Cyber Security with Rob McQueen

Cyber Security with Rob McQueen: Audio automatically transcribed by Sonix

Cyber Security with Rob McQueen: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Katie:
Welcome to a City of Redding podcast. We're talking cybersecurity today. If you have a computer, a phone, a bank account, or a Social Security number, or you aren't just living under a rock somewhere, this episode is for you. Cybersecurity is something everyone is worried about but might not know where to start or what to watch out for. This is why Rob McLean, cybersecurity officer for the City of Redding, plays a key role in making sure that city data is safe and secure.

Steve:
He also has a lot of great tips and tricks for the community phishing malware, ransom attacks, and your basic scammers are unfortunately all around us. How should you keep yourself and your family safe online? What should you look out for? Just in time for Cybersecurity Awareness Month, which happens nationally in October each year? I will answer these questions as well as talk about the future of cybersecurity in the age of self-driving cars and AI technology.

Rob McQueen:
My name is Rob MacQueen and I'm a cybersecurity officer with the City of Reading.

Katie:
I'm actually not sure if cybersecurity is necessarily a new position for the city, but it definitely seems to be a growing industry and something that people are paying more attention to now. What is cybersecurity and why is it important?

Rob McQueen:
That's a great question. Yes, cybersecurity is it's it's a really hard thing to define honestly because it involves more than just bits and bytes and ones and zeros, as they say. Cybersecurity, it's technology. It's things that we hear in the news, like ransomware attacks. It's things that we hear like phishing attacks, phishing and spam, email, those types of things. But but it's also controls around security and controls around information technology and data and how we protect data and that kind of thing. So it's really hard to put cybersecurity in a box. It's kind of a vague term, honestly, technological ways of potentially doing harm, causing a data breach, causing ransomware attack and encrypting everyone's data and then not being able to get it back. So it's a combination of a lot of things.

Katie:
Maybe this is an obvious question, but it's worth asking Why does the city of Redding need a cybersecurity officer? What is it that the city is using this role for?

Rob McQueen:
Well, I'll tell you, when when I started, a lot of the need for this position was related to the electric utility. The electric utility is facing a pretty rigorous certification process that they've been undergoing for for several years now, which is going to come to completion, which is actually the starting line soon for the utility moving forward. So a cybersecurity officer in that part of the city's role is kind of looking at the critical infrastructure protection, they call it, and standards It's NERC is is the acronym. It's a lot of standards and processes and governance and ways of protecting the critical infrastructure, which is the electric utility and how it interconnects with other utilities. So that was really, I think, the push for for this position initially. But as I've as I've kind of settled in a little bit and seen other other parts of the city, we also have two airports here and one that we that we're moving quite a few passengers through. And we have the integrated public safety with with the police and fire and the challenges that go with protecting that data and governance around those.

Steve:
I'm curious on that on that same thread, how does cybersecurity differ in local government than it might say in a university setting or in banking or in the private sector?

Rob McQueen:
I will say that in the school setting, I've been around education for quite a while. Also, I teach part time and I've done that for about five years at the community college and then and then worked full time for the CSU. So seeing kind of the standards and the regulations that they adhere to versus the city, they're very similar. Some of the oversight is different in how often city is being reviewed or IT processes and procedures are being looked at really strictly might differ a little bit, but there's just there's only so many people to go around. And the more that cybersecurity and these kind of issues come into the news, the more emphasis there is on it. So I guess I'd say the city level versus the CSU is pretty similar as far as the regulations and the requirements that we're trying to follow overall on a higher, higher level.

Katie:
And I think when people hear the term cybersecurity, they think of like hackers and big data breaches and all the stuff that pops up on their computer, like the ransomware, all those things, is that really what it is? It sounds like there's a lot more regulation and a lot more, for lack of a better term. Checking the box, making sure that you're installing the right things and working to proactively. Prevent attacks more than you are actually, like fighting back against attack. Is that right?

