February 23, 2017

Data Security Part 3: Don't Click Don't Open!
Trey James, Co-Founder & CEO Xcentric

John Monahon:

Hello and welcome to In Process, conversations about business in the 21st century presented by Trusted Counsel, a corporate and intellectual property law firm. I'm John Monahon.

Evelyn Ashley:

I'm Evelyn Ashley.

John Monahon:

We are partners in Trusted Counsel. Evelyn, today we are going to do a review of 2016, security issues, particularly a review of the data breaches that have gone on and what steps business owners can do to protect themselves and where the trends are going in technologies as well for that. It was a pretty popular show that we did last year, very similar but things are constantly changing. We've been fortunate enough to have Trey James of Xcentric to come back in to talk to us.

Evelyn Ashley:

I think it'll be, it's both scary to hear about these things but if you can have some practical ideas and facts on how to actually resolve or protect yourself from these things, critical to every business owner.

John Monahon:

It's something that's exploding even more. I think we are hearing about it in the news more and more every day just some quick I guess high points on 2016. We've seen some pretty major breaches of some well-known companies and organizations. Democratic National Committee, Department of Homeland Security, Verizon, Cox Communications, TaxSlayer, University of California. This is just a few of some very recognized names that have been breached in 2016. As well as the cost of data breach have gone up. Now IBM is reporting cost of a data breach is average four million dollars. That's up 29% from 2013. Of course that's taking into consideration some very big high profile breaches that was not necessarily representative of every small breach either. They are saying the average ...

Evelyn Ashley:

Just proportionately it could be devastating.

John Monahon:

Right, and then the average cost per record breach is 158. That's according to IBM. There is other statistics out there. They are saying that 48% breaches are via malicious attacks. Welcome to the future.

Evelyn Ashley:

I think the other thing that is kind of interesting too is you are seeing more kind of spam emails being sent to lawyers particularly. I've seen the ABA do a lot of article posting on how lawyers need to actually be careful. They show just how potentially greedy they are. When they get these emails from unknown sources that basically want to transfer funds into their escrow accounts or lockdown their server systems. Everyone has to actually be wise to these things.

John Monahon:

Greed and gullibility isn't a great combination.

Evelyn Ashley:

It's true. Never has been.

John Monahon:

It hasn't. We will without further ado, let's introduce Trey, since he's our expert today. Trey James is the co-founder and CEO of Xcentric. Xcentric is a national hosting provider based in Georgia. The company is focused on providing dedicated virtual servers exclusively to tax and accounting firms. The organization also provides traditional IT infrastructure, maintenance and support of on premise servers. Trey was selected as one of the top 100 most influential people in the accounting industry for 2009 and 2010 by Accounting Today and as a top 40 under 40 honoree for 2006 and 2008 by the CPA Practice Advisor. Trey, welcome to the show.

Evelyn Ashley:

Welcome back.

Trey James:

Thank you. Glad to be back. I'm glad to be with you.

John Monahon:

2016 as we were going over sort of the list of companies and the breaches have been a pretty big year. What's the current environment for I guess security and data breaches for this past year?

Trey James:

To sum it up in a word, scary. It's probably better just not to pay attention so you can sleep at night. Practically speaking I think the cloud is ever increasing. Amazon says there are just that one, their web services equation of their business is growing 67% over last year. We've looked at a number of different verticals, a number of different industries. You have the marketing industry where software in their industry alone since 2011 has gone from 150 brands to 3,500 brands. As they change, that's just one example of an industry.

All the industries are doing similar things. All these industries are putting their technology on the web where it's prone to security issues. We've seen it. You have accounts at home that you never had before, and they are growing exponential. The websites you sign up for and the tools they you use online, it's ever increasing.

Evelyn Ashley:

The fact that you download apps and lots of people don't realize, I need to take care of privacy elements in there because it's tracking you and it knows exactly what you are doing all the time.

Trey James:

It says that, when you say I agree to download this. It says you might be exposed in the nine pages are ...

Evelyn Ashley:

Everyone reads those terms and conditions.

John Monahon:

I read every word.

Trey James:

Every one of them. I send them all to you guys.

