Cybersecurity topic of chamber luncheon | News

The luncheon took place Thursday, March 17 at the Centene Center.

“We do a lot of help desk, a lot of cybersecurity, basically small business, city and county support,” he said. “I’m here to talk about cybersecurity and mostly social engineering. The weakest link is people. I kind of geek out on learning the psychology behind social engineering. We have a lot of types of social engineering.”

Key started out with what is called phishing and whaling. “Phishing is where you probably get daily emails that has some bad link in it and somebody pretending to be somebody else. That’s fishing for attempts that somebody clicks on something.

“Whaling is the one we end up dealing with the most. Whaling is going after the top dog or big fish. People will spend a lot of time doing the research on that top person. Unfortunately, when we walk into a company, the top person is the most resistant for all of the security. They’re special and think that this doesn’t apply to them. They are the ones being targeted.”

Key explained that vishing is voice calls. He observed that as Covid cases began to decline, there was a ramp up of scam calls and texts to cell phones.

“Pretexting is someone pretending to be in a powerful position,” he said. “If you are in a large corporation, you probably never met your CEO. If the CEO calls and said they need you to do this, [you] may do something [you] wouldn’t normally do.”

Another hacking scheme Key touched upon is “baiting,” in which a free product is offered — such as flash drives — that are infected with computer viruses.

“I walk into a cybersecurity convention and they’re handing out free flash drives,” he said. “One of the things we talk about is to never pick up a (random) flash drive and plug it into anything. That’s the easiest way to get hacked. There’s something out there called ‘Rubber Ducky’ that I can plug it into your machine and in 15 seconds give myself administration rights.”

Key then explained what the term "tailgating" means in the cybersecurity world.

“Tailgating is any sort of physical security," he said. "You would be surprised how many places I can walk into by looking like a geek. Carrying a bag and a blank badge with a lanyard around my neck that says Microsoft. My techs and I will walk in and out of some of the most secure places. They didn’t know who we were and they let us in the server room and we did this and that without them questioning anything. Somebody comes in and says, ‘I have this Microsoft credential. I’m here to help you.’ Don’t trust them. Make some calls and find out if they are actually who you think they are.”

Another scam is "quid pro quo" where there is a promise of something in exchange for your information. Example: "I’m here to help you and give you technical assistance."

Malicious pop ups are where ‘Microsoft’ pops on the screen and won’t let the user close it. Key says that the elderly are especially vulnerable prey for this scheme.

“Five thousand, 10 thousand dollars, they add them to a list and call them back in a couple of months and hit them again,” he said. “The best thing you can do is hold the power button down and turn it off and start it back up.”

Key said that Microsoft and other big firms are moving away from complex passwords and password changes and applying multifactor and two-factor authentication.

“It is extremely important that if you log in to your email from a different location, it should authenticate to your phone or a physical badge. If your email is not doing that, you’re as high risk as it comes right now.”

Regarding spyware and adware, Key said that pretty much any security software will take care of those issues.

Addressing the major problem of ransomware, where a hacker shuts down your computer until you pay the ransom, Key said the way to prevent the situation is to have secure offsite backups to the cloud and detachable hard drives. He said hackers will look for backup files first and damage them before shutting down your computer.

“It can’t even really be tied to any of your existing accounts,” he said. “They will spend time inside of your network trying to get all of those passwords.”

Key also stressed the importance of performing software updates.

“I get notices from the feds weekly about really big attacks especially with all the Russia stuff going on,” he said.

Panic is a big factor in the social engineering used in hacking computers. Key urges customers to verify unusual utility bills or other firms by going directly to the site and not by clicking on a link in the email.

“If you get a $5,000 utility bill, you’ll probably click the link to look at the utility bill,” he said. “That could open a document that will ransomware your machine.”