Tips to avoid today's cyber threats
Now, I'll turn it over to today's presenters. Take it away, Charles.
Charles Banks, and I manage our Security Briefing Center operations here at U.S. Bank. My team is responsible for both the maintenance of a state-of-the-art information and cybersecurity center, and also raising cybersecurity awareness through engagement. And that engagement is aimed at educating both our internal employees and our external client base on the cyber threat landscape. We also cultivate and coordinate proactive community outreach with a focus on STEM and STEAM education and the development of the next generation of young cybersecurity professionals. Thanks for having me. David--
Yeah, my name's--
--I'll hand it over to you.
Hey, thanks, Charles. My name is David Morris. I manage the Cybersecurity Exercise Program at U.S. Bank, where I lead exercises that enable our organizational team to be better prepared for response to cyber incidents and for the protection of our customer assets. Prior to joining U.S. Bank, I was the CTO for the Enterprise Office of Cyber Security with the state of Washington. And Tyler, the floor it yours.
Thanks, David. Good afternoon, everybody. My name is Tyler Willis. I'm a member of the Security Briefing Center Operations Team, where I serve as the senior coordinator and engagement coordinator for our Cybersecurity Incident Response Center's security awareness delivery. In my role, I both create and deliver cybersecurity awareness content that's focused on providing a practical education and ways to protect your information online, whether at home or at work.
Thanks, Tyler. Let's start with a poll. We want to know, are you currently working from home? Answer yes or no using the radio buttons on the right side of your screen. The poll will be open for five minutes.
David, it feels like there is always a new cyber attack going on. What are some of the new attacks that you are aware of?
Yeah, thanks, Courtney. And definitely, there's many cyber attacks going on. And most of these start with criminals sending a lure that is centered around a trending topic to try to draw your attention.
And these topics, they typically vary throughout the year. They can be sporting events, holidays, Black Friday, or some other big shopping day, as well as tax season, as general examples. And then this year, of course, with considerable demand for information and news about COVID-19, criminals have commonly embraced this as an overarching theme with the lures.
Now, they are generally five categories of threat actor groups. You've got fraudsters, terrorist groups, hacktivists, organized crime, and nation states. And each of these groups, they have their own objectives and their own motivations.
And generally, the fraudsters or the general criminals, these are the least sophisticated. But they're the most numerous of the groups. And these groups have been using the COVID news trend to fuel their fraud in their criminal campaigns. And the numbers are depicted here on this side. You can see the massive increases that we saw as soon as everyone started shifting to the stay-at-home orders and with the increased demand for COVID-related news.
It's very important for you, as an individual, to put a red flag on any unsolicited or suspicious COVID-related messaging that arrives in your inbox or your texts or your social media. And generally, know that any trending topic is viewed as an opportunity by these groups to try and direct you to download the malicious software that they use. So be especially cautious of trends.
One other important impact that COVID has had has been the shift for many of us, and we'll check the poll here in a moment, to working from home and also remote learning. Many of the organizations, we had to very aggressively change and tried to adjust security measures to keep up with that transition. And that shift has led to opportunity for cyber criminals as well. The connected home now and the tools that we use for remote collaboration, these are now under attack because of this spotlight. And so it's a good time to just pause and look to strengthen your home's cyber defense.
Looking at the poll results, I'm showing that we've got about 30%, 36% saying they're working from home versus not at the 24%. So recognizing that there is that shift, and that has changed the cyber attack surface, certainly. And we'll look to address that here in a few slides and during the course of this webinar.
Of course, to discuss-- to discuss cyber crime in 2020 is to discuss ransomware. And Verizon recently named this is the top-five threat. Ransomware, we thought in the security field, was going to drop off in 2019 and certainly have in 2020. But because it's been so lucrative, attacks have continued to increase. The estimated cost is $11 billion in 2020 for businesses.
Now, the FBI defines ransomware as a malicious software that encrypts or locks valuable digital files and then demands a ransom to decrypt them. And fortunately for us as individuals, ransomware targeting consumers is declining. Originally, that was the target space. But the overall infection rates are growing, and particularly among large businesses.
And I'll just talk through a few quick points about ransomware. The attackers typically ask for payment in the form of Bitcoin, which is a type of digital or cryptocurrency. And that's because of the privacy aspects that are inherent to Bitcoin. It makes it difficult to trace.
These groups, they've become so sophisticated and so mature in this ransomware business now that some of them offer 24/7 help desk support to even just walk you through, as the potential victim, how to make a ransom payment using Bitcoin if you've never done that before. So that's where they're at. They're definitely aligning themselves as a service provider, as a-- sort of very strong organizational maturity. Now, the FBI doesn't support paying a ransom in response to ransomware attacks because it just perpetuates the cycle. It emboldens criminals to launch even more attacks.
And here on this slide, you can see some of the trends. Some of the hardest-hit industries have been government, healthcare, and utilities, and especially those in the supply chain. I come from a government background, as mentioned. And certainly, I had many different incidents that I was dealing with on ransomware and targeting for state and local government.
