HackTalk is a long-running monthly podcast with Sean Bailey and Devin Kropp, co-authors ofHack Proof Your Life Now!, which covers the latest cybersecurity threats and issues advisors need to know to protect themselves and their clients. You can listen to the full broadcast in the video below, or you can get just the highlights by reading the article, where the transcript has been edited for length and clarity.
Sean Bailey: Hi, everyone. Welcome back to HackTalk, your monthly cybersecurity podcast. I’m Sean Bailey, editor-in-chief at Horsesmouth. And I’m here with Devin Kropp, co-author of Hack-Proof Your Life Now!, and co-creator of the Savvy Cybersecurity program. Devin, in today’s episode we are going to be talking about something we were discussing all the way back in 2016, maybe even 2015—this issue of updating software. Tell us what’s going on with all that and why it’s important.
Devin Kropp: Right. So, this continues to be an issue. We continue to see people resisting this idea of updating software in a timely fashion. So, when we are talking about updating software, we’re talking about updating programs and operating systems on all of your devices: your smartphone, your tablet, your computer, your smart T.V., any other smart item you have in your home. We’re encompassing everything underneath that.
And updating your software is actually one of the most important cybersecurity actions you can be taking on a regular basis. It’s something that security experts themselves do all the time in a very timely fashion. But when you ask the general public about their habits when it comes to updating software, it’s usually not as good.
We usually see a much longer lag time between when the update comes out and when people actually complete that update. And that is for a number of reasons, but it also causes a serious number of problems, too. We do know that outdated software oftentimes is one of the number one ways that hackers are able to get into different devices.
So, usually when we get an update for software on our computer, on our phone—I mean, I’ve fallen victim to this too, where you’re in the middle of something and you just don’t want your computer to restart at that moment, so you keep hitting snooze and all of a sudden it’s been two weeks and you haven’t updated your computer. And sometimes people think, “Oh, that’s no big deal. It’s probably more of an aesthetic update,” or, “It’s not really going to affect my security.” But that, most of the time, is not true.
Most of these updates contain security patches for different software or operating systems on your devices that are closing holes that hackers are knowledgeable about. So, these are things that are usually being exploited in the wild already. Hackers know they exist and they use them to be able to get into your system, download some sort of malware, whether it be ransomware or any spyware on your machine, and then are able to collect information that way.
The recent Apple and Chrome urgent updates
It can also cause issues with your device in general, where it stops working, because malicious apps are installed. A whole range of things can happen while leaving different software outdated. And this past month we saw two examples of outdated software that hackers were actively exploiting. Number one was the big Apple update. That was a few weeks ago now. This was classified as an emergency update for all iPhone and iPad users.
Basically Apple came out and said, “We discovered this security vulnerability that’s allowing this Israeli group called the NSO Group to basically spy on journalists and other human rights advocates.” Now, you might be listening to this and say, “I’m not either of those things. Why do I need to update my Apple device? I’m clearly not their target audience.”
Apple issued this emergency update for everyone because once this is out in the open, other hackers are able to take the information and the exploit that the original group used and target it to a greater population of people. So, they wanted everyone to update immediately because they knew that other people might use this to their advantage to create new hacks that they could use to get into a regular person’s phone.
So, again, you might get that update on your phone and think, “Oh, it’s just getting the aesthetic update on my iPhone and I don’t want how it looks to change, so I’m just going to delay it.” But this is an example of why it’s really important that you update it as soon as possible.
And Apple really pushed their language with this, too. Usually we don’t hear a ton from them directly about updates. You’ll get the notification. Maybe some security experts will explain it. But in this one, Apple came out and said, “Everyone needs to update right away.”
And then a few weeks after that, Google actually did the same thing with their Chrome browser. They have updates pretty regularly, but they came out and said, “This is a very important update and everyone needs to update now, including if you use Chrome regularly, obviously you need to update. Or if you use another browser but you just have Chrome installed on your machine, you still need to go in and update.”
So, the updates that they were fixing were currently being exploited by hackers. People were falling victim to it. So, it was another example of why we need to be really timely when it comes to updating the software. Because it’s not just that aesthetic change to your favorite browser or your device. It’s all about real security.