Rob McQueen:
It is. And it's a blend of both of those things. I talk about governance and stuff. I'm really a risk nerd, I guess. I think can't really make a decision about any technology or anything you're doing unless you kind of take a look at the risk that that's going to pose to your customers or people you're trying to serve. So I always approach everything with a risk mindset. What's the potential risk of making this decision? And then I like to ask questions and survey it out a little bit. If we implement this technology or do this thing, here's the potential risks of doing that. Here's how we would handle customer data or here's how we would do these types of things. So first and foremost, I think risk is kind of where it all starts. And then you take a look at the tools and the things you have to stop ransomware and pop ups and spam and phishing email and those kinds of things. Look at the risk you are in the overall scheme of things. What do you have of value? What does someone have to gain from attacking you or taking your data or whatever that is? And then you kind of put controls around it based on the amount of risk that you're willing to accept or not accept. I mean, everybody naturally would say, Yeah, we want zero risk. Our appetite for risk is absolutely zero. But realistically, it's just not realistic. If you're if you're going to connect a computer to the to the Internet. So you kind of have to factor that out a little bit and ask yourself, why am I doing this? Do I really need all of these services and things turned on on this computer, or can I get away with maybe just a few things that I need just to do this job and then have some good controls around it? So that's kind of what I'm always looking at.

Steve:
I'm curious, as the resident cybersecurity expert, we as a society are so connected now between phones and computers and stored credit card numbers and Social Security numbers. What should the community know about their own cybersecurity?

Rob McQueen:
I would say the phrase zero trust is one that's being thrown around a lot right now. And there's actually a directive from the president that's wanting all federal agencies to adopt a zero trust frame of mind or architecture. I guess I'll say so. And that goes for everyone. I mean, essentially saying, you know, you can't really trust anyone 100% completely. We do to a certain degree based on based on the risk we're willing to accept. But that zero trust mentality is think about when you're on your mobile phone maybe and you're logging into your banking site. It's like, are you connected to a wi fi? Any coffee shop where they offer a public wi fi? Maybe that's not a good idea. You can't really control who has access or control of that wi fi router. So there's things that can go wrong there. There's also a lot of resources out there for the public to take advantage of free stuff and kind of guidance and Cybersecurity Awareness month that's going on right now. It offers a lot of free tools and things for people to take a look at and it's really helpful stuff.

Katie:
And we wanted to mention Cybersecurity Awareness Month. October is Cybersecurity Awareness Month, and I was not aware that October was Cybersecurity Awareness Month. Has this been a long standing thing? Is it new and why are we celebrating it or I mean, that's a bad term. We're not celebrating. You don't celebrate. Why? Why is there a month that's dedicated to cybersecurity?

Rob McQueen:
It's actually been a thing for, I believe, about 19 years now. Yeah. So it's it's always the month of October. And in the past it's been theme based. They've had a theme for week one and a theme for week two, week three, week four. This year they kind of threw the theme thing out the window and just kind of said, We're going to stick to kind of four key topics. It's basically the whole theme. The overarching theme for the month is see yourself in cyber. And it's it's talking about things like using multifactor authentication. A lot of your sites now, your Netflix or your banking sites are saying, you know, add that PIN code to go with your password. And just simply doing that, it really, really increases your chance of not getting your password, getting compromised. Password managers, those things where you can store your passwords. We have so many passwords we have to remember now and how many people remember all of their passwords. It's impossible. So we tend to reuse the same password for multiple things. So that's where that password manager comes in. Personally, I don't know a lot of my passwords. They live in a password manager and I get them from there and I use multifactor every chance I get. That's that's a simple one. People just using, just adding. I know it slows things down and security tends to slow things down sometimes. And we all have things to do. We have we have a million things to do during the day.

Rob McQueen:
But just taking that extra step with your banking site or something that you feel. What's the risk you're willing to accept here? Is it my bank account? Well, yeah, I think I want to add multifactor to that versus maybe if it's a library card or something or something and maybe isn't as valuable. Maybe I don't. I don't need that. But. But definitely the password managers are a really good way to go. And the multifactor is a really good tool to use.