These groups are targeted most frequently because they have very little tolerance for downtime. With some, public health and safety is at risk, and especially in government space. It's mostly about money for the criminals. So they look to see, if you can't take the downtime, then you're felt to be more likely to pay the ransom. And also, many of the smaller local governments and health care, they've been underfunded or under-resourced in their ability to defend themselves to these attacks.
In the left column of this slide, you can see that the latest trend is to not only hold that data for ransom, but to publicly threaten to release the data. Sometimes, these threats are made on social media for everyone to see. And this is just a way to publicly shame the organization into paying the ransom. And we saw this in a couple of the local government attacks that happened in the last couple of years.
Another new tactical shift is for criminals to increasingly target shared mailboxes in phishing attempts versus individual mailboxes. So be on the lookout for that if you are a person or an organization who has access to a shared mailbox.
There's also been a shift to the increased use of text messages, messaging for sending out links to try to get you to click and then download malicious software. Studies have shown that users are just a little bit less cautious responding to messages on their mobile devices, because you tend to associate them with your personal device and less so an organizational device. So there's a little bit of a more casual attitude there.
Now, your mobile carrier may have free services available to help block some of these unsolicited calls and messages. These leverage crowdsourcing, where individuals are reporting that there was a fraud or some other scam in play. So check your mobile carrier and see what might be available to you to help limit this activity on your mobile device.
Here at a high level, this is what a typical ransomware kill chain looks like. And with this crime, it's just like with kidnapping, the actual demand for a ransom happens last. That's the last thing that occurs, which means that you might have ransomware already on your device, on your network, and not even be aware of it yet. So you have to be proactive at all times to make sure that you're backing up your data that's critical to you and to your organization.
So just briefly at a high level, I'll move from left to right on the slide. So there's a series of events needed to get to that ransom demand. It typically starts with that trendy phishing message. I mentioned that most of them now are COVID related. Or there's some other lure that is looking to get you to-- the malicious software installed on your device.
That software then calls back to an attacker-owned system. And it generates a unique encryption key. That key is what's used to encrypt your data. And it's using security industry standard encryption, that same encryption that's protecting us when we shop or when we're storing or our data on an endpoint device. That encryption is typically what's being used to lock up and hold your files for ransom.
That key is kept on an attacker-owned server. And it might be provided paying the ransom. But there's just no guarantee. And also, many of the ransomware variants, they'll have a countdown clock. Originally, we've seen that splash screen of the ticking timer for paying the ransom, otherwise the decryption key will be destroyed if the ransom isn't paid.
Thanks, David. That's great information. Charles, it feels like there's always someone looking to make a profit at someone else's expense. How can our audience avoid being a victim to these threats?
Good question, Courtney, and good information, David. I'm going to follow up on some of the points that David just made, especially when we start to talk about and identify those ways that the threat actors will actually approach their attempted to com-- or attempt at compromising your information. But the one key word-- this will be my information security word for the day-- the one key thing that you need to do in order to protect yourself from these threats is to be diligent. What that means is that we have to be diligent in our education and awareness. So protect your information online.
As David mentioned, understand the trends that are where you are. So if there are trends that are showing up via text message, understand those trends. If there are trends or threats that are showing up on social media, be aware of those.
Be proactive. Become an informed user of any platform that you're using, whether it's email, text, even accepting phone calls. And you'll see some of the examples that we're talking about on this screen here. I'll give you definitions of that. But be an informed user of that platform.
Understand the trends and the threats. And if there are threats that are trending upwards, it's because we're hyper, hyper-connected at this point in time. And understand that. We're working from home more.
We're using our personal cell phones, our work cell phones, our laptops, our tablets. We're hyper-connected. So again, understand that connectivity can lead to more compromise. And then continuously raise your awareness.
The information that we we'll talk about today from a threat perspective may become outdated or change by next week. There may be a new approach to all of this. So the first thing to do is, again, understand those strategies through awareness that the cybersecurity criminals might attempt to use.
So on this screen, you'll see three different approaches that we'll define. So the first is phishing. A lot of us are extremely aware of what phishing is. But it's an email scam that attempts to, and appears legitimate, and attempts to, by appearing to be from a trustworthy source or a company or organization, it's attempting to entice you to provide personal or account information or authorization for some type of transaction or process, right? So again, its approach is through email where we are.
This second is smishing. David mentioned this in the fact that we're all so hyper-connected and we all have supercomputers that we all carry, our cell phones, we're all using supercomputers and we're communicating more through text. For instance, I can't get my sons to call me. But they'll send me a text message in a heartbeat, right? That's where we're communicating.
And so the cyber criminals understand that. So smishing, or text message, let's call it social engineering, is on the rise. It's any kind of phishing involves a text or an instant message.
