Hi welcome to the Ohio Arts Council's
Monthly webinars sessions, my name is Ted Hattemer. I'm the IT strategist here at the Ohio Arts Council and today. We'll be talking about
Don't get hacked steps to protect you and your organization. Just a little bit of housekeeping if you're having any technical
difficulties, or if you have questions, please use the chat function
Within the WebEx, and I will answer
questions at the end of the session rather than asking them or responding as they come in so
With that if anybody if everyone has any questions or anything I'll just jump right into it
So I want to start with is a
Getting hacked occurs in many forms and
We'll talk about prevention but first
We'll talk about the different methods
criminals and others used to hack your computing devices
First of all if we have something called malware and that software programmed performs some sort of malicious task
something like capturing usernames and passwords
most of the time the antivirus software on your machine
Will prevent you from opening those types of files, but occasionally something is brand new, and it'll get past your malware
Malware also happens when you're running old operating systems like if your your organization still on Windows XP
or
Vista or something like that then it which is 30% of most computers online
You'll be very susceptible to
to
Getting infected with malware, but either
Vulnerable but public computers computers that are used by the general public in a cafe or something like that
also another vulnerability
some
Unencrypted Wi-Fi so at a coffee shop or something like that you're very vulnerable there
Another type of hack that occurs is something called
"man-in-the-middle"
Where requests made to a website from your end or filtered for another state without you knowing it
That's called man-in-the-middle where you click on a link, and you don't realize that you're not actually on Amazon site
But you're on some other site
Another type of hack that we'll be talking about or that will try to be preventing a phishing and
That's handing over your your credentials to a fake website or a fake
contact person via an email solicitation and
another
Vulnerability and something to prevent you from getting hacked is using the same password on many sites
So don't use your banking an email path letter for an online newspaper or for buying something on someone's website
Because if they get hacked then your username your email account is then associated with that
password depending on how they stored it so
Right when I started off
I mentioned criminals and others and I wanted to just make sure that everyone understood that not all hackers are trying to steal
information or money from you although the vast majority of them are
so for fun
So
Some hackers some hackers are doing this for fun
So they make attempts on computers and servers and networks just for the personal gratification and others feel
That they need to prove something to their peers or friends, maybe they're a young person in college or in high school
And that's they're doing that for fun another reason people
Hack is
is to steal your information and
Maybe it's to steal information from
company or to steal information from you in order to get to a big a larger system or
To infiltrate your personal information or steal money from you another reason people hack is to disrupt
So some hackers including hacking groups
Target a company to disrupt business create chaos or just be a nuisance these groups
They're often trying to make a statement with their hacking to demonstrate security inadequacies or to show general
disapproval for the business itself
Example these hacking groups are like anonymous or LulzSec and then the last reason most people
find that they've been hacked or
succumb to hacking is to discredit so
politics, religious belief, social beliefs
Can lead one group to try to silence another group or
intimidate or discredit another group
And we largely see this in when someone takes over a social media account or takes over a website and replaces the
Content there or the impersonation of someone so that being said those are all the different
reasons and ways people
Get hacked. Let's jump right into
prevention.
So the number of one thing I want you to take away from this webinar
Is that you need to stop sending an opening email attachments.
And this is probably the most difficult message to hear and
But if implemented it would make the most difference in how we view
potentially dangerous online situations
Most phishing attempts and
Spreading of viruses those are the two most common ways people get hacked and more often than what not it
begins when someone clicks on an attachment or a link that they've received an email message
from either someone they thought they knew or someone they thought was safe, so
Imagine if when you received an email attachment, you immediately assumed it was malware or phishing no matter who it was from
So even if it was from your boss if someone sent you an attachment or
Something that looked like an attachment
you just immediately assumed that it was a phishing attempt, and that would go a heck of a long way of preventing hacking.
So but email super useful, but it wasn't designed to be the end-all for
workflow situations. So that being said
What can we do?
So email attachments
Even though they're super easy to use and share and create and everything and
Even if you go an extra step and zip up your files you're still creating problems.
Sending a zip file that used to be a great solution. You can take all your files and put them into a zip file and
it would be super easy to send it along and that would protect it and
indicate to the person you're sending it to that it's a safe file
you can go ahead and open it up in the files that are contained within or the attachment.
But anymore, a
virus or a piece of malware can can
be any type of file it can be it can be part of a zip file it can be a
JPEG it can be an mp3 file it can be absolutely anything else.