Evelyn Ashley:

Give comments back, right?

Trey James:

I think just the pure volume of things that we are adding to our phones and technologies that we are logging into on the web and on our devices. There is no time to do proper research to understand what you are really exposed to.

John Monahon:

What you are saying this issue is not going to decrease, it's increasing as we go on with time.

Trey James:

Like a rocket.

John Monahon:

Some of these companies, they are great, they are very growing companies and when you sign up as a consumer you are really not sure of what their actual policies are behind the face. They could have some very sleek marketing or a very sleek app or a great service, but you are not really sure of their I guess sophistication in technology behind the scenes and what's actually happening to your data. That's another I think '] there.

Trey James:

It's a move target. The best of the organizations that provide security on their platform or around their business, it's an ever-changing game. It's cat and mouse. They protect as best as they can and they find out that there is something they need to protect. Better against it’s constantly moving.

Evelyn Ashley:

Constantly changing.

Trey James:

Constantly trying to keep up.

John Monahon:

How do you personally feel about it considering ... It seems like a tradeoff, on one hand. Maybe it's not even a tradeoff it just seems like if you want to move into the future you just have to go with the flow. Should people be worried about it or is it sort of not as, maybe not as scary as if you give it a lot of thoughts? Sort of what you were saying at the beginning. It is scary but don't think about it too much. Do you think a lot of this stuff will get sort of worked out as the industry continues to grow?

Trey James:

Yes and no. I think the practical approach to anything in life is to be educated and then to use common sense. In the security realm you've got to have some understanding of what kind of risks exist without being a security engineer or some kind of security consultant. Going that far would be tough for all of us. You've got to be educated to some extent and then you've got to be wise about how you approach those things, being practical.

Evelyn Ashley:

I think 2016 was interesting. There is a couple of high profile ones that I think are of particular interest. The one was the DNC hacks. That one was obviously very high profile. I'll bet they might not have gotten the most records out of all the security incidents that happened this year and obviously it was a very important one there. Might have had some effect, we'll never know what it was but maybe the republicans had better security? No, I'm kidding.

Trey James:

We won't know until the next election. It's interesting to me because I think for the longest time people have said, "That's a security hack. That doesn't really relate to me because that doesn't impact me. Yes Target was hacked. Now I've got to change some things and get some, maybe change my password or a new credit card." In terms of the election and the impact that all of this has had, it's relevant to everyone. I think that was one of the first times it's been front and center to the entire country.

Evelyn Ashley:

That's true.

Trey James:

That hacking. I always look at motivations. Why would someone want to do something, why would someone want to hack or steal information? I think this is a great example. Politics. There is a lot of stake for either party. Who knows if Assange and whoever else, the WikiLeaks group got what they wanted out of the equation or whether it was Russia. Now that we know that fully.

John Monahon:

You have to look at it, you roll back further to when, supposedly North Korea hacked Sony Pictures because of the comedy film that was put out. You do look at that I think as a consumer and think, "That's terrible. It affects a private business and why would a country be doing that?" Then when you start looking at it from, it used to be they just wanted my financial and personal identifiable information, now they want to control my country too. That for the future seems pretty. That is scary with a capital S.

Trey James:

It is scary though but it's interesting to me that we might look at one pack and go, "That's really bad," and another and say, "That's great." If you are a Republican this year, you are going, "I kind of like this." If you are a Democrat then maybe not.

Evelyn Ashley:

But that's naïve isn't it?

Trey James:

It is. We are all exposed.

Evelyn Ashley:

Because that which happens to one can always be turned on the other.

Trey James:

Stuxnet, S-T-U-X-N-E-T was an amazing study of hacking. That was the US government. Have you all heard of this? The US government created a virus that then was installed on all the computers in Iran in their energy industry. These computers ran a virus that literally told the centrifuges that they were supposed to have, to spin too fast and it physically destroyed the nuclear centrifuges. It's a phenomenal story. That's the case where I'm like, "I'm really glad people are hacking," because it benefited us. I think we probably ...

Evelyn Ashley:

Yeah, but it's just a matter of time before that gets turned on us.