The next would be vishing. And vishing is the practice of making a phone call or leaving a message that claims could be from a reputable company or someone that you expect a phone call from in order to induce you to reveal personal information about yourself. Hey, this is a call from your IT department. We need to reset your password. We just need to confirm some information from you.
All three of these approaches, they will have very similar red flags. And a lot of these we've all-- we're all familiar with, just based on our education and awareness to phishing. But all three of these threat vectors, let's call them, they all have very similar approaches.
They have a sense of urgency. You have to act immediately. So if you look at this example that we have pulled up, there's that urgency, respond now or the consequence of not responding now is that you won't have access to your email. There's an immediate action that they're wanting you to take.
Next, they're asking you for sensitive information, whether it's your PIN number, it's your password, or if it's for you to approve a wire transfer as a part of the authorization that you perform every day in your day-to-day job. It's asking for you to either share sensitive information or perform a task that could have sensitive information attached to it. The messages typically will have a shortened hyperlink or some type of link attached. Now, we all know, simply hover over that link, upper left-hand corner of your screen-- that's my left, I think, today-- it will show you exactly where that link might take you.
So hover over that link. Typically, it'll have a link attached. But you want to look for the HTTPS, right? HTTPS is what you should be looking for to let you know that it's a secure link.
Another tip is to look for that "reply to" address. Typically, there may be a simple variation in the "reply to" address, where simply one letter has been changed, right? So if I send you an email from U.S. Bank and my email "reply to" address is to a Gmail email address, then that's a little fishy and you may want to take a little more diligence to understand that it may not be truly from Charles Banks. So again, pay attention to those keys. Those things that we're used to, pay attention to those as well for phishing, for smishing, or for a phone call you might receive if it's a vish, right?
Courtney? All right, so Courtney just let me know that her-- her Webex is offline. So I'm going to take the ball on this one. So improving our social media-- our social engineering techniques continues to be the trend for criminals to meet their objectives. So Tyler, Tyler, what have you seen lately related to these new social engineering techniques?
Absolutely. So we can see a number of trends and really common phishing scams we see out in the cybersecurity landscape. And here in a moment we'll have that on the screen. But I can detail that out before you pop in there.
So Charles just gave us the definition of the three different types of phishing scams. So let's go through and actually talk about the ones you guys will see and our audience will see in a day-to-day. I'd imagine some of these you've either heard about the news and/or actually experienced firsthand.
So we see a lot of telemarketing fraud that comes through on all forms of phishing, smishing, or vishing. This is an extremely common case. And when it comes to telemarketing fraud, the number one rule is if it seems too good to be true, then it most likely is.
We might remember the Nigerian prince scam from two decades ago. Someone would get a letter in the mail and/or an email saying that there is $10,000 sitting in an account. If you want access to it, simply send us $500 and we'll give the rest of that money to you.
A 2020 version of that, and we see these through smishes, through text, is a foreign country lottery winner. You may receive a text that simply says you won the Lottery of Canada. Please click here and give us your routing and account number and that money will be put into your account immediately. Again, if it seems too good to be true, then it most likely is. And Courtney, are we able to go to the next slide forward?
OK. I'll continue on. Government impersonation-- another scam attempt that we see in the current landscape. Governmental impersonations typically happen during the election season, which we are currently in the midst of right now. It is October 2020, after all.
Threat actors have a political agenda that they are trying to push. They do this by putting out misleading information and/or slander against specific candidates that might not fall within the realms of their political agenda. I actually talk about that more here in a moment. Charles, give me a thumbs up if you can hear me.
I can hear you. Can you hear me?
All right, perfect. Absolutely.
OK.
Good. Cool.
And then Tyler, can you or David take the ball if possible?
I will do my best.
And then that way, we'll be able to advance the slide. And in the meantime, while Tyler is doing that, what I'll do is reinforce the point that Tyler just made in that there has been a level of sophistication that we've seen on the rise, even from five years ago, in the types of phishing that we see. So the phishing emails from five years ago are very different than the ones that we see in 2020. And a lot of that is based on there being open-source intelligence that is available and a larger degree of our sharing information about ourselves that is now being socially engineered and pulled together to craft a more sophisticated message. Whether it's a phish, a smish or a vish, all of those approaches are now pulling up information about us that we've shared online.
Whenever we accept cookies when we visit a website-- one of the things that you'll notice, especially probably today. Today is Amazon Prime Day, day one of Amazon Prime Day. When you accept a cookie on a website, what happens is that information is then used to pull together targeted information or advertising toward you.
So if you think about it, if you visit one website and you're looking to purchase shoes, now every other subsequent website you visit has an advertisement for shoes. That's because you've accepted a cookie. Understand that. Understand that we're going to see a level of sophistication with all of these social engineering exploits, simply based on the amount of information that we share.
And one of the things that we see on the rise because of that, because of the information that's been gathered about us, is that there is a rise in business email compromise. So if we look at the next slide, what we'll see-- there are some very interesting numbers that have sprung up simply based on the amount of information that we share. The one that jumps out at me in the middle of our screen is that $1.7 billion. I'm going to define first what business email compromise is. And then I'm going to attach a bit of information to that very large number in the middle of the screen there.