Sean: Right. And of course, to use a biological metaphor, which we use quite a lot in the online world, your update is like a vaccine against the virus. But if you don’t like that, you can view it as a new force field to protect from whoever attacks you in Star Wars or Star Trek!
Updates easier than in the past
Sean: The updating seems less burdensome than it used to be. Is that your take as well and if so, why?
Devin: I do agree with that, I think, depending on the device or program we’re talking about, definitely. For example, the Google Chrome, which I was just talking about, they’ve made their updates, really, a seamless process.
You’ll get a little notification on your browser. It changes colors as the update gets older. So, the longer you wait, you have a visual representation that you are delaying this update. And what I particularly like about their update process is once you hit update, it will close all your browsers that you have open. But when it restarts, it will save all of your tabs. So, if you’re someone like me who has 50 tabs open at a time, you don’t have to worry about losing them all.
So if you are in the middle of working on something and you need those tabs, you can update and have everything restart that way, too. When I think about the Windows PC, I think they have gotten better with it too, because instead of just allowing you to snooze an update, meaning that you’re putting it off forever, you can choose a time for it to restart automatically.
So, if you get that update and you really are in the middle of something, because Windows updates can sometimes take some time to go through, depending on what is being updated, you can set it for a time where you know you’re not going to be actively working on something and it will restart, say overnight, or whatever time you choose.
Same thing, I think, with Apple. The iPhone, too, they just automatically do it overnight now. So, people don’t have to worry about that. You get the notification, “There’s an update available. We’ll restart overnight.” So, I think they have made improvements to it where people don’t feel as much like, “Oh, I’m in the middle of something. I’m going to miss a call. I don’t want to do this right now.” You can choose times that are better for you.
And of course we’re talking about operating systems mostly right now, but all of your other software needs to be updated, too. So, if you use things like Adobe, Microsoft Office is usually included in that Windows update, but if you’re an Apple user using Microsoft Office, those things need to be updated as well.
Auto-update everything you can
And best practice is really to set all of those for auto-updates as much as you can. Again, when you do that, you can usually select, you want it to be done overnight or at a certain time, so it won’t happen in the middle of your day. But we do say that best practice is to set those to auto update, especially if they’re things you don’t use on a regular basis. Because you could be having outdated software sit on your desktop that is just opening you up to hackers.
Sean: Right. I do feel personally that I’ve done a better job of updating when I made the connection to Zoom not running as well as it ought to for a variety of reasons, mostly with having too many tabs open and stuff, but it has generally led to me updating more frequently. Just rebooting my machine, so if the update is set to go, if there’s an update out there, that’s going to happen too. But just to have the cache cleared so that I’m not worried about freezing in the middle of a Zoom session.
Supply chain security
Sean: So, let’s move on. Supply chain. That is a word that has become very big in our local vernacular in the last six months or so relating to concerns about inflation and chips not being available and lumber or wood not being available and all that sort of stuff. But now it has entered the world of cybersecurity as well. What’s going on with that?
Devin: I feel like every night on the news we’re hearing about supply chains. And in addition to things being just delayed, news has also come out that now hackers are exploiting various parts of the supply chain, which is leading to other delays. This was, in particular, I’m talking about the vaccine supply chain and how hackers were targeting different parts of that chain, which has led to delays in shipments or production. But I would not be surprised if we start to see this in other industries as well, if it doesn’t already exist. I think it probably does.
But it’s just a reminder that all various parts of our society are effected by cybersecurity in ways that we don’t even think about. Because again, when we’re hearing about supply chains, we’re just hearing about these delays. But most of these supply chains are controlled online by machines which could be vulnerable to attacks like we were just talking about. If any part of that supply chain is running outdated software, it is vulnerable.
If anyone is using a bad password, it is vulnerable. If things are not being secured with good Internet protection, it’s vulnerable. And so I think it’s important that we do think about things that we see in the news through the lens of cybersecurity as well, because there are many situations where hackers are exploiting these really important parts of our society that help keep things running. And we are vulnerable to these attacks because often we don’t have federal standards in place to protect these things. There isn’t as much punishment when companies are found to not be up-to-date on their cybersecurity.