Trey James:

It has been, we just don't know it fully.

Evelyn Ashley:

I guess, no one discloses. Is that right?

John Monahon:

That's the one thing I'm trying to realize is, even when they reveal breaches or reveal it now .

Evelyn Ashley:

Very minimally.

John Monahon:

Then we find out it happened three years ago. You live with these hacks without ever even knowing until maybe years later which is interesting. We have to take a quick break and we'll be back with more from Trey James.

John Monahon:

Welcome back to In Process, we are here with Trey James, the co-founder and CEO of Xcentric, talking about data security in 2016. Trey, when we left we were talking about some of the security incidents that have happened in 2016. One of the more interesting incidents that happened was actually the Dyn cyber-attack which some people might remember just because they could not access the internet at that time. Can you tell us a little bit more about what that was and what was happening?

Trey James:

Yeah, for sure. Put your technical hat on for just a second. The internet, if you think about a website that you go to, you type in www.amazon.com, to pick on Amazon. That is not understood by computers natively. What happens is it converts it into an IP address. It's the same way, if I call John on my cellphone, I don't really know what your cellphone number is, I know to call john. Then my phone handles the phone book and then calls your number. That function is called DNS, domain name serving. That function can be attacked in the case Dyn, DYN is a provider of internet phone books or DNS services. In this case the hackers installed agents through malicious websites. You go to a website to buy something it says, "Do you want to do this?" You say, "Sure." It installs something malicious on your computer. That propagates to other computers and literally there are thousands if not tens or hundreds of thousands of computers that are infected with a device with an agent that's unknown to the computer's owner, that sits there waiting, it's an army waiting for a command. Where does it come back to Dyn. Dyn is this provider of phone book services for the internet. I can type in a name I can understand and it converts it to web address. If you take that down then you can't effectively get to amazon.com because it doesn't know how to get there. The computer doesn't know how to get there. In the case of dyn, this botnet attack was performed, and they called it a denial of service attack. All these, one instruction is sent out to multiple groups of these agents, and they simultaneously overload amazon.com in this case or all the other providers in this case who are a whole heap of them, they were simultaneously attacked. You have this army of devices all attacking and in that effect is, the service that's trying to respond to those attacks, or to the use of them simply can't respond. In essence it shuts down. When you and I trying to get there, we can't find it anymore. My question really is, why would someone do this? I don't have an answer on the Dyn.

Evelyn Ashley:

Did anyone come forward and claim it?

Trey James:

I believe they figured out who it was. I don't have that top of mind. The interesting thing about it was it was widespread and it was so orchestrated. I've got some stats on it. There were so many people affected, so many different organizations. Netflix was down; Twitter was down, National Geographic, Salesforce, Trip Advisor, and LinkedIn. All these households brands that we know. There could have been extortion involved saying, "If you pay us some money we'll let your site start running again." The takeaway for me on it is that we are very accustomed to having very quick access. My kids today say, "Hi day, what does a blobfish look like? What is a blobfish first of all?" I can hit the web and find out hundreds of pictures instantly.

Evelyn Ashley:

Instantly.

Trey James:

That's what the younger generations are expecting is the instant information. With denial of service attacks like the one that was done on dyn and others we've seen. I think as a consumer of those things we just have to be prepared in the realm of security but we have to be prepared for the inconvenience, because they are going to happen. There is virtually no way to stop that.

John Monahon:

I thought the shocking thing was the scale of the attack. Although most people didn't suffer terrible inconvenience this time, this was the first large scale one and it seems like as you were saying something which could be, something that we have to get used to in the future perhaps or at least prepared for.

Trey James:

The interesting thing ... The thing here that was so interesting about Dyn is that in the past they've gone after amazon and they've overwhelmed, they've used these botnets to overwhelm amazon.com. What they did this time is they overwhelmed the internet phone book, which affects every customer that uses Dyn. The customers I mentioned and thousands of others. In fact, all of them were taken down. We are prone to that.

John Monahon:

I think it's interesting too, a littler earlier before we actually started recording you were talking about how you use a Nest system in your house to actually manage your lights and your heating and air conditioning and everything else.

Trey James:

Yeah, it's nice.