So BEC, or business email compromise, is a sophisticated scam that targets either a business or an individual who either performs or authorize the transfer of funds. Some type of authorization takes place. So whether it's a wire transfer, an invoice payment, or a direct deposit, routing for direct deposit, the scam is often carried out when the threat actor compromises a legitimate business email account and then through social engineering or computer intrusion technique, what they do is they attempt to conduct an unauthorized transfer of funds.
Hey, we need you to authorize this wire transfer for $1.5 billion. Did I say billion? That's a lot of money. But $1.5 million authorization that could potentially result in the loss of a venture. So you want to make sure that we're aware of what they're trying to do.
So business email compromise is constantly evolving as scammers become more and more sophisticated. So that number in the middle of the screen, for the last full year of finalized numbers, there was loss to the tune of $1.7 billion, simply based on business email compromise, whether that's a click on a link or if whether that's an authorization for a wire transfer. It's a very lucrative business for the cyber criminals.
And you heard David mention early on that they run this like it is a business. And that's because it is. If you're making $1.7 billion in one year simply based on compromised information that people share knowingly, then you're going to do this in a highly sophisticated way. So we have to expect that.
Now, the scams-- typically what we'll see, especially in today's heavily connected work-from-home environments, the compromises have evolved to include the compromise of your personal emails, the compromise of vendor emails or customer requesting emails, even spoofed lawyer emails. Hey, your lawyer who's working on your tax return case, whatever the case might be, they've sent you an email, and that's a possible spoof email. There can even be requests for W-2 information.
Or right now, we see the trend of the real estate sector being heavily targeted by cyber criminals. And that's simply because in most cases, there's a heavy reliance on wire transfers in order to close some of these deals rapidly. And there's even fraudulent requests now for large amounts applied to gift cards.
So what's next? What are we going to see next? If we look at our next slide, all of this social engineering has, again, followed us to where we are. We're currently super-- let's call it hyper-connected to all things online.
And that includes social media, especially now, even the environment that we're in. So the criminals have gone the way of manipulating our social media use and even gone as far as taking that very next step of creating deep fakes. So we're going to talk about what you can do to both recognize and protect yourself against that.
So a recent breach that you'll see on the screen and I'm sharing now, earlier this year, an Instagram influencer-- I'm sure we all know what those are these days, that's actually a career choice-- but an influencer went through the process of asking her followers to send her their account numbers. And then what she would do is she would make the promise of depositing a large amount of money into those accounts. And all they would have to do in order to be paid a certain portion of that deposit, all they would have to do is send her the remaining funds.
Just take the money from the account. Once you deposited this check, send the remaining funds to her and then she would pay you a portion of that. So that's a very old scheme that found a very new way of actually being perpetuated, so again, following up to social media.
Twitter, earlier today we heard about the-- or earlier this year, we also heard about the Twitter breach. So they've been past presidents or current political candidates and even CEOs that have fallen victim to the Twitter breach, where their accounts were taken over. Now, what can this lead to? What's the impact there is, well, your followers can be moved to make a financial decision or form opinions about how they should vote.
So again, social media is a big target now. Mark Zuckerberg has actually been a recent victim of a deep fake. And I'll define what we mean by deep fake. But he was a victim of a deep fake video.
So a deep fake, that is a synthetic media in which a person or an image-- and it sounds like I'm reading it, it's because I am on this one part-- a synthetic media in which a person or an image or a video is swapped in another person's likeness. So deep fake, they leverage powerful techniques from machine learning and AI or artificial intelligence to both manipulate or generate visual and audio content meant to deceive. So there's a deep fake video created of Mark Zuckerberg making statements about his wealth, right? That could possibly cause the stock of Facebook to fall because of the way that deep fake video portrayed Mark Zuckerberg. And the other thing that we've seen is that TikTok has actually gone so far as to put a ban on deep fakes or deep fake videos or media because of how big of a threat it has become.
Now, there are a few ways that you can spot this. One of the things that you can do is pay attention to the facial features on those videos. Typically, there will be an unusual feature, either rapid blinking or a misaligned eyebrow or eyebrows. Also, the audio typically doesn't match up quite the way it should. There may be a stutter and a cut.
So let's say a political leader is coughing on the screen, but that cough is cut out. And there's an abrupt connection or re-edit, where you can tell something is missing. The other difficulty with deep fake video is that the lighting can be difficult to really truly represent the natural physics of light.
So those are the things that you should be on the lookout for. Be a responsible digital citizen. And again, remain diligent and aware of the social engineering that is following you to where you are, whether it's social media and someone asking for you to perform a particular task, or whether it's a deep fake video that's wanting to manipulate you into thinking a certain way. And then I don't know, Courtney, are you back on?
I think so. Can you hear me?