When it comes to something as important as getting the vaccines out to people who need it, that’s a pretty scary thought—to think that such an important industry is being targeted and they’re succeeding at targeting that area. So, just something to be aware about when you’re hearing about supply chain and what that means.
And obviously for the majority of us, it’s not something we can go and take action about, but we can be reminded that every part of our life now is online and it’s affected by things that are online. And so cybersecurity is so important for every aspect of our lives, not just protecting our email and our phone, but everything we do online needs to have that cybersecurity protection as well.
Infrastructure security and national standards
Sean: Right, right. Yeah. So, well, this leads us up to this discussion of the infrastructure bill. And when I was a kid, infrastructure bills were roads, sewers, bridges, airports, super highways, port facilities. But now there has been, probably rightfully so, an upgraded notion of what infrastructure is and what it means to our society. This infrastructure bill has bipartisan support. It’s being debated in Washington. What’s going on there relating to cybersecurity? Because we have, since our book came out, we have been saying that this country needs a full court press on this issue of cybersecurity, and I haven’t really seen it that much.
Devin: Right. So, yes, again, great point about how infrastructure has changed over time. And now I think, especially through the pandemic, but even before that, we were seeing that access to an Internet connection is necessary for people to be able to participate in society and is part of our nation’s infrastructure that we rely on this Internet connection. And with that comes security risks if we’re not educated about it.
The infrastructure bill that we’re seeing right now in particular is focusing mostly on the idea of ransomware hitting our pipelines, energy companies, things that we’ve been seeing in the news in the last year. So, the Colonial Pipeline, if you remember, it was a huge ransomware attack, cost a ton of money, caused gas shortages in parts of the country. It was a real mess.
And we’ve seen instances like this before. Earlier, there was a water supply in Florida that had been hacked into, and that was causing issues, for instance. And we’ve seen it in other places. I think the Colonial Pipeline, because it was so big and cost so much money, this was really a wake-up call to Congress that they needed to do something about how to protect our infrastructure like this from cyberattacks.
And we’re still talking about traditional infrastructure here, but updating it to be, how do we protect it, not from someone just literally coming in and hacking away at it, but going online and hacking into it. So, we’re seeing, in this infrastructure bill right now that they want to pass, part of the bill will be to, number one, have federal mandates about how these different companies need to protect infrastructure projects in the United States, what security guidelines have to be in place that they need to follow to make sure that they are being as secure as possible.
There’s also going to be some information on what they need to do if they do fall victim to an attack. So, in the past, we’ve seen some federal mandates on how companies are supposed to respond to data breaches and things, but they haven’t really been well executed and people aren’t following up on it as well. So, this idea here is that there would be federal mandates in place that everyone would have to follow, and it would be passed into law through this bill. And it would also extend to whenever the government is trying to partner with a third-party vendor to build infrastructure in the U.S., that they need to be vetted from a cybersecurity standpoint, again, following whatever mandates they end up putting into law.
So, it is a really good step in the right direction of starting to have cybersecurity mandates and building the idea of cybersecurity into our infrastructure, because we do know that one big attack can cause ripple effects in our society. And so people now have seen that some of our infrastructure is vulnerable to these attacks and we need to do a better job at protecting it. So, this is a really good first step in protecting our infrastructure from these kinds of attacks.
Sean: I think the statistic I’ve seen is that there are 300,000 cybersecurity jobs unfilled, and it just seems like that number will continue to grow. It’s a great opportunity for younger people as well
Devin, well, thanks so much. Thanks everyone. That does it for this month’s HackTalk. I’m Sean Bailey, editor-in-chief at Horsesmouth, here with Devin Kropp.
And let me remind you financial advisors out there, October is cybersecurity month and the Savvy Cybersecurity program includes an excellent presentation to give to clients and prospects that literally, the main presentation, literally boosts their cybersecurity right in the presentation. People start out by making an initial analysis of their own cybersecurity by answering 10 quick questions, and then you step them through the rest of the presentation.
And by the end, they’ve identified three big steps they can take that they can complete, usually within 48 hours, and will dramatically boost their cybersecurity. So, keep that in mind as well, October being cybersecurity month. OK, everybody. Thanks so much. We’ll see you next month. Take care.