John Monahon:

More and more, we have a similar one. We don't use Nest but I think that when you start seeing the level of control that hackers can actually take over systems you realize that the more we move everything into the cloud, the more at risk we actually are because it would be incredibly upsetting to me to go home and try to turn on the lights and suddenly nothing goes on and unfortunately we don't really have that many physical lights anymore. You rely on that system to actually take care of that. You can literally be in that dark.

Trey James:

We are trading conveniences for security. Unknowingly we are giving away security in trade for these conveniences. I mentioned earlier, I leave the house and my phone is in a geo-fence that when I get a mile from the house, it says, "You didn't alarm your home system, your alarm system." I set it. The cameras turn on and everything is set up. The thermostat reduces the temperature depending on the time of the year. Very convenient. You guys have probably seen this. There are websites out there, most of them hosted in Russia where you can go out and look at thousands of cameras, that are those $49 webcams that are nanny cams that you hang over your baby's crib or whatever. There are websites that just post those. They scan, there is something called mass scanning, they can scan the entire internet. Every addressable IP address, it takes about a day and a half. Every single IP address that exists and they probe every one of those. If there was a camera on it, or an exposed, whatever it is that's exposed. They can determine what that is, and then they are right in through the known exposure.

John Monahon:

What about the camera on your laptop? Can they go through that or is it just the nanny cams and things of that nature?

Trey James:

I'm going to say yes, it's possible but I think you would probably have to do some things, get a virus or what have you. There is a lot of that that goes on. Yeah, these websites are hosting links to cameras that are fully open to the internet. To me we are back to the consumer, we are buying things that we don't fully understand the risk. In many cases, this is probably where you guys come in from a litigation, legal standpoint, the businesses who are selling these technologies have a responsibility. As much as we do as the consumers of their service.

John Monahon:

I've heard some blackmail scams about the webcams, people not resetting factory settings and then being subject to extortion. A scary world I guess that we are living in. Talking about 2016, I think we went over the big events that happened. A lot of sort of the security incidents, security breaches that happen to people or businesses are not as sophisticated as some of these other attacks. They are not necessarily the subject of it. They are smaller scams and I think that was one of the interesting segments we talked about last time you were, what are some of the common scams, common mistakes that are going around that people fall prey to that puts their information at risk?

Trey James:

From an individual standpoint, what's most frequent is phishing. Where you get an email, my wife just forwarded one to me yesterday, from Bloomingdale's. It is a perfect rendition of a Bloomingdale's email. It says, "Your password changed, please click if you," whatever. It's perfect. Even though URLs, the links in the bottom of it point back to Bloomingdale's but the link that you are supposed to click, if you hover it, it says Bloomingdale's in there somewhere, so your eyes go, "Look, that's Bloomingdale's," but it's actually sending you to some other country. Living with me for 12 years she knows that is ...

Evelyn Ashley:

She's reasonably paranoid.

Trey James:

I got that email pretty quickly and went, "Good job. Thanks for not clicking that." I think phishing is one. You just have to be mindful of it. You can screenshot anyone's website and then drop that right into an email, and it takes no time to create that kind of content. Another is attachments that come in that are, they call them weaponized attachments. Where you get an email from someone that says, "Here is your invoice. Here is your bank statement or what have you." It's inside of a zip file, and you open that zip file and the next thing you know, all your data has been encrypted. This is called ransomware. This is very prolific, we see this in our client base all the time. There is virtually no way to stop it. The user gets an email, they open the attachment, they think they are reading an attachment and the next thing they know, a couple of hours later they have got a message on their screen that says, "You've been hacked. You now have 24 hours to pay us or else we are going to destroy all your data." That's called crypto locker and there is a number of variants, very hard to stop. There are some things you can do to stop it. The number one thing you can do is insert this little bit of logic in your brain that says, "If I didn't expect this email or it's not coming from someone that I know and trust ..."

Evelyn Ashley:

Why would I open it?

Trey James:

Don't open it. It's the human component that can save us most of the time. The technical stuff we can deal with only goes so far. That's interestingly enough on crypto locker. 85% of the time that you pay the ransom, the ransom is usually $300-400. For a business it's virtually nothing, you pay it, 85% of the time you get all your data back.