I can, Courtney. Great. So David, how are organizations teaching people to be aware of these different things to look out for?
Yeah, thanks, Courtney. There's certainly been a shift here in the last five years or so towards embracing gamification. And on the next slide, Tyler. Thank you.
And, of course, I, as a security practitioner, I would love it if the technology simply blocked every malicious message. And unfortunately, there's a few that slip past the goalie, so to speak. So there's still remains a strong human element to detect and avoid cyber attacks and scams.
Now, many organizations, they've shifted to using gamification to simply incentivize individuals to consume products. And I certainly do this. And there are these schemes and apps that track points towards progress and rewards in airlines, in dining and exercise, all sorts of different industries.
Now, the steps depicted are effective in creating active participation. And the reason that it's so effective is because it creates individuals who want to do this. So they're rewarded for positive behaviors.
And that's why we're also seeing this now with security awareness. And it's been very effective in creating a security-minded organizational culture. It gives us a sense of accomplishment and helps us and the organization to just generally raise the bar.
It's a very different culture than in the past security awareness, where maybe there was an electronic whip or some other stick method to simply enforce those mandatory trainings that you have to do once a year. So certainly, this has helped. And if you or your organization is interested in just general free security awareness resources in addition to those that we have published that USBank.com. For example, that's a live phishing demonstration that I think is fantastic from one of our red team members that's on there.
There are also these great resources online that allow you to speak to individuals, families, or organizations, available from the National Cybersecurity Alliance. And this month, of course, is Cybersecurity Awareness Month. So there's lots of material that's out there right now. The Center for Internet Security has a great number of materials that are freely available and newsletters that you can subscribe to.
And then one that I like to use when doing school outreach to middle and high schools, Netsmart. They also have a security awareness that's available for family members. That's fantastic, so highly encourage you to check out these as free resources that are available to you, either as an individual or as an organization.
Yeah, and David, to your point, Tyler and I, I mentioned the out community outreach that we do. We use a lot of those resources that you mentioned in both our process to gamify our approach to cybersecurity or information security for our younger partners. Netsmart is a really good one for even children as young as third grade. My fourth grade daughter, we found a lot of interesting information that helped her-- helped her wrap her hand around information security on that Netsmart site.
And then Tyler and I, with our teenage groups that we talk to, the Department of Defense actually has a web page that allows you to manipulate building your own network and securing your data in various points along that network. So there's a lot of information that can be complicated for some. But when you're able to gamify them and give hands-on interaction and manipulation of that information, it is absorbed much easier. And then Tyler, I think Courtney wanted to take the ball back for our poll. I think we have another poll question.
All right. Or if you--
[INTERPOSING VOICES]
Let me make Courtney the host here, if I can-- I'll tell you what, Courtney, are you able to steal that back? I'll stop sharing.
And it would be great if any of you have any questions about those platforms that allow you to experience the gamification of the information that we share today, absolutely reach out to us for that.
When I think to that point-- and I'll add this in there while Courtney takes that over. The topic of cyber security-- Charles and I, our outreach groups are high schoolers. There are fourth and fifth graders that are Girl Scouts. We have high schoolers. And we work with Northern Kentucky University on a regular basis as well.
Cyber security is a complicated topic. You go in. You hear a whole lot of acronyms real quick. It's hard to kind of wrap your head around that. What we found with gamification really is kind of get into the nut of this is a topic we want to share.
But gamifying gets that buy-in, even from a student that may not come in there really willing to learn about cybersecurity. Once we've used gamification, it's made that complicated topic that much more digestible to kids that are into it, or even the ones that might have an interest. But it helps get that out of them.
Absolutely.
I think Courtney it at this point, I believe. All right.
Thanks, Tyler. [INAUDIBLE] Can you hear me?
We can. You cut off there--
Better now.
--just a little-- a little bit, Courtney. But I can read off the next poll question.
Tyler, can you hear me?
Yeah.
Yes, I can.
I can hear you. Can you hear us OK, Courtney? All right, so here's what the poll's of--
OK.
So we're going to take five minutes to complete this poll. But what we want you to do is to answer that question. How many devices--
Yes, I can hear you guys.
--are connected in your home right now? Sorry, Courtney.
So that poll, we will-- we will open that poll now.
You do have five minutes, correct. And then we can fast forward to the next slide. All right. Let me take the ball back if need be. Ah, there we go.
OK. Yeah, it's unfortunate that that poll may not be released, because it will be interesting to see just how many devices are in your connected home right now. I've seen industry estimates anywhere from 5 to 20 in connected homes. And I know we, in our practice sessions, we were talking about how many we had. And we are all upwards of 20, I think, if I remember right.
But I mentioned earlier that criminals are now targeting the connected home. And for many of us, that means we need to step back and look at not just how many connected devices we have, but how these devices are configured. The internet of things, or IoT, as we refer to it, these are physical objects that now have embedded technology to allow them to connect to the internet.