And also these files can come from
someone who appears to be your colleague or maybe it is your colleague. So a lot of times
in an organization one person clicks on a link and it's a virus and it ends up sending email
with that same virus to all the other folks with an inviting
invitation to click on this Microsoft
document.
So another reason that we need to stop sending email attachments is that it's an inefficient use of bandwidth and file storage.
So sending an attachment across the internet
when that happens what happened what happens behind the scenes that that the attached file has to be encoded
so that it could travel with a
integrity from one server to another server.
So the email message that you're sending doesn't go from your computer to the person's computer that you're sending it to
instead it jumps from
your email
account to your email service provider and then that service provider forwards the message along to
the next email relay, and then it bounces along relays until it eventually finds the servers host for the recipient.
Then finally the recipient downloads the message from his or her email provider.
So on an average 33 percent increase in file size is necessary to encode
the average attached file. So when you do the math you can immediately see the inefficiencies.
Each email message creates unique copies of the shared file as well. So each person on the recipients list gets a unique copy.
Then this ends up eating valuable mail server space and bandwidth.
And then here's the kicker it. Also is that email becomes a really lousy project management tool.
When multiple copies of files are distributed knowing which
version of which file is most current or accurate becomes next to impossible.
So hackers are getting more sophisticated with subject lines and fake email addresses in HTML formatted email
messages in order to deliver the malware
So what what is your business to do in order to stay on top of this and how do you stay
working with other people? You know if you're not supposed to use email to share files work library
collaboratively with the rest of your organization
So first off creating a purposeful space to share work documents helps on two fronts first
people stop sending email attachments and
Second the work becomes more accessible
discoverable and shareable
Onedrive and OneNote
Microsoft's solution for this work together to provide sort of a whiteboard
smart board type experience.
Pages the basic element of a OneNote are collected into larger sections and shared within a team notebook
secure collaborative software and cloud storage servers and chat tools are gaining
A lot of users across the internet
While email will never fully be replaced anytime soon its position is the primary means of sharing internal company data, if being
recognized for how unsecure it is an email is actually on the decline ever so slightly though.
So here's an example of a team notebook and
a
Example of how one might share files rather than sending them as email attachments.
Files stored on Onedrive they can be inserted directly into the OneNote and
OneNote provides meta information around the work product in addition to the file name and file type.
Meta information is really useful to have when there are multiple versions of the same file and multiple files within a project.
Often when you're looking for a file on a file server or on someone's hard drive
it's difficult to find that exact
version or file name, but when meta information
surrounds the document it becomes very discoverable and
the relevance of the project or the file becomes very easy
to understand.
And
instead of sending this PDF
The PDF that I just had on the previous slide
Instead of sending that file as an attachment what we end up sending is a link from the OneNote.
So that way there's only one copy of the file it remains on the Cloud Drive where it's getting backed up and multiple people can
Comment and suggest improvements or work product within the whiteboard environment or project management environment
So if you're not on the Microsoft platform Google provides a similar service
This was originally developed as a personal application suite rather than a full-fledged collaboration platform
But Google's pretty much ubiquitous
And you'd be hard-pressed to find somebody who wouldn't be able to share a Google Doc with you so collaboration
Comes pretty easy to this platform
The way Google handles this is that they use an internal way of sharing files
Selecting files and folders to share with your contacts is a simple way to collaborate when you share a file file or folder
Google sends the link to your colleague colleagues Google inbox
They also have a robust list of applications to develop content
sheets
It's drawings and forms are all easily created and then shared within the Google platform
Downloading the desktop or mobile app gives you access to your files and familiar File Explorer kind of way
And it also gives you online access
When you don't have offline access when you don't have an internet connection
Another tool if you're not using either Microsoft or Google
is box
Box is a good contender to OneNote onedrive it has sharing capabilities within for
Almost every Microsoft product and the free version although. It's not as robust as the paid version is
Pretty intuitive to use and pretty and easy to get up and running with
Box also creates a collaborative environment
each of the files shared with inbox can access previous versions of the file lists of people of viewed or download the file and
A section for collaborators to leave comments about all the files that are being shared
Box like Google Drive both sync to your hard drive and have mobile apps as well and
box from internal
Microsoft Office documents box can be launched or
box can launch Microsoft Office documents within its internal interface and so the integration between the two platforms
becomes pretty easy to get back and forth and
finally there's Dropbox, which is very ubiquitous a lot of people use Dropbox and they
Just begin to roll out what's called paper
Which is their?