John Monahon:

We need to take a quick break but we'll be back with Trey James of Xcentric.

John Monahon:

Welcome back to In Process. We are here with Trey James of Xcentric and we are talking about data security in 2016. Trey, we were going over some of the common scams that people fall prey to which will lead to some of the insecurity. I believe that you have a couple more. We were talking about some of the social engineering and emails that go around. What's been your experience with those?

Trey James:

I want to go back to the prior segment before the break because we finished that segment with me saying, if you pay the ransom you get your data.

Evelyn Ashley:

You mostly get it back.

Trey James:

I'm not saying pay the ransom. I'm saying if you pay the ransom there is an 83% chance that you'll get your data back. There is a whole, do you want to fund these guys? For most small businesses where their entire dataset was encrypted, if it's me I'm paying the $400 to get it back. I don't think it's very practical ...

Evelyn Ashley:

A practical way, what is a practical way for businesses to avoid that if it happens, doing regular backups of their data?

Trey James:

Backups about, if you are not going to pay the ransom, backup is the only path. The other ... It's blocking and tackling. You've got to have up to date antivirus. You've got to have anti-malware, email services, preferably cloud based, so they are not something you have to manage and keep up with. I think the biggest thing is being smart, using common sense about what you should open. If you don't know who it's from and you weren't expecting it, don't open it. Call them and say, "I got this. What is this?"

John Monahon:

Then also I guess that goes along with the emails and the social engineering. There is a lot of emails that are coming out to that, very real from the inside.

Trey James:

Yeah, every month I get this email from our director of finance. I'm the CEO, I get an email from Tim that says,"Hi Trey, can you wire these funds?" It's a bit ironic because it never says where to send the funds to. It tells me they are probably not a really intelligent hacker. The interesting bit to me is that they have hit our website and they've made a connection between me being a leader and Tim having authority to push funds, and they are looking for approval. Somewhere in that process, if we respond they are going to learn that they've got us. To me this means that they are actively looking at our website to make that human connection to figure out how to compromise our funds. It's scary. You've got to be thinking. Tim just walks in email the email, it's funny but it's amazing, scary.

John Monahon:

It is really scary because a lot of people are very busy during their day too and a lot of people aren't looking very closely. There might be some other reason, people respond to this. We've seen it happen, it's ...

Trey James:

The email is completely legitimate looking. It's from me, it's from Tim. It's actually from me to Tim. All the addresses match, and all that's right.

John Monahon:

Very scary.

Trey James:

It just takes that brain component again. Tim has got to think about it.

John Monahon:

Maybe we should cut that off.

Evelyn Ashley:

Oh my God it's a data breach.

Trey James:

There was a slight pause there.

Evelyn Ashley:

That was just a little instant test to see if everyone is listening.

John Monahon:

There is even more elementary things covered though, what about passwords? People are not very creative with their passwords, people aren't taking care of their passwords. What are some security elements around that?

Trey James:

This is funny to me because I think when you start talking about security, people are like, "This is all star trek stuff. Blinky lights and boxes and data centers." At the end of the day, security is really about being smart. The least intelligent thing that I still see today is sticky notes on monitors with last ... Passwords, to be smart about passwords, they should expire. You should create new ones so that they are not out there for too long. That creates this human behavior that says, "I can only remember so many things." Eventually they put a sticky note on their monitor with last month's password and they scratch through it, and they write the next one right beneath it.

Evelyn Ashley:

Then they write a new one. You've been in our office.

Trey James:

Exactly, I'm not going to mention your name Evelyn. We work with accounting firms and what kind of data do accounting firms have? This is literally you walk in and see these things. My favorite is, we have a drive that we have that's encrypted that a client will send us when they are moving into the cloud. We'll send them an encrypted drive, and separately we'll send them a passcode. They'll put all their data on it, they'll use the passcode to open it up, they put all the data on it, and ship it back. In the box with their data, their whole firm's data ...

Evelyn Ashley:

Is the passcode.