A common example is the smart TV, which are so common now, I don't think you can walk into an electronics store and purchase a TV that's a non-smart TV, one that's not an IoT device. One of the most famous predictive numbers was put out by Gartner in 2010 that there would be 50 billion IoT devices with a 50-fold data increase in 2020.
Now, I think we're well short of this mark. And it depends on who you ask. But I do think we're somewhere between 25 and 35 billion. And there's certainly an upward hockey stick trend of these devices as we move through these next few years. So certainly, there's going to be a massive increase in the number of connected devices.
And with every holiday, birthday, et cetera, we certainly seem to accumulate more and more in my home, at least. And these advances in technology, they're great. They make our lives easier and they provide us with information and services at our fingertips or even by voice.
However, of course, with all this connectivity, it does open this up to more vulnerabilities. On I think the next slide, but these devices, they do get attacked within five minutes of being connected to the internet. And so there are scans that go on all hours of every day. And they will fingerprint these devices and know that they have a specific exploit that they can then target within 24 hours of being connected.
And now in the smart home, of course, we've shifted to working from home, which, of course, gives a great opportunity for cyber criminals. It couldn't have happened at a better time for them, really, with all the devices now in the home. And not to pat ourselves on the back too much, but enterprise systems, they've gotten stronger.
But the home has gone through this rapid increase in the number of connected devices. And many of these devices are vulnerable to attack, which makes that home a great target. So it's not a time to panic. But it is a time to step back and take caution.
Look at all the devices in your home. You might have as many as most small businesses. But in your home, you could have very limited security controls in place.
It's estimated that 80% of these products are vulnerable. And many of them ship with embedded vulnerabilities in both hardware and software right out of the box. Also, many of them do have a default setup that leans towards being overly permissive than being restrictive.
So take the time to pause and look at these devices. And disable any unnecessary functions, things that you're not using that's enabled on them. Also, take a look to make sure that the automatic software updates are happening on those devices.
Generally speaking, they have a lack of system maturity compared to other computing devices in your homes, such as your laptops or your phones. And they also will have a very limited software recycle. Some devices, such as a smart refrigerator, which is pictured on this slide, or you can have a smart oven or I'm very envious of my friend, who has a smart barbecue, they might have an expected lifetime that far exceed the software support. You probably don't replace your fridge every five years. But the software support for that device might end in five years. So you have to make a decision. Do you buy a new appliance with all these wonderful smart capabilities or do you turn off the internet connectivity of that device much sooner than you'd like?
A couple of infamous cyber attacks with IoT that have happened in the past-- they happened with web cameras. So that was a lesson learned, to change the default passwords on those devices, and also to implement any strong authentication that's available, such as adding a step to have a text message sent to you when you log in or anything similar to that to simply reduce your risk. Earlier this year, attackers were able to make the jump from a popular smart lighting hub over to a personal home network to steal information.
So you have to be careful to treat these devices as if they're guests in your home. Place them on a separate guest wireless network if you have one configured with your home versus having them on the same internal network as your other devices. Keep those IoT devices away from your personal information as much as you can. And Charles, I remember you had an interesting recent issue with an IoT device in your house.
Yeah, I did. And to reinforce your point, David, about the-- getting rid of the old, older technology that might be a part of IoT, remember that today's smart bulb is tomorrow's dimly-lit paperweight, right? You may not always update those systems.
But I recently bought a set of motion and sound-activated lights from a company called Nanoleaf. And what I didn't know out of the box is that when I connected those lights to my home network, the lights themselves actually became a Wi-Fi extender or a node. And what that means is that those lights rebroadcast my Wi-Fi signal, so that if someone was near those lights, they could actually go to their Wi-Fi settings and they would see my Nanoleaf lights as a hotspot. And that particular hotspot had zero, had zero password protection on it. So it was a free access to my home network.
And so what I simply did was I went and I turned off that node. But that's one of the things that you have to be aware of. And in a lot of cases, these newer devices, they're actually extending your Wi-Fi and they're not doing so in a protected way. So that Wi-Fi light bulb or your oven or your refrigerator that you're hoping maintains its levels of security five years from now, they're also putting out an extension of your Wi-Fi network, your router, Wi-Fi. And in most cases, it's not doing that with password or security protection in place.
And some of the logical next steps and some of the things that we want to talk about and think about-- Tyler, I know we've talked about smart homes and protections in smart homes. What are some of the trends that we're seeing when it comes to entire cities?
Sure. Absolutely, Charles. So the natural progression from the smart home is to the smart city. And there are a number of cities within the United States that have smart city initiatives. So I'll take us through two.
Two that I find pretty interesting-- one is based out of New York. It's called LinkNYC. And what this is, the program is replacing 10,000 payphones across the five boroughs throughout Manhattan. It's a first-of-its-kind communication networks that that's allow free gigabit-encrypted internet access to anyone within the five boroughs.
