GLBA: A Focus on Device Security
I'd like to talk to you about device security.
We have a lot of devices in our lives nowadays. Many of you have laptops. A lot of you are working off of Surfaces, and iPads, and iPhones, and Droids, and some of you went old school with BlackBerrys.
I'm very proud of those of you who still have your Nokia flip phone. It's probably the safest phone out there when it comes to device security, because I don't even think it's hackable. I mean, maybe, but you'd have to try really hard, and for what?
But a lot of you have these devices, and we have to think about the way that we manage our devices so that we can make sure that nobody can steal information off of our mobile.
The first and easiest thing that you can do to protect yourself is never use your phone for any sort of work-related activity. That is the safest thing you can do. Don't use your phone to check email that would be work-related email. Don't use it for anything that would ever link to a borrower’s identity, those types of things. Just keep it a regular phone and play some Minecraft on it or whatever you want to do. That's the easiest way to do it.
Now, I use mine for work because I travel quite a bit. A lot of you are on the road quite often, and so you'll use your device for work, and so sometimes it's unrealistic to just not use it for work.
So you might be using it for work. Now, a lot of you work for a company that has limited your ability to use your phone, so it's got a security system on it where, if you take off the security system, it won't let you check your email anymore, and that's great. But at a lot of companies, you just have your device, and you're dropping all kinds of stuff on there, and I want to give you some information on what you need to pay attention to.
The first thing I'd love for you to do is know your company's policy on your device and how you manage your device. Every company should have a policy that deals with devices, apps that you download, sites you go to, passwords, and all that stuff. You should have something that stops you from just opening up your device for everything. So, for example, there should be some sort of password policy that says you have to have a minimum length (maybe it's 10 digits, maybe your company is using 4), and maybe a fingerprint works if you've got a phone or another device that allows for fingerprint technology. That's all good stuff, and it limits people's access to your information. One big thing for you to remember is that if somebody were to grab my phone because I left it somewhere, I want them to not be able to get into it. So, when mine's locked, it actually shows you that it is locked, and you need to put your thumbprint on it.
For a lot of you, if you leave it sitting somewhere and you've got a password on it, somebody picks it up and they can't get through the password. Where that's big is there's something called Find My iPhone. So, for those of you who have Apple devices, Find My iPhone allows you to find your iPhone wherever it is. I can go on there, I can say, "Where is it," and it will show me exactly where it is. If I don't have a password on it, a bad guy who grabs the iPhone can jump onto it and simply turn off Find My iPhone. If it is password protected, they'd have to figure out how to get past that. But if it doesn't have a password, they can just take care of that, and then they can make it so that they can still use your phone and you can't get to them.
The other thing that people are doing now is when they grab your phone, they just break it, and then they take the hard drive out of it, and then they can use the hard drive to pull all the information off of it.
So, these are areas where you want to hold onto your information, but you also want to password protect it. Just do everything you can to make sure people can't get into your technology.
Another thing that I'd like you to focus on is the apps that you download. There are so many apps now that are not real apps. They look like they're real apps, but when you download them, they actually just open up your phone for them to be able to do things in your phone. There was a bunch of them just recently that were Android apps where they have this great app, once you download it, if your battery's above 50%, it starts mining Bitcoin using your phone, and they've caught a lot of these. One had over one million hits, so over one million people had downloaded this app, and the system was using it to mine Bitcoin using their phone. And so, all these Android users were like, "Why is my battery dropping so fast?" It's because your phone was being used by bad guys to mine for Bitcoin. So, be careful when you download apps. Look at the history of the app developer, look at who makes the app, and make sure that it's a legit app before you download it, and follow your company's policy around what apps you're allowed to download.
Don't share your passwords with other people.
So, once you have your password, don't write it down anywhere. Don't share it with other people. Fingerprints are the easiest because you can just scan it, but make sure that you keep that to yourself. Do not leave any devices in an area where somebody could easily access it. So, if you leave your office for, let's say you're going to lunch, lock your office door or take your devices with you.
Never, ever, ever, ever, ever leave them in the car because that's just easy for somebody to look in and go, "Oh, I want that," and smash it.
I've been known for my backpack. I wear a backpack a lot of places because that's what I keep all my devices in, and I will be walking through the mall, I've gone to a Blazers game with my backpack on just because it's got my devices and I'm not leaving it in the car. So just get used to that.
One way I do this best is when I'm leaving the office if I'm going somewhere directly from work, I try and think, "Okay. Do I need my devices tonight? Or can I leave them locked at the office?" And if I leave them locked at the office, I don't have to worry about putting them in a backpack and carrying them around with me. So, think about that before you leave work. Maybe you should leave them locked back in your office.
If you have janitorial service, that means locked in a file cabinet that they don't have a key to. So, make sure that you're doing that.
Use common sense. There's a lot of craziness out there. Just be thinking all the time, "Somebody wants to get into my phone." If you look at what people are hacking for nowadays, a lot of times they want to get into your phone for stuff like Bitcoin. Those are major hackers that are diving in, and they've written some crazy code or script. But lately, there have been a lot of extortion-based and blackmail-based hacks where somebody sits in a coffee shop, they pick up passwords because you jumped on the coffee shop WiFi, they grab your password, and then they log in as you to, let's say, your Gmail account.
In a recent case, it was actually a State Department employee. He was able to hack into all these people's accounts. He did it with just one phishing email where they thought they were changing their Gmail password. Really, they were just sending him their Gmail password. They just didn't know it. And he went through their emails, found incriminating evidence, and then blackmailed them and said, "I'll release all of these pictures of you if you don't do the following." So that's what you're seeing more of: bored people hanging out at coffee shops, pulling off user IDs and passwords, and then logging in, grabbing confidential information, and then using it to get you to send them money or they'll release all of your data. So always assume that there's somebody who wants to get into your phone, and you should pay attention to that.
If you do use Bluetooth (some of you use Bluetooth; I have a speaker that I use Bluetooth on), when I go to listen to that speaker, I turn the Bluetooth on, and when I walk away, I turn the Bluetooth off. It's tougher to do now that I have the Apple Watch because it syncs. So, I've got to be careful that I don't have my phone accepting random Bluetooth connections, because what people will do is they'll get into your phone via Bluetooth. I don't know if any of you are watching Mr. Robot, but it's crazy, and they've got a great example in Mr. Robot of hacking in through Bluetooth. It's pretty crazy.
If you watch that movie (not a movie, it's a TV show), a lot of that is real stuff that people are actually doing. Anyway, you should totally check it out. It's crazy.
If you have Bluetooth on and you see something come through that says, "Such and such wants to connect to your Bluetooth," that's potentially a hacker diving into your phone to grab things off it. They're looking for passwords and that type of stuff. It is so cool to have the convenience of everything that we have available to us just by clicking a button. It's just that you want to pay attention to those things. Just like when Facebook first came out and people posted Facebook ads that, when you clicked them, added viruses to your machine, it's the same thing. The new thing is mobile, and mobile is so easy to hack.
So, pay attention to it, follow your company's policies, don't jump on any sort of public WiFi, and just be aware.
That's it.