online collaboration tool
in addition to the file storage so that they allow you to upload and share files, but then provide a
brainstorming and collaboration space where you can generate ideas and
Leave comments on other people's files
So there are a bunch of free and reduced
Cost services out there for nonprofits, but if you're not aware of this one. This is called TechSoup, and it's a great resource
It's tremendously discounted software
That's available on the site and signing up is pretty straightforward
Microsoft for example is
$40 per user through TechSoup, so if you
Need upgrades you're not on
Microsoft 2016 on
the office 365
Check out TechSoup before you go anywhere else and see if you can get some savings there
And
Then if you're ready to take the next step
There's another complete other higher level than what I just went over and those are true the true
project management platforms
beyond Google Drive and box and OneNote onedrive
these platforms
such as Basecamp JIRA, Microsoft Project asana
and others they provide things like the ability to create Gantt charts and
Document flow timeline project resource timeline deadlines notices
People on certain discussions archiving discussions over a long period of time in order to create
Documentation about the project so if you're ready to take that next step
You've got a lot to choose from
Basecamp is probably the easiest to start with and if you're if you're interested in just true
communication collaboration check out slack
So that's all about stop sending email
the next
tip that we have
Is encrypt your hard drive if you're not doing this is pretty simple to do and whether you're on PC or Mac
You can accomplish this pretty easily
What it does is it encrypts it?
It protects your hard drive by creating a username and a password and without that username and your password
None of the information would ever be accessible to anyone and basically the hard drive would just have to be reformatted in order to
to access it
So if your laptop or stolen or somebody gained access to your laptop if they don't have your username and password
They'd never be able to get to any of your information
So for the PC it's called BitLocker, and it's found in your system preferences on
The Mac side it's called File Vault, and it's in the security and privacy section on
Under system preferences as well
Pretty easy to turn on kind of a no-brainer we use here at the Ohio Arts Council
Another thing that you'd want to do in order to decrease your
Vulnerability for getting hacked is manage your passwords in a in a better way
A simple tool for that is called LastPass
LastPass is a browser plug-in
it's for both Chrome and
for
Firefox and
It manages your passwords by storing them under a
central password
So you can pick really complicated passwords for the sites that uses it often?
so here are a bunch of sites that I visit often and
My very complex passwords are being stored within
these
buckets and
LastPass
Has my the one password that I have to remember day in and day out?
So if I can access LastPass that I can get to all of these other
services which have super complex
You know 14 17 18 character long passwords
So these sites end up becoming super
secure for me because they're not none of them are sharing a password and
And that all of the passwords are very very strong
Another thing you want to consider is turning on two-factor authentication
with the services that you're using a
two-factor authentication is combining the traditional username and password that we're all familiar with
with something you either know
Have or are
so things that you know are the city you were born in and the
last four digits of your social security number
things that you have are a
cell phone
So when enabled for a site to factor will text you a code that you can use?
logging in for additional information
above and beyond your username and password and
things that you are are like your thumbprint or your iris or
Even your face for facial recognition software
so two-factor
Creates a bit of a hassle when logging in to some of these sites you use frequently
But it also ensures that no one is ever logging in to the site that you use without your knowledge
so if you
forget your password for Facebook for example Facebook
Automatically uses two-factor, and won't let you change your password for less you can authenticate
Not only through
Facebook, but also through giving them a code. That's linked to your cell phone
Google and Microsoft and Apple a lot of banks use this some have it on
By default and others like Google require you to turn it on
yourself it's it's a
Truly a great thing to turn on and it does create a little bit of a hassle sometimes
But it's well worth the hassle to know that no one can gain access to some of these very sensitive
Accounts that are under your name
Another browser plug-in is called HTTPS Everywhere and
So I'm going to get a little geeky for the next couple of slides, but bear with me and we'll all learn something so
HTTP is
hyper it stands for hypertext
Transfer Protocol and
The way it works is it uses a once and done approach to communicating between the browser and the server
It's what's called a stateless protocol
Meaning that your browser makes a request and the server responds and then between the Brooke server and the browser it's as if you've never
Communicated before you make another request and you're a brand new connection all over again
So every image every element every script every file or separate requests when serving up a web page
Enabling
HTTP or hypertext
Transfer Protocol security
creates an encryption
Tunnel between the browser and the server
So when you do online banking without?
