. With these it is much easier to potentially access the code via spyware on a connected device or even through a cloned SIM card. Now one of the most secure ways to authenticate is a one-time password. This is a unique code or password that can only be used once; some can even only be used within a certain period of time before it is invalid, and then a new one-time password generates. This one would be called a time-based one-time password. These passwords are not unbreakable, but the chance of breakability is very low in the period of time that the password is valid. And one of the most common ways to receive those one-time passwords right now is through authenticator apps.

Abby Rose Esposito, Marketing Specialist:

So do I need to have MFA on all accounts or just like really important ones?

Kirsten Hanson, Cybersecurity Analyst:

MFA should be used in every possible place. The protection that it provides to your accounts and information is unprecedented. For example, in May of 2021, the Colonial Pipeline attack was possible because hackers compromised one poorly protected VPN account that did not have MFA in place. This one password break that the hackers $4.4 million. This is just one example of how securing all accounts without exception can only boost protection.

Abby Rose Esposito, Marketing Specialist:

Is it common in the industry to enforce MFA or I mean I know that MediSked does, but is it common for everyone or is it just us being extra protective?

Shayne Champion, CISO:

Well, you know, it’s interesting. It should be common, because most of the people that we work with have requirements because of the HIPAA information. They deal with protected health information and personally identifiable information, so they should be using MFA, but, like, they don’t, just because they feel it’s inconvenient, it takes a little bit more time. But it really should be more common than it is.

Luke Franzelas, Cybersecurity Engineer:

And I would say that it’s starting to become common enough that we are starting to see attacks by bad actors against MFA infrastructures. There was a release just recently about Microsoft Teams storing the resulting tokens that come from MFA in clear text and the way that people are trying to get access to those things. So it’s gonna be one more thing that we’re gonna have to stay vigilant about.

Sara Sofia, Cybersecurity Engineer:

They do know that, like, SMS MFA options are already being compromised, so things like authenticators and everything are better for that. But still, having SMS is always better than not having MFA. Security is always about layers, and the more hurdles you can put in front of the bad guys, the better off you’re gonna be, or the more likely that they’re gonna move to an easier target, because there are plenty of them out there. And turning on MFA is one of the ways that you can make yourself not an easy target.

Abby Rose Esposito, Marketing Specialist:

So I will be honest <laugh> that I have, like, a password that I was using in, like, high school that I will still use for, like, an account that I don’t think matters, like something that doesn’t have any payment associated with it, or just a random website that I don’t think I would care if someone got into. Why does, like, does it actually matter? Should I actually be caring about those passwords and about MFA for a site that doesn’t seem to have any, like, any payment information? Really, I’m always thinking about, like, is my credit card in there? What if my credit card isn’t in there, and I don’t think that it is, like, going to affect my finances or anything? Like, do I really need to worry about passwords and MFA on sites like that?

Shayne Champion, CISO:

When the conversation starts with I still use the same password from high school, the answer is twofold. Number one yes. And number two, thank you for your time Abby Rose, it was good talking to you.

Sara Sofia, Cybersecurity Engineer:

Abby Rose about to get signed up for more training.

Shayne Champion, CISO:

Actually, you’re about to get signed up for Sara coming over to your house and having a long conversation. <Laugh>

Shayne Champion, CISO:

Actually, about 30%, a little over 30% of people use the same password for everything, and it’s incredibly unwise, because there are a lot of vendors that you trust who don’t have great security practices. Like Luke was talking about, even Microsoft, with all of their sophistication, storing tokens in plain text, which means it’s not encrypted. Anybody can go and take a look at it, grab it and use it. I mean, it’s not smart. And when you use the same password, all you have to do is have one of your accounts get compromised from 15 years ago and all of a sudden the bad guys have the keys to your accounts.

Luke Franzelas, Cybersecurity Engineer:

But we have an example of that. Right here, right here in med. Somebody had access to a website that they don’t even remember anymore, and their credentials from that website have been leaked and have been sold and resold, and people from all over the world and the country are trying to log in using those credentials to our current environment at MediSked. Now it’s failing because thankfully the person is (a) not using that same password in our environment and (b) we have MFA. But there’s actually a very legitimate reason to change passwords and not use ’em in the same place and to have MFA, for that very reason.