Trey James:

On the actual USB drive is the passcode sticky note, in the mail. Again, human behavior. Related to passwords. I can tell you exactly how many passwords I have to manage, because I use a password manager and there are hundreds of passwords that I use on a monthly basis. It's like, that doesn't make sense. Amazon.com, my banking, multiple banking relationships, work things, newsletters. Everything out there requires a password.

John Monahon:

I can't ever remember my password, I constantly forget them.

Trey James:

What do you do then? Then you use the same username and password for everything so you can remember it.

Evelyn Ashley:

Exactly, which is worth the risk.

John Monahon:

I'm not going to answer that.

Evelyn Ashley:

No, I don't anymore but I realized that that's really the only way that you can remember them if you use the same one.

John Monahon:

I've constantly been locked out of my accounts because I've changed it and then ...

Evelyn Ashley:

I know, it's very frustrating.

John Monahon:

I realize I can't remember this.

Evelyn Ashley:

It's frustrating to be you and not be able to get into your account.

Trey James:

I think the key is just making the decision and coming to the realization that it is impossible to remember all that needs to be remembered. You are going to use technology to do that.

Evelyn Ashley:

How do those password applications actually work? You load all of your passwords into it and then you actually have to open to it up and go pull it out or how, what happens?

Trey James:

If I were to boil down all the value in this whole show today, I would point the listeners to one website. It's lastpass.com. We don't sell Lastpass. I think it's $12 a year, it's almost free in my mind. There is actually a free version as well. The way it works is you install a piece of software on your phone and on your laptop or the computers you use. As you go to a website, when you enter your credentials, it knows, the fields on a webpage are coded so that it knows this is the username field and this is the password field. That's kind of behind the scenes. When Lastpass sees that those are credentials, it will prompt you at the top, there is a little bar across the top that pops up that says, "Do you want to remember the site?" I tell people, every time it says, "Do you want to remember the site?" Say yes, just yes. Don't change your behavior at all. What happens is as you use these sites, it starts creating what they call a vault. Every single website you go to it creates this vault, it creates an item in this vault. It remembers, the next time you go back to that website it gives you the ability to fill in that password for you. Now I don't need to remember the passwords anymore. That's really insecure because now if someone else goes there, they are going to have access because my credentials are already filled in. You don't auto-fill and Lastpass times out, so if you close it on your laptop or you reboot it, lastpass, you have to log back into your master password but this vault is protected behind what they call a master password. I'm going to shock you real quick. All this data, all these websites and your usernames and passwords are stored at Lastpass. Lastpass has been hacked two maybe three times, scary.

Evelyn Ashley:

As it would be.

Trey James:

Very scary, but here is the deal. The way Lastpass works is it, as you are storing those sites, it stores the information locally on your computer. It does not go across the web. It encrypts that information locally and then transmits the encrypted data to be stored online. If you call Lastpass because you can't remember, they can't get into your data either. The only thing the hackers have gotten each time they've broken in is this stored harsh of junk that they can't read, so it's not been of any value. There are some, again security in being able to encrypt all those things. Here is the next level, first thing is you record every site you go to, and now you can easily remember all of your passwords because you don't remember them anymore. I would show you this but this is radio. My password for my most sensitive sites, they are usually 20 to 25 characters long, and they look like some kind of hieroglyph. it's hieroglyphic. There is no way I can remember that, so I don't. I use randomized passwords. Lastpass, every time you create a new website or log into a new account, it will say, "Do you want to use a randomly generated password?"

Evelyn Ashley:

That's great.

Trey James:

Literally I do not know.

Evelyn Ashley:

What your password is.

Trey James:

There is maybe two passwords that I know what they are, in addition to my Lastpass vault, master password. The key is not to remember but to use technology. There is the app, the app runs on my phone. Like anything else it's an inconvenience beyond just going to the website, but it's actually a lot more convenient because I don't need to know what my passwords are anymore. That to me is a huge takeaway, talking about using the same username and password everywhere. I can go, if I can find out your email address, I can then hack your email account and get access to everything else. I can get access to Facebook and now I know all of your childhood friend's name, I know your first dog's name, first pet's name.

John Monahon:

Security gate, answer the security questions.

