This series breaks down the main components of ‘digital citizenship.' We seek to empower listeners to become active, participatory citizens in the digital world.

Why simple mistakes lead to major cybersecurity risks

Jason Pufahl (right), VP of Security Services at Vancord, stands with a colleague at the company’s Connecticut office.
Jason Pufahl

Article

Advancements in technology in recent years have also brought about new cybersecurity threats. But despite the complexity of many targeted attacks and scams, one cybersecurity expert said that cybersecurity breaches are often the result of simple mistakes.

Jason Pufahl is a cybersecurity expert with 20 years of experience in infrastructure and information security. Pufahl is the VP of Security Services at Vancord, an information technology and cybersecurity company based in Connecticut. He said many people are still making the same errors in cybersecurity.

Jason Pufahl speaking at a panel.
Jason Pufahl

“One of the biggest mistakes I see routinely is somebody using a single password frequently or maybe just a variation of that same password,” Pufahl said.

Large-scale security compromises are common with websites that require users to log in. A few years ago, LinkedIn suffered a database breach that compromised millions of usernames and passwords. Pufahl said the intent of that compromise wasn't to gain access to the account, but rather to exploit people who reuse the same password across multiple log-ins.

“They understand that everybody uses the same password for everything. So if they can get them, they can try them at your bank, they can try them at your healthcare provider, and different places,” Pufahl said.

In addition to unique passwords and password managers, Pufahl said people should use multi-factor authentication and be vigilant of email phishing. That’s when fraudulent emails try to trick people into responding or providing sensitive information. He said these emails often pose as a bank, a doctor's office, or another service provider.

Pufahl said wearable technology, like smartwatches and health apps, is an area where some users might not realize they’re sharing personal information. He said people who use services connected to third-party apps should be wary of agreeing to certain privacy policies. Companies have sold users' personal data, which is why Pufahl said it is essential that users routinely check their privacy settings.

“Those platforms succeed by the broader distribution of information and data. So they’re going to change their privacy settings and their sharing settings pretty regularly. Probably a couple of times a year,” Pufahl said. “So you really want to go in and make sure that the privacy settings are set the way you want them.”

Pufahl said young people, in particular, can often make mistakes online that leave them vulnerable. He said they should be mindful of what they post online. Photos, videos or social media posts could have an impact on their careers or personal lives in the future. Once something is posted online, it is difficult to remove it from the internet. Even if a post is deleted, Pufahl said it could still exist online.

“Once something is made available digitally, it's easy for people to copy it, and it's easy for people to share it. It’s very difficult to sort of globally and permanently expunge data. I always counsel people to be very mindful of what they post,” Pufahl said.


More info:

Featured Guest: Jason Pufahl is a cybersecurity expert with 20 years of experience in infrastructure and information security. Pufahl has spent the last 15 years dedicated to information security and privacy. He earned a Master’s Degree in Education Technology from the University of Connecticut, holds numerous industry certifications and frequently speaks on topics related to information security technology and awareness.


Resources:

  • Jason Pufahl is the co-host of CyberSound™, a podcast that features conversations with cybersecurity professionals.
  • The National Cybersecurity Alliance provides guidelines for setting strong passwords and other best practices to stay safe online. 
  • Multi-Factor Authentication and how it works.

Transcript

Roman: What are some fundamentals to secure our digital information, sort of good habits that we need to have as a standard?

Pufahl: So, the first thing that I would tell anybody is to ensure that you have unique passwords for really, for any site or login that you have. One of the biggest mistakes that I see routinely is somebody using a single password for everything, or maybe just a derivation of that same password. You really want to think about being unique anytime that there's a compromise, and we see large-scale compromises all the time. A few years ago, LinkedIn had a multiple-million-user username and password database compromise, and the intent isn't necessarily to be able to capture those and log into LinkedIn. It's that they understand that everybody uses the same password for everything. So if they can get them, they can try them at your bank, they can try them at your healthcare provider, you know, different places, make sure you have a unique password.

And the second thing that I would say is anywhere that you have data that's sensitive. So again, your bank, life insurance, doctors, you know, things like that. In particular, make sure you're using multifactor or second factor, so that you have a secondary way to validate who you are. Those are both really critical, sort of critical things. The other thing that I would say is phishing still works, and for people who might not know what phishing is, right, it's getting a fraudulent email that's essentially trying to trick you into responding, probably providing your credentials. But the objective is, can they pretend that they're your bank? Can they pretend that you're their doctor's office and trick you into providing your credentials? So, of course, they can log in as you. Pay attention to that; it still works. It probably works a little bit better nowadays, even with AI, because you don't have to, you know, you don't have the opportunity now as a recipient, to really see grammatical errors and spelling errors that you know traditionally existed, because AI takes care of a lot of that for you.

Roman: Now, can we talk a little bit about other areas where data may be collected, things such as apps, wearables, and home security systems? What are the ways that we are unknowingly sharing personal data everywhere?