Shayne Champion, CISO:

Like another part about this that people are missing, you know, 10 years ago you had to worry about some individual finding it, some hacker in Czechoslovakia, you know, getting bored and using the password from account A and saying, well, I wonder if I could use that same password for account B. That’s not true anymore. Machine learning, which everybody calls artificial intelligence, is automating all of that. They can look at thousands of accounts almost immediately and try all of your known passwords, and it’s working really well, so you have to be on your guard for it, because the bad guys are absolutely willing, able and currently exploiting those very vulnerabilities.

Sara Sofia, Cybersecurity Engineer:

Also, the websites that you spoke of, which are ones that don’t have financial information, are still gonna have account information on you. You’re still inadvertently giving them your name, your email and potentially other information like your address. Considering that they don’t have any kind of payment systems, or maybe they don’t have any healthcare, probably means they’re managed by a company that most likely will not care about security as much as a company like ours does. So they’re more likely to get breached because of that. And then that leads to all that information being out there. My friends are always horrified at what I can find out about them online.

Shayne Champion, CISO:

That’s ’cause you’re a stalker Sara.

Sara Sofia, Cybersecurity Engineer:

Well they ask me so I don’t think it’s technically fair to call me a stalker because if they say what can you find on me as a dare? And I’m like okay, you asked for it, here you go.

Shayne Champion, CISO:

If you invite the vampire in, whose fault is it?

Abby Rose Esposito, Marketing Specialist:

Wow. Alright, well, I’ll have to change my Club Penguin password and all of my other passwords.

Shayne Champion, CISO:

<Laugh>, I thought I dated myself.

Abby Rose Esposito, Marketing Specialist:

<Laugh>. All right. You proved to me why I can’t keep using that password. But what about, so like what about something like Home Depot? Do I really need to use MFA for something like that?

Kirsten Hanson, Cybersecurity Analyst:

So for the same reasons that Sara was just describing, it still has information like your name, your phone number, your email, your address most likely. And that’s stuff that I wanna protect, mine, and I don’t want that to just be out there for everyone, as much as it sort of is anyways.

Sara Sofia, Cybersecurity Engineer:

One of the interesting things about Home Depot, I don’t know why, but they are involved in so many kind of hacker schemes. These hackers for some reason really like to send people to Home Depot to get a gift card from Home Depot to pay them. And I remember I was leaving the garden center one day and there is a sign that said, like, the IRS will not ask you for Home Depot gift cards as payment. And I was laughing, because I’m mean.

Shayne Champion, CISO:

I actually saw on national TV last night, the IRS is running ads saying that.

Sara Sofia, Cybersecurity Engineer:

Right. And I said to the cashier, I said, who actually thinks that? And she said she had stopped three people that day. And that kind of is one of those things that is, like, terrifying, that the cybersecurity, or something that’s preventing users from falling for scams, is the Home Depot cashier in the garden center saying, nope, I’m gonna get a manager, why are you buying a thousand dollar gift card?

Shayne Champion, CISO:

But honestly, I mean, it shows you bad guys really are preying on the weak. They especially love to extort the elderly, you know, who are just terrified of the IRS coming down on them, so they do anything they can to keep the feds away. I mean, as much as you want to joke about it, it’s really horrific and it’s very real.

Abby Rose Esposito, Marketing Specialist:

Yeah, my grandfather has been targeted a bunch of times, but you know what, it just shows you that even hackers want to work on their house, you know, they need Home Depot.

Shayne Champion, CISO:

Just go share your Club Penguin password and fix everything up.

Abby Rose Esposito, Marketing Specialist:

<Laugh>. All right, let’s talk about phishing. So I know we’ve said it a bunch of times and there could be some of our listeners who have no idea, but what is phishing in relation to cybersecurity?

Sara Sofia, Cybersecurity Engineer:

So phishing, in its very general sense, is just a method that attackers use where they are sending emails. They could also be doing voice calls, which is actually called vishing, or they could be sending fake SMS messages, which is smishing. But it’s basically an electronic communication that’s attempting to scam people, and they use tactics in here like trying to create a sense of urgency or telling you that you’re going to get in trouble if you don’t do this. So there’s a lot of social engineering involved in these emails, and essentially what they’re trying to do is either get users’ credentials or get payments of some form. So phishing is just the method of email that they’re using to attack humans.

Abby Rose Esposito, Marketing Specialist:

Got it. What can I do to avoid being a victim of phishing?