Trey James:

All your security questions I can figure out. I can go out and reset your banking account and have them send the new password back to your email account which I've compromised and get access to your banking information. Then change everything as though it was you. What Lastpass does is it allows me to never use a password twice. The tool in Lastpass will go out and look at every single item in your vault and tell you which passwords match, and then gives you the option to go change them all.

John Monahon:

I'm sold, I was looking for this yesterday.

Trey James:

I need to go to work for Lastpass. It's awesome.

John Monahon:

I'm just thinking, this is amazing.

Evelyn Ashley:

You have to have it.

John Monahon:

I can't tell you how many hours I waste on, because it's not just that you have to go into your email. Sometimes when I go to my bank they say, "This is on a device that we don't recognize." Now all of a sudden I've got enter another, I don't understand.

Evelyn Ashley:

Remember your password.

John Monahon:

Sometimes I'm logging into my wife's account because I'm taking care of some finance stuff but I forget some of her personal information. I can't remember do I answer her security question as her or do I answer it as me? I get locked out of many accounts, you wouldn't even believe it.

Trey James:

We were talking before the show. You went to your website to see that you have been hacked and charged where you've been hacked. Lastpass uses those sites to run your known passwords against those breached databases, and it will tell you which of your passwords have been used or been compromised in the past. Now you get full scale knowledge of how exposed you are.

John Monahon:

Technology for good this time.

Trey James:

Finally.

Evelyn Ashley:

Yes, finally.

John Monahon:

Welcome back to In Process. We are here with Trey James of Xcentric, talking about data security in 2016. Trey when we left off we were still talking about sort of the common ways people fall prey to scams or data ...

Evelyn Ashley:

Breaches.

John Monahon:

They make themselves vulnerable, we are talking about passwords. How we could do better protecting that. What about Wi-Fi? What are the dangers in using Wi-Fi for individuals and organizations when you log on there?

Trey James:

If you think about what these hackers are after, ultimately, credentials are the absolute number one thing they are after. If they can grab your credentials, then they can get to places that only you should have access to. Let's talk a little bit about super tech stuff. There is a technology out there, Wi-Fi we all, it's super convenient, go to Starbucks, or whatever in a coffee shop and we are on the web and feel good about it. The reality is it's actually pretty scary. There is a technology called a Wi-Fi Pineapple. They are 100 bucks, $99, you go to wifipineapple.com. If you buy 10 or more you get a 10% discount by the way. This little black box is about the size of a deck of cards and that box if you take it into Starbucks you can bump off the Starbucks' Wi-Fi network and it will assume Starbucks. Now when you log into Starbucks you are logging into their little black box. It's called man in the middle, it's part of the equation. They are now able to see what goes through this box to get then back out to the internet. If you are using your credentials in a decrypted way, in an open way, then they now have your credentials. You can watch it, right there on the screen. As you are going to a website it shows your username and your password in clear text.

Evelyn Ashley:

Just being sucked right by.

John Monahon:

The second I log on to them and they have me sort of hooked into their Pineapple and I stick in my username, and let's say I log onto some site or?

Trey James:

If you do nothing because your computer sitting there checking your email all day long. Every time it checks your email it's sending your credentials to do that. Then you go to your bank, now they've got you. Interestingly enough, and I think they are going too far. You can go too far, it's like Fort Knox, if we want it to be really secure, we'd pour a mile of concrete over the top. Nobody would ever get in but then it wouldn't be useful. There is kind of a practicality to all this stuff. I use Wi-Fi, because you've got to use it, you just have to use it smart. The challenge here is that the hackers have come up with ways to compromise the convenience factor of Wi-Fi. When you walk home, when you walk into your house, your phone connects to your Wi-Fi network at home automatically. This Pineapple, the way it does that is, your phone inside you've seen this list in the Wi-Fi settings that says, "These are all the networks you've ever connected to." It remembers those, so you don't have to go through the hassle of connecting again. That phone does something called a probe request all of the time that it's not connected to a Wi-Fi network. What it does is it sends out this request that says, "Hi, Starbucks are you there?" And it listens. If it doesn't respond it goes to the next one. "Hi, Evelyn's home network, are you there? Hi, Trey's network. Every network, Hilton, are you there?" As soon as something responds it then uses the stored credentials to go right in. This Wi-Fi Pineapple takes advantage of that, the probe request. It says ...