So what are Links? Links are 9-feet-tall structures. They have two 55 inch HD displays on either side that's putting out information about the area you're in, as well as advertisements. The good thing about LinkNYC is it's completely paid for by advertising. It's free to sign up for.
On these Links, on these 9-foot structures, there are Android tablets. You can pull that out and browse areas of interest around you and gives you a location map as well, USB charging stations-- you can charge your phone, your tablet. There's even a phone connected to them that allows you to dial any of the 50 states for free.
But it also has, as I stated, free encrypted-gigabit Wi-Fi that's being broadcast across the five boroughs. So now how is this encrypted? How are they making sure that this is protected?
They're using what's called Hotspot 2.0. So you have to, as a user, go to LinkNYC.com, simple enough. Sign up for a free activation code.
And anytime you're near one of the Link structures, it gives you a one-time use token. That token allows you to access their internet and make sure that you're not, then, joining a malicious network impostor that could be around the corner. The idea is they want you to be up and running and safe for all users.
This has been in practice since 2015. They currently have 2,000 of these throughout New York City. There will be 7,500 by the end of it. So that's a pretty big global scale. This is a big initiative.
I wanted to also bring to our attention something a little closer to home that's here in the state of Ohio. And this is, actually, Columbus's smart initiative, which they've labeled Smart Columbus, Smart Columbus. It's being put together by the city of Columbus in partnership with Ohio State University, the American Electric Power Company, and many others.
In 2016, Columbus was actually the winner of the US Department of Transportation's first-ever Cyber Smart City Challenge. And Columbus won it. They were awarded $15 million in grant funding and were given the designation of America's smart city.
So what did the challenge ask? The challenge called on midsize cities to really reinvent metropolitan transportation by doing more than just introducing technology on the streets. That wasn't good enough. What they wanted to do, and they called on cities to boldly envision new solutions that would change the face of transportation in our cities by bringing together technology and actually putting that together with the transportation system itself to meet all the needs of the city residents.
Columbus is a city that has a lot of single-car commuters, meaning one person and one car is driving to work. How do they get around that hump? So here's what Columbus intends to do. They intend to address it, emerging transportation, using data, technologies, applications, and integrate that all within the new and existing transportation systems.
Columbus will help define what it means to be a smart city and become the country's first to fully integrate innovative technologies within the transportation system. Here's their plan-- they're going to have connected vehicles run by the city of Columbus. They'll have automated buses that will actually shuttle you from the airport to Ohio State football games.
They'll also use the Smart Columbus Operating System. That's actually going to be in the background. It's going to store all the data sets that they have, and then puts that information out so they can make these decisions in an informed way. So those are just two of the large smart city initiatives that we actually have happening here in the United States.
Quick question-- do those include scooters?
Sure.
Although, are scooters--
So they don't necessarily include scooters. The idea is they want to pack buses that are to be driven automatedly-- have automated busses. They're self-driving buses. That's the idea.
I think it's clear. Cool.
Right, well, it'd be you and a whole lot of people at a football game on a scooter, for sure. OK, let's see some poll results. Let's see if that last poll went through.
And Tyler, it may not have. So I can answer--
Yes, and I can answer it, yeah.
I can answer that poll--
And I'll jump on this one, too--
--question for me. So just right now--
Yeah, go for it.
[INTERPOSING VOICES]
--at my desk right now, I have seven devices connected to either the network or to Wi-Fi. I have my work phone, my personal phone. I have a personal Chromebook. I have my work laptop. I have an iPad. Actually, I have five iPads behind me.
But again, if I just think about this in my workspace, and this is not-- this is by no means a smart area, not like my home might be-- just here alone, I have seven devices or more connected to some form of either Wi-Fi or the network.
And here in our house, I am-- I think I'm sitting around six right now myself. My house, with myself, my fiancé, and our seven-month-old son, we have 26 devices that are all connected to our Wi-Fi. To David's point, I do have my Wi-Fi split right down the middle. So I have our Wi-Fi and a guest network as well. Most of these devices are on my end, which is encrypted.
Deloitte, which is one of the companies we actually work with, say most houses on average have about 11. To David's point earlier, it seemed like all of us had well over 20.
Are some good results. And then Tyler, additional resources for people to share?
[INAUDIBLE]
All right, so some additional resources for everyone, if there is a site with tips, articles, and videos that are available for you to view at usbank.com/financialiq. So again, that's usbank.com/financialiq. Here, you can learn about how to avoid fraud and scams. And then you can also take the lesson Protect Yourself Online, where you can go through and see how well you would navigate those things.
Then on the next slide, we've also partnered with the American Banking Association to share in part with their program #BanksNeverAskThatQuestion. It's an anti-phishing campaign for Cybersecurity Awareness Month, which October is. You can take a quiz at BanksNeverAskThat.com. And there's a chance for you to possibly win $1,000.
So more information for you to actually extend some of the information that we've shared today. So further educate yourself. Remember, we are all diligent cyber citizens. And there's always more that we can learn.