Steve:
How do you handle the ever evolving technology? And I'm sure those that have nefarious means online or the dark web, whatever's out there as far as these negative technology advances around cybersecurity are ever changing and evolving. How do you ensure on the other side of that that you're doing the same matching, you know, blow for blow, if you will, so that we're best prepared as possible?

Rob McQueen:
Always trying to stay ahead of it is so important and it's a challenge. Honestly. Security is has been referred to as an onion. It's several layers deep, the outer shell. And then I'm pointing at the screen. I know you can't see me but the outer shell. And then if they get through that defense, you're on to the next defense and the next defense. It's always having these redundancies in case something bad happens. And then for myself, I love to learn. I'm constantly reading, I'm constantly researching.

Rob McQueen:
I think having something they call a threat intelligence program is really important. And threat intelligence is just all of those news bytes and blurbs and different reports of zero day vulnerability was found in Microsoft or this vendor or that vendor. There's a zero day out there. So always every day daily, I'm researching that kind of stuff and listening for what would impact the city the most. First and foremost, what are what are the most critical assets we have? How could they be impacted? And then looking for these threats that are out there that could possibly get to us. So the threat intelligence program involves memberships and a lot of different organizations. I belong to several of them by nature of my job and some of the certifications that I have allow me to have these memberships to threat intelligence programs where we information share that's not being shared with the public more or less, but be shared within industries. So information that is only shareable within the utility industry or maybe the Transportation Security Agency, the TSA, the information there for airports or other arms like that. So I'm a big fan of gathering that and kind of looking at trends over time and then just doing assessments locally, taking a look at what's our risk posture, what is doing an internal penetration test and seeing where we may be vulnerable and then looking at threat intelligence and making good decisions about what we do.

Katie:
And kind of on that note, are there some scams going around right now that people should be aware of? Like if you could probably talk to your friends and your neighbors and your family, like, hey, watch out for this or this? Scams gaining popularity. What are a few of those that you would tell the community about?

Rob McQueen:
Ransomware attacks are really prevalent right now, and the reason is, is because they're successful Ransomware is somebody infiltrating your network and they encrypt all your files and then hold it for ransom. You have you have to make a payment. And the popularity of Bitcoin and that kind of thing makes these transactions pretty much untraceable. So people are able to pay in Bitcoin and get their files back, but it doesn't always work. I've heard some horror stories about people who ended up paying a ransom but didn't get the data back. You're kind of you're at the mercy of people that are doing these kinds of things. So phishing email and social engineering attacks are really prevalent. Social engineering is that everyone has a public footprint on social media sites or whatever you choose to share about yourself, and then bad guys kind of leverage that information and try to gain your trust somehow. That's a pretty good one. Something called smishing attacks, like phishing attacks, but it's text based. So you're getting these SMS text messages. There was a Venmo or a money sharing app issue not too long ago where text messages were coming and saying, Did you authorize this transfer? Please contact us and would add a number or something. But it wasn't Venmo number. It was some call center somewhere where people are trying to just grab information from people. Phishing, 90% of ransomware attacks, I would say still around 90%. Every data breach is ransomware attacks, malware that gets launched. Those kind of things are coming through phishing attacks, through email attacks. And the reason is it's easy to do and it's still working. Spammer can send 500,000 emails and if they get 1 to 3 people to click, that's all they need.

Katie:
So and maybe you could just describe phishing just for people who might not know what some of these terms are. Ransomware. You got a description in there. Someone's holding your stuff for ransom. What's a what's a phishing attack?

Rob McQueen:
Phishing is just somebody trying to fish for information from me, basically, is kind of where the term comes from. It is someone sending you an email that says you have some action to take, you have a pass to balance, or your email server is going to be taken down for maintenance tonight. Please click here to make sure that you understand or something. Phishing emails are always trying to get the person to take some action or they are trying to create some kind of kneejerk reaction all the time. That is really, really common. They're all the same. They use tactics to defeat these spam filters that we have. One of them that we're seeing right now is just misspellings in in typical keywords that that the spam filters look for, like any of the typical keywords like payment payment, invoice or invoice due that will misspell invoice and misspell the word due in order to trip up this keyword tool to finding keywords like that. So so it will pass the email and hopefully get a hit. So and they're very, very clever, the people who do these kinds of things because it's lucrative, they make a lot of money from it.

