Cyber Crime Took Center Stage at Last Year’s Annual Conference
At the 2019 SDA Annual Conference, former FBI agent Michael Bazzell gave two presentations on the risks of cyber-crime, teaching his audience how to protect themselves from cyber-extortion.
The first presentation, “Protecting Your Organization from Cyber-Crime,” focused on the nature of modern cyber-crime and best practices to lower the risk of being hacked.
The following day, Bazzell gave a second presentation geared toward individuals called “Securing Your Family’s Digital Life.”
We learned that one common way criminals get into an organization's data is by recovering passwords from earlier breaches. To show how little effort this takes, Bazzell demonstrated how an attacker can start from public social media accounts and end up with an employee's work password.
First, he ran a reverse search of the organization’s name in Facebook to find the personal accounts of the organization’s employees.
Then, he looked up one of the employees' names on LinkedIn. Although the profile was set to private, he was able to reach it through a simple Google search. Once on the profile, he opened the browser's web developer tools (a view of the page's underlying code) and found her unique numeric profile ID.
He then searched that ID in a program containing leaked data from past LinkedIn breaches and found her password hash. The leaked data does not contain "encrypted" passwords: it contains hashes, one-way fingerprints of the password, so there is nothing to decrypt. Because LinkedIn had stored them with a fast, unsalted algorithm, he only had to paste the hash into a lookup site that matches it against enormous tables of already-cracked passwords, and her actual LinkedIn password appeared. Most people reuse passwords for convenience, including across work and personal accounts.
As a result, an attacker who recovers an employee's LinkedIn password very often holds that person's work password as well. To avoid this problem, Bazzell advised the audience not to reuse passwords and to change them regularly. He suggested that if you can remember your password, it isn't strong enough. His recommendations included password managers such as KeePassXC or LastPass or, counterintuitively, a paper notebook, which a remote attacker cannot reach.
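The following is an added illustration, not code from Bazzell's talk, of why the lookup step above works and why it stops working when passwords are stored properly. The "leaked" table, wordlist, profile IDs, and work directory are all constructed for the example; the iteration count is kept low so it runs quickly. The last function shows the same reuse step from the defender's side: checking whether any employee's work password matches one recovered from a breach.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the leaked LinkedIn table: unsalted SHA-1 digests
# keyed by the member's numeric profile id. Ids and passwords are invented.
LEAKED_LINKEDIN = {
    "10482913": hashlib.sha1(b"Summer2019!").hexdigest(),
    "10482914": hashlib.sha1(b"linkedin").hexdigest(),
    "10482915": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist. Real attackers use billions of entries harvested from
# earlier breaches; the mechanics below do not change.
WORDLIST = ["password", "linkedin", "Summer2019!", "qwerty123", "Welcome1"]

PBKDF2_ITERATIONS = 100_000  # low so the demo runs in a second; production uses far more


def build_lookup_table(wordlist):
    """Hash every candidate once. Because the dump is unsalted, one table resolves
    every user's digest; the lookup site in the talk is this dict at scale."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(leaked, table):
    """One dictionary lookup per leaked digest, no per-user work at all."""
    return {uid: table[h] for uid, h in leaked.items() if h in table}


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """How the password should have been stored: random per-user salt plus a
    deliberately slow KDF. Returns (salt, digest, iterations)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def pbkdf2_matches(password, record):
    """Constant-time comparison of a guess against a stored (salt, digest, iterations)."""
    salt, digest, iterations = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


def crack_salted(records, wordlist):
    """Against salted, slow hashes no precomputed table applies: every
    (user, guess) pair costs a full KDF run. Returns (found, kdf_runs)."""
    found, runs = {}, 0
    for uid, record in records.items():
        for w in wordlist:
            runs += 1
            if pbkdf2_matches(w, record):
                found[uid] = w
                break
    return found, runs


def credential_stuffing_hits(cracked, work_directory):
    """The reuse step from the talk, seen from the defender's side: test each
    password recovered from the breach against that person's work record.
    Every hit is an account to reset immediately."""
    return {uid: pw for uid, pw in cracked.items()
            if uid in work_directory and pbkdf2_matches(pw, work_directory[uid])}


# Constructed work directory, keyed by the same ids only for the demo; in practice
# you join breach records to employees by e-mail address.
WORK_DIRECTORY = {
    "10482913": pbkdf2_record("Summer2019!"),             # reused from LinkedIn
    "10482914": pbkdf2_record("Tr0ub4dor&3-work-only"),   # different password
    "10482915": pbkdf2_record("correct horse battery staple"),
}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    cracked = crack_unsalted(LEAKED_LINKEDIN, table)
    print("recovered from unsalted dump:", cracked)
    print("work accounts using a breached password:",
          credential_stuffing_hits(cracked, WORK_DIRECTORY))
    found, runs = crack_salted(WORK_DIRECTORY, WORDLIST)
    print(f"salted directory: {found} after {runs} KDF runs (vs. zero per-user work above)")
```

Note that the salted directory still gives up the reused password: salting and a slow hash raise the attacker's cost per guess, but a password that already sits in a breach wordlist is found within a handful of guesses. That is why the talk's advice (never reuse, let a manager generate passwords you cannot remember) matters more than any storage scheme the other site may or may not use.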
Another common technique for getting at data is phishing. Phishing occurs when attackers send email messages to employees while impersonating a coworker, an organization, or an authority. These messages often contain a link or attachment that installs malware on the employee's computer and, from there, into the organization's network.
Phishing emails often come from obviously suspicious addresses, but Bazzell demonstrated how attackers use certain websites to spoof the sender address so that a message appears to come from a trusted source. The address shown in the From line is therefore no proof of who actually sent the message.
To protect yourself from being phished, Bazzell advised inspecting any message with links or attachments carefully and asking a series of questions: Was I expecting this email? Do I know who the sender is? Does the content read as if the known sender wrote it? Does the email press for urgency? He also warned the audience to be wary of zipped attachments unless you are certain they are legitimate.
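As an added example, not from Bazzell's presentation, the script below applies the mechanical parts of that checklist to a constructed message using only Python's standard library: is the display name a known colleague writing from the wrong mailbox, is the sender domain a look-alike of ours, would replies go elsewhere, did our own mail server record an SPF/DKIM/DMARC failure, is the wording urgent, and is there a zipped or executable attachment. The domain `example-district.org`, the staff directory, and both sample messages are assumptions made up for the example. The two questions only a human can answer (was I expecting this, does it sound like the sender) are left to the reader.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example-district.org"  # assumed recipient organisation (constructed)
# Constructed staff directory: display name -> the address that person really uses.
STAFF = {"Dana Ortiz": "dana.ortiz@example-district.org"}
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
RISKY_EXT = (".zip", ".7z", ".rar", ".iso", ".js", ".vbs", ".exe", ".scr", ".html", ".lnk")


def build_lure_message():
    """Constructed lure in the shape the talk describes: a coworker's name on a
    look-alike domain, a diverted Reply-To, urgency, a zipped 'invoice', and a
    DMARC failure already recorded by the receiving server."""
    msg = EmailMessage()
    msg["From"] = '"Dana Ortiz (CFO)" <dana.ortiz@example-district.co>'
    msg["To"] = "payroll@example-district.org"
    msg["Reply-To"] = "dana.ortiz.cfo@mail-relay.example.net"
    msg["Subject"] = "URGENT: wire confirmation needed today"
    msg["Authentication-Results"] = (
        "mx.example-district.org; spf=fail smtp.mailfrom=example-district.co; "
        "dkim=none; dmarc=fail header.from=example-district.co"
    )
    msg.set_content("Please open the attached invoice and confirm immediately.")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="invoice_0512.zip")
    return msg.as_string()


def build_legit_message():
    """Constructed ordinary internal message from the same colleague, for contrast."""
    msg = EmailMessage()
    msg["From"] = '"Dana Ortiz" <dana.ortiz@example-district.org>'
    msg["To"] = "payroll@example-district.org"
    msg["Subject"] = "May board packet"
    msg["Authentication-Results"] = "mx.example-district.org; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content("Attached is the draft packet for review next week.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="packet.pdf")
    return msg.as_string()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(raw, our_domain=OUR_DOMAIN, staff=STAFF):
    """Return {check_name: bool} for the parts of the checklist a machine can do."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    bare_name = re.sub(r"\s*\(.*?\)", "", name).strip()      # "Dana Ortiz (CFO)" -> "Dana Ortiz"
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    files = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return {
        # "Do I know who the sender is?"  A real colleague's name, but not their mailbox.
        "name_impersonation": bare_name in staff and addr.lower() != staff[bare_name],
        # Look-alike domain: same first label as ours, different suffix.
        "lookalike_domain": from_dom != our_domain
                            and from_dom.split(".")[0] == our_domain.split(".")[0],
        # Replies would go somewhere other than where the mail claims to come from.
        "reply_to_diverted": bool(reply_dom) and reply_dom != from_dom,
        # Sender authentication verdicts written by our own mail server.
        "auth_failed": any(v in ("fail", "softfail", "permerror", "temperror")
                           for v in auth.values()),
        # "Does the email have a sense of urgency?"
        "urgency": bool(URGENCY.search(text)),
        # Zipped or executable attachment.
        "risky_attachment": any(f.endswith(RISKY_EXT) for f in files),
    }


def verdict(checks):
    """Two or more hits: hold the message and verify out of band before acting."""
    hits = [k for k, v in checks.items() if v]
    return ("hold", hits) if len(hits) >= 2 else ("deliver", hits)


if __name__ == "__main__":
    print("lure :", verdict(triage(build_lure_message())))
    print("legit:", verdict(triage(build_legit_message())))
```

The Authentication-Results header is only trustworthy when it was added by your own inbound server; a sender can forge one, so a real deployment strips any copy that arrives from outside before its own server writes a fresh one.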
The last tactic Bazzell discussed during the keynote address was the social-engineering telephone call. Social engineering is the art of manipulating someone into handing over confidential information. Bazzell played recordings of a series of telephone calls he made to an organization while posing as an employee of the company's IT department. Under that cover he was able to learn the names of the newest employees, who were the most vulnerable to such an attack.
The new employees quickly divulged their usernames and passwords to him without catching a hint of deception. Bazzell urged the audience never to give out confidential information over the phone without absolute certainty about who is on the other end. A legitimate IT department never needs a user's password, and a caller's claim can be checked by hanging up and calling back on a number taken from the organization's own directory.
Back for Round Two
Bazzell's presentation was so compelling that we received numerous requests to bring him back for an expanded workshop for boards, managers, and supervisors that takes his demonstrations even further.
On May 12, that presentation will take place in Aurora at The Summit Conference and Event Center. This event will dive deeper into how members can stay protected. Every Colorado entity is a target; the goal is enough protection that attackers move on to an easier one. Tickets are available at a discounted price of $50.00, and members can sign up here.
As board members, managers, and supervisors, it is up to you to impress upon employees the threat of social engineering and your district's cybersecurity policy. So mark your calendar and watch for more details, as class space will be limited, or contact the Pool to reserve space in advance for your district's employees.