Evelyn Ashley:

Here I am.

Trey James:

Is Starbucks there, or your your home network there? It says, "Yeah, that's who I am." Then your device sends its credentials to say, "Let me authenticate with you." It says, "I don't really care what you send me, I'm going to let you connect." Now you are stuck, and everything you type goes through there.

John Monahon:

How do we combat it?

Trey James:

At the risk of losing your I guess ease of use, you turn off Wi-Fi when you are not using. That's a hassle but that's part of it. The only real way to circumvent that is to use what's called a VPN client, virtual private network client. On a phone it's not easy. On a computer it's easier but it's still a hassle.

Evelyn Ashley:

Steal the log in too.

Trey James:

To me, if I'm super sensitive about logging into a public Wi-Fi, I will choose tethering with my phone over connecting to the Wi-Fi. [inaudible 00:40:39] often times faster. That's one you really can't avoid.

John Monahon:

What are some things that, say businesses, some simple things that they probably are not doing that they can do? We talked about sort of the things that individuals are falling prey to, the passwords are obviously something. What about encryption, other things?

Trey James:

Like you said, it's mainly blocking and tackling, what are some suggestions for them? When I talk to businesses about just having a security profile, number one it's having a process that keeps people trained. Don't open attachments. The attachment issue, making sure people know it's not okay to do this in our culture. You cannot leave your laptop in the back seat of your car while you run into the grocery store. Again, pretty simple kind of human behavioral things. If a client calls and says, "I'm a client, can I have this password?" You don't give it to be them. He's got to be challenged. These are process issues. In the terms of the technical side, there are companies out there that will scan your public facing internet, your firewall to validate that it's doing a reasonable job. Again, it's a cat and mouse game in terms of staying up. That's one thing. With the mobile workforce today, very few employees are behind the corporate firewall anymore. Having firewalls enabled, monitored and managed on local computers, we all have local firewalls that run in Windows and on Mac. If that's turned off, then you are exposed. If you've got 100 employees, how do you mandate, validate and control that that's turned on. There are systems to do that. To kind of manage that in a broad way. Encryption we've talked about, all of our laptops, all of our clients' laptops. We mandate that. The laptops themselves are encrypted. Before you can log in, the hard drive is called whole disk encryption. The entire hard drive is encrypted. If someone were to find it and they don't have the password to log into the machine, it's useless. Phones, most of the phones today are encrypted in that way already. You can only control what you have your arms wrapped around. I can control my laptop, I can control that it's encrypted. I can control that it has up to date antivirus on it. I can control that the email solutions that we use go through by filtering mechanism. I think one key thing is. There is a couple of things. One is attachments, these systems Mimecast is the tool we use and there is a whole host of them that do very similar thing. Mimecast, as mail comes in, if it's Mimecast and then they scrub it, and then they deliver it if they determine that it's safe. If they think it's not safe they put it somewhere else and it's quarantined. Then you have the ability to go through it.

Evelyn Ashley:

To go and look at it.

Trey James:

Yeah.

Evelyn Ashley:

We use AppRiver for that.

Trey James:

AppRiver, another great company. You can, it puts those into a queue for you to evaluate because this is iffy. Then the other things they know, this has got a virus. We know exactly what virus it is. We are not going to let you get in the mail. That's another element.

John Monahon:

What about sending email? When you send emails and it has information in it, sending it ... Do you suggest sending it in an encrypted manner or not?

Trey James:

If you don't care about the data being exposed, then sure, send away. If you, I think you've got to encrypt all the attachments that have any kind of private information in them or confidential information. AppRiver has this, Mimecast has this, most of the mail technologies use large file send and attachment encryption technology. Highly recommended.

John Monahon:

We definitely use it for our sensitive communications. We have that ability. Trey, it was very nice to have you back as a repeat guest.

Trey James:

Glad to be here.

Evelyn Ashley:

Great show.