Sara Sofia, Cybersecurity Engineer:

So the best thing that you can do is really just take a second and really look at the emails that you’re receiving. So the minute you receive an email with something that’s making you nervous or making you feel like you need to react quickly, just take a second and breathe and really think about it.

Shayne Champion, CISO:

There are a lot of really simple things you can take a look at. Some of them are very obvious, like for example really bad grammar, bad spelling, because a lot of these attackers are overseas and are using Google Translate and don’t understand when something sounds awkward. But really the biggest single thing is just to pay attention to the little details, because the bad guys are counting on you being too busy and trying to get through your emails really quick and not paying attention when you click on that link or open an attachment. That’s exactly why we do at least monthly phishing email testing on everybody, just so that everybody’s aware all of the time and you’re looking for it. It comes at random times of the month. We don’t even know what campaigns are coming out on any given month. It happens because you’ve got to be aware all the time.

Sara Sofia, Cybersecurity Engineer:

So also, when you do receive emails like this, some of the things you can do to avoid it are not clicking links and not opening attachments. If you do get something that does seem urgent, it might be real. For instance, if you get it from someone you think you know, you can use another method of contacting that person in order to verify that it really came from them before actually doing what the email requests of you. For instance, I got a message on Teams one night that was a higher level employee asking me to reset their password, and I’m like, then how are they messaging me on Teams right now? I’m like, I don’t trust this at all. So then I had to verify that the person was who they really were before doing anything to help them. And in general you should use good methods.

Sara Sofia, Cybersecurity Engineer:

So one of the phishing campaigns that we actually saw at the company before was actually pretty clever. The person got an email from a client of ours that was from the actual client; it was from their email. Their email had been taken over, and the person didn’t trust the email. So they did at least go the step to verify that it was the right person. And they emailed back and said, Is this really you? This seems suspicious. And then the response that came back, it automatically came back, was yes, this is a trusted and safe link. And I was like, oh, the thing that saved the person in that scenario was that they had a relationship with the person and that’s not really how they spoke to each other. So it triggered more alarm bells, but they get really creative with phishing campaigns, and I mean you hate ’em, but you gotta respect sometimes the creativity of how they attack and the ways they think of things.

Sara Sofia, Cybersecurity Engineer:

So verify that it really came from the person, automatically be suspicious of attachments and links, and if you get something that’s really worrisome, reach right out to either the person or the company. So like if you get something that says your credit card’s, like, canceled, go to the credit card website, find their phone number and call them directly, and the majority of the time you’ll find out nothing happened and somebody is just messing with you. So just don’t click things. I also avoid, don’t answer, phone calls when you don’t know who they are, because no one really wants to talk on the phone anyways, because what year is it? Like, send a text message also? Well, except for now they also like to send text messaging things, but then ask yourself, is that person really a person who would text me in this manner asking for those things? Is this an appropriate communication? So you can live by my rules, where I just don’t answer my door ever, I don’t answer my telephone unless I absolutely know who you are, and I’m probably not gonna respond to your email —

Shayne Champion, CISO:

I will just take this opportunity to say I will be officially adding professional stalker to Sara’s job title.

Luke Franzelas, Cybersecurity Engineer:

I’d point out that here at MediSked we do have tools in place to help eliminate some of these options. Some things still get through, and even then we have that PhishER button that you can press if you’re not sure, that will send us a copy of the email safely and we are able to examine that for you. In addition to not responding to emails or phone calls or texts, one of the other things that I personally do is I don’t look at my personal email on corporate devices, because my personal email account may not have the same level of protection that our corporate email does. That’s, I don’t think that there’s a policy against that. That’s just a personal thing that I do.

Abby Rose Esposito, Marketing Specialist:

Well, thank you guys for being here. Do you have any last words of wisdom for our listeners?

Sara Sofia, Cybersecurity Engineer:

Be a hermit and don’t talk to other people or answer any emails?

Abby Rose Esposito, Marketing Specialist:

<Laugh>

Shayne Champion, CISO:

Caspar Weinberger, who was a former, former, worked in the White House, had several major roles in government, said that even paranoids have enemies. You know, being a little paranoid is a good thing, and there are a lot of bad guys who have access to easy technology. Don’t make it easy for them, pay attention.

Abby Rose Esposito, Marketing Specialist:

Awesome. Well thank you guys for being here and we look forward to having you back on the podcast again soon. Have a great day everyone.