HTTPS your username and password would move between the server and the browser is plaintext
With the encrypted tunnel created. There's encryption between your browser and the server while you're communicating
While they're sending that one-off communication of like here's my password
It's not sent as plain text, but as encrypted data
Not all web sites use HTTPS
including our website here at the Ohio Arts Council
But if you have a website, it's recommended that you turn it on
it's pretty easy and straightforward to turn on and most web hosting providers can help you do this a
free
Certificate
For turning on secure your website security is called. Let's encrypt, so if you contact your web hosting provider
Ask them to check out let's encrypt because it's free and it will provide you with that extra H
Ts protocol
to
secure your website
That's very useful when you log in to change the content of your website so that that username and password are not
Going over the Internet free and clear as text, but rather as an encrypted data
additionally
the major search engines like Bing and Google
Improve your rankings on their results page if you're using
HTTPS instead of just straight
HTTP
So that's a side benefit to
Turning encryption on for your website
so here
I just wanted to show you that there's quite a bit going on behind the scenes when you connect to the internet and start making
requests between two or more computers a
tool like Wireshark, which is available for both Mac and PC can monitor traffic and
Analyze the traffic for signs of hacking so this is really far into the weeds
But I just wanted to give you a feel for
How much is going on in the background when you connect Firefox to your online bank account?
All of these are transactions that are happening
within loading one web page and
they're all separate requests and
There's a lot going on so
there's a lot of information here that hackers could use and
I just wanted to give you that sense of that. There's a lot going on that you need to protect
so just a tip never log into your most sensitive accounts while on free public Wi-Fi a
Hacker could be running software like this on that free public Wi-Fi and watch you
Log into your banking site and the connection between
Your computer and the Wi-Fi is not encrypted, so they would just see your username and password
coming across as
free text and be able to grab it
Another except that you want to do is when you're not using your webcam
To put a piece of sticky note or tape up there and cover the camera
This doesn't happen very often, but it has happened and people like Mark Zuckerberg
the owner the CEO of Facebook
Puts a piece of tape over his webcam
so
you can tell that it's a
It's something that other people are doing in so you might want to consider doing it as well
What happens is that somebody can if your?
computer is compromised somebody could then take over your camera without your knowledge and
understand some of your habits and
Then be able to place a phone call to you or something like that and gain access to other information
Because of things they've learned by watching you
Okay
Other tools that you might want to consider is things like a browsing
Extension called my Wat or web of trust
this is another layer that exists between a
requested URL and
serving up a website so that this service goes out and just make sure that the
site that you're accessing is actually the site that you're trying to access and it hasn't been hacked and
another one in that same
Vein is called WebAdvisor, and it's the browsing companion. That's got
free download and it it'll alert you to when
when
Websites aren't who they say they are or they are infected with malware
So one of the things that we're recommending is that your office have a we got hacked plan
If you don't have a what you should do after you get hacked you should start on that today by asking
yourself and answering the following questions
What has been affected so
You feel like you've been hacked what has actually happened. What what?
Services have been compromised
After we take this hacked resource offline
How will that affect our business?
Can we wipe clean an infected machine, or do we need to resurrect the data on it
The following steps should be taken if you feel you've been hacked you need to shut system's down quickly pull them off of the Internet
That is basically shutting them down you don't need to turn off a machine but
eliminate its connection to the Internet and then work with either a
security firm or your IT person and determine how
Intruders got in and fix that first so if there was an update to Windows and it wasn't applied then
That's probably how the intruders got in and you need to fix that first
you need to understand where your data is being backed up, and how quickly it can be restored and
Then you also need to alert the FBI and the local police it is a federal crime for
to hack into somebody else's computer and
If it's not reported then
The authorities don't have all of the best information about how many computers in our area are being hacked and what the local threat is
And what the regional threat is and then you also need to have a backup work plan
Exactly how you're going to get business done without these systems that you rely on
Here a couple of
Resources that you might want to become familiar with one is a stay safe online org there are a lot of tips there and
the other is a
consumer FTC gov
Goes are both
Sort of tip collection
Resources that you can use in order to
Stay safe online
And so I
Sort of to close this out I wanted to just address that
Being safe online is really a trade-off between security and convenience and the more you're willing to slow down a bit
jump through a couple of extra hoops
Work in a slightly different way
The safer you'll be in the long run
Nothing can completely protect you online, but being where the most basic hacks will keep you relatively safe
And that's about as most much as we can hope for in this new digital world so
That's my presentation for today I
Appreciate you attending and learning if there were any questions I could answer them now through the chat for
Well if there are no other questions I
Thank you for attending today and just letting you know that these
webinars are on the third Thursday of each month at
two o'clock and
We will be sending out an email message as far as the topic of the next one if you have an idea for a topic
Feel free to send that to me via email
to the address on the screen and
Do not include an attachment
Thanks for your time today and
Talk to you soon, thank you
No comments:
Post a Comment