All right, so as a part of our Q&A, we got a few really good questions that we'd like to answer. So these questions came to us during our registration process. So what we'd like to do is to answer a few of those questions. So the first question I'm going to pass over to my colleague, David.
Mhm. Yeah, how do you recognize a cyber threat at first glance? And we talked about seeing those red flags and hopefully armed you with some of the awareness to be able to recognize that when you see one, two, three, five red flags, certainly that's an important time to take that message and pass it along to your security team to let them know that there is something suspicious going on there. Always err on the side of caution. And seek out a second opinion from a trusted advisor.
Whenever possible, just proceed with caution. We talked about being diligent with your inbox and with the messages that are coming at you. And with the variety and sophistication of these cyber threats, it does take more than a glance to be safe.
So you have to just take that moment and pause. Look at the message in whole. And really see those signs for what they are.
Recognize that it's a trend, if it's asking you to do something urgently or take some other action that just seems suspicious, err on the side of caution. Seek out a second opinion. And report that message as being suspicious.
Yeah, really good point, David. And I'll take the next question. So please address the problem of knowing if a person that you meet on social media is a real person. And how can we protect ourselves from scammers, bots, spies, trolls, and trolls on social media? Can we protect ourselves from getting hacked and/or doxed.
Good question, Veronica. The good news is that yes, you can protect yourself. And that's been a theme that has run throughout our presentation today, of being very diligent and making sure that you are highly aware of some of those scams or some of those exploits that could exist on those platforms that you use.
Now, the tougher news is that it's getting harder and harder to spot the bots, the fake accounts, and the trolls. It can be difficult, even for professionals. The only solutions are to continuously educate and inform yourself. Stay up to date.
And to reinforce David's point, again, become a very diligent digital citizen. It's proactive, right? You have to continually learn.
Frame your use of social media through the same lens of protecting your information online that you might use if someone were to knock on your door and ask you a question about your personal information. Don't overshare. Don't click on a link that's been unsolicited by you. Don't follow individuals who don't have followers or don't accept links that you might see on social media.
I follow a rule on the only social media that I use, which is LinkedIn. My rule on LinkedIn is I will only accept a friend request or a connection request if I either work with you or I have worked with you in the past or I've met you and we've exchanged business cards. So that might be a good rule of thumb.
Also, follow the news related to that platform that you use. If there's an exploit that's hit that particular platform, like Twitter or TikTok, be aware of that exploit and understand what the traits are for that particular exploit. That way, you don't fall victim to it.
Some traits of a fake account or a profile-- if the account is very new, it has a user name that has characters as opposed to a real name, there's no bio, no profile pic. If there is a description it follows a particular pattern, that's how you recognize that. Also, for any platform that you use, ask that the platform provider, whether it's Facebook, Twitter, ask that they police themselves. If there are exploits that are running rampant through their platform, make sure they're stopping that, all right?
And then three words I'll leave you with is multi-factor authentication, more than one way to authenticate who you are when you log in, right? So ask for that. And then we'll take our last question. And Tyler, take it away.
Sure. So the question Tony asked is "what do you know now that you wish you knew 10 to 15 years ago?" And Tony, to that, I'd simply say I wish I knew how overly connected we would be. We talked about IoTs, we talked about smart cities. I said that I have 26 devices in this house, honestly, at any given time. We are overly connected.
And the very things that Charles and David and I did, we talked about what happens in internet minutes, the amount of video that's streamed on Netflix, the amount of money that is spent on Amazon. We are super connected, which is great, right? At the click of a fingertip, I can get a dinner recipe or I can see my son currently napping in his crib in HD. It's a good way to make sure Atlas is OK upstairs.
But with all of that convenience, there is that level of risk that's brought along with it. So the best practices that we've talked about a lot today-- make sure you are, if you're on social media, you're browsing safely, you're talking to the people and the groups that you know. And you can use really tips at home and at work. They both carry over well.
But the best practices we discuss at work should be carried on at home as well. Enjoy all the communities we have, but browse safely. Especially now, we are three weeks to the day away from an election. Make sure you're browsing safely.
Thank you, Tyler. And thank all of you. Thank Courtney, our host today. She did a fantastic job of keeping us on track. We can be a little long-winded. I know I can, Tyler, David, and I. But we want to thank you.
And also, please join us on November 10. We do have our Proud to Support Those Who Serve Program that we will have. You'll simply scan the code that you see on your phone's camera or you can visit USBank.com/WellnessWebinars to register for that event.
And again, we all thank you for joining us today. Hopefully you've learned something. If you do have questions, please flood our inbox. We put enough scrutiny into those emails that we'll know if it's a phish. But again, we welcome your questions. And thank you guys for joining us today.
And thanks, everybody. Thanks to my panel buddies, Tyler and David. Thank you, guys. And thank you, Courtney.
Thank you, Charles. Right, thank you so much.
Thank you.
Thanks, everyone. Have a wonderful afternoon.