Pufahl: You know, the first thing everybody, and I do it, everybody does it, right? You log into a new app, and you simply hit okay to whatever the privacy policy might be; they'll share your data wherever they can monetize it. I mean, that's just the reality. And so you have to assume, you know, frankly, any app that you're using is selling your data. And depending on the type of app, I think there's potentially more risk to some. You know, I'm a big Strava sort of sports fitness app user. There is tons of information there that has relevance to insurance carriers regarding your health, right? Whether you're exercising, whether you're not exercising, you have to assume a lot of these providers are selling your data, even if it's a, even if it's a paid subscription that you've got, right? You can guarantee it. If they're free, if they're paid, though they're still monetizing your data in other ways.

Roman: We hear a lot about artificial intelligence tools like chatbots, image generators, and writing assistants. What are a few things that we should be mindful of when engaging with these types of platforms, from a cybersecurity perspective?

Pufahl: My biggest concern, really, for AI right now is the ability to spread just misinformation or disinformation. Certainly, that's not a new phenomenon, but I think AI makes that a lot easier. And it's very difficult for people to discern, you know, a real video from a fake video, or, you know, real content or manufactured content, even if it's not actually accurate, right? And one of the things that I see all the time are people just trusting the results that, you know, ChatGPT, or you know, their AI bot of choice provides them. Not to say that it's, you know, typically giving wrong information, but you know, if you're trying to research a topic that you have no familiarity with, you know, people just trust the results that they get, and sort of have this blind faith that it's accurate and correct all the time, which just isn't, it isn't necessarily the case. So I think you know, the blind faith that the data they get from an AI chatbot is accurate is definitely problematic, and you are seeing some threat actors now are essentially injecting information into some of these AI models to intentionally return malicious code and malicious results. So I think we do have to be vigilant to that type of misuse as well.

Roman: What are some ways that listeners can safely navigate social media? Or as a matter of not being on social media?

Pufahl: So if you had asked me this question a year ago, I would say, with social media, you really want to be mindful of what you share, and this still holds true; you want to be mindful about what you share, right? Because not everybody that you're sharing with might know everybody, right? So if you're on vacation, try to make sure that family photos and things you know about the fact that you're traveling are shared to a smaller audience that you actually know, rather than a giant public community. Because there's risk there, you know, publicizing that you're away for an extended amount of time, you might not want everybody to know that. And those platforms succeed by the broader distribution of sorts of information and data. So they're going to change their privacy settings and their sharing settings pretty regularly, probably a couple of times a year.

So you really want to go in and make sure the privacy settings are set the way you want them, and to make adjustments periodically, because, similar to our earlier conversation, they're updating their app features all the time. They're probably updating them to share information more broadly, right? They're not looking to keep your data private. It's incumbent on the user to make sure the settings are configured the way you want. Fast forward now to the day of AI and I'm not a huge social media user, but I feel like I have a lot less interest now in wading through all the AI-generated content, all of the sensationalized content, all the things that you see people pumping out, because it's really fast, really easy, and, frankly, really high quality. So it's sometimes difficult to know, you know, whether I'm looking at an avalanche that occurred on a highway in Denver, or if it's fake. And you have to spend, you know, frankly, precious seconds of your time trying to figure that out. And I think it's just getting more and more cluttered with falsity, and I think it's a less compelling space in most cases.

Roman: We all have some kind of digital footprint, but if there is information that is found out online that maybe someone doesn't want to be online. How? How can they go about deleting information about themselves online? What's the best way to approach that?

Pufahl: Yeah, it is difficult. You can certainly reach out to, I'll say, reputable providers. So you can reach out to Google, if there is, you know, say false if there's false information that maybe has been written about you, right? They might be able to do some take-downs if there's a legal process, typically, to follow something like that. So as long as you're talking about some of your more established, more reputable sources, they will often have a formal way to essentially file a complaint, ask for data to be taken down or expunged, and it will probably be a lengthy process. It probably won't be super easy to do, but there is a way to do that, if you're talking about some of the more you know, maybe fringe social media sites. That probably gets a little bit more complicated. They aren't built necessarily with legal teams and processes that are as robust. But it's going to be different for each platform. It's never going to be incredibly straightforward. And the cynical part of me sort of says, once something is made available digitally, it's easy for people to copy it. It's easier for people to share it, and it's very difficult to sort of globally and permanently expunge data. I always counsel people just to be very mindful about what they post, and young people in particular, you'll understand that everything you're posting when you're 18 that seems, you know, cool and appropriate might not be so cool and appropriate when you're 21 looking for a new job, and people are starting to use social media to see what kind of person am I hiring, and that's just part of the job search and a job hiring process now, right?

Roman: What is one thing that listeners can do right after listening to this to better secure their data or digital devices?

Pufahl: If you can listen to this, walk away and at least know that you need a unique password for everything. I'm not saying you should, you know, turn this podcast off and change every single password you have, although that would be great if that were the outcome. But you know, every time you log into a new website, change your password and make it unique. There are great tools out there, like 1Password, Dashlane, and LastPass, that will help you keep track of those unique passwords. So I think part of the reason people often have one is that they feel like, well, I don't want to have to remember, you know, 10, 30, 50, 100 passwords. But if you use an app to track them, and these apps are secure, that will make your life, you know, both. It'll make creating, storing, and referencing the passwords easier. So my advice would simply be, get a unique password for everything and use a password manager to manage it.

Jeniece Roman is a reporter with WSHU who covers a range of topics, including education and technology. She has written about digital media literacy, misinformation and artificial intelligence.