Katie:
What would you tell people who are maybe now like nervous to open emails or nervous to click on links because maybe they have been phished before or maybe they know about these phishing scams. What do you tell people? How can they protect themselves at home?

Rob McQueen:
I tell my family, I tell everyone I know if you're not expecting an email from somebody and they're asking you to take some action, delete it. Just just ignore it. Just there's no harm in not responding to an email. Part of most of the success of these phishing scams is them to prey on your your sensibilities. You might be an honorable person. I really want to do the right thing. And this person's trying to lure me into taking some action because they are expecting you to really be an honest person and do these honorable things and they prey on that. So just always keep in mind if you're not expecting it to, there's no harm in ignoring it or if you think it has come from somebody that you know but you're not expecting. I mean, it doesn't it doesn't hurt the column. Just give them a call. I know a lot of us, we don't use the phone much anymore. It's you know, you can send a text really quick. That's what it is. But I mean, you can even send them a text and say, hey, did you mean to send this email? I think your email might have been compromised.

Steve:
And Robert, there are certain demographics or subsets of the community that are more susceptible. I know we hear sometimes maybe some of the older population falls prey to certain cybersecurity risks. Same with. Teenagers who are relatively new to computers or phones or whatnot. I mean, are there certain demographics that are more susceptible? And if so, do you have any tips, tricks, advice that we haven't already discussed that could be helpful for those folks? Yes, there are resources.

Rob McQueen:
When I worked in the banking industry, I did some presentations on elder financial fraud and spoke to these senior communities about some of the types of scams that are out there. These sweetheart scams, they call them, they prey on somebody who may have just lost their their husband or wife, and they see that obituary in the paper and they reach out to them and and want to help them and be helpful, but end up gaining access to their checking account. We saw it in banking a lot. They would elderly person coming in with a new younger man and saying, oh, this is my new my new special friend and we want to withdraw $5,000 because we're going on vacation and that's always a red flag. So, yeah, the elder population, those those financial scams, there is phone scams where they'll call and say, my grandson just called and he's stuck in a prison in Mexico and I have to wire this money or he won't be able to come back. And they just prey on their on their sensitivities. Like I said before, you know, their willingness and want to do the right thing. It's terrible and it's prevalent.

Steve:
And what about the other end of that, too, with children who are experiencing some of this technology, are there certain resources that you can recommend? Or how do you unleash the world of technology on children these days? That is a really tough one.

Rob McQueen:
And I will say, though, that Cybersecurity Awareness Month, it's sponsored by it's called Stay Safe Online dot org. It's a nonprofit and they work with the National Security Agency. They offer a lot of free tools and things that people can use to protect themselves. It talks about how to identify cyberbullying or if if a young person is is just starting to get involved with technology and they're being cyberbullied, what to look for or what to do. Cyberbullying is a really is a really big one. And then for anyone who just has a establishing credit or who has a new checking account or is in college or something, they have to stay safe online. They offer a lot of instruction for how to protect your privacy and your mobile apps. There's a lot of different privacy settings in some of the social media sites that can get overwhelming. Maybe you don't want somebody to see your location or or to know that who you're posting to or certain things. You can hide this site. Stay safe online. They offer ways to help you lock your app down, I guess is what it is. I mean, everything from video sharing apps like Netflix and those kinds of things and a lot of different banking apps talks about how to lock your privacy down there or how to find the settings and how to get to them.

Katie:
And what about the future of cybersecurity? Where do you think we're going? I mean, I know it's all speculative, right? But what do you think the future holds for for how quickly technology's.

Rob McQueen:
Moving, You know, with self-driving cars, refrigerators, with wi fi, that kind of thing. Everything's connected now, everything. And it's not stopping anytime soon. And with the advance of now 5G technology and really, really strong good bandwidth interconnectivity is going to keep going. So the challenge in that is how to protect it. I mean, the Internet really wasn't designed to be safe. It was just meant for a couple of computers to talk to each other and grew from there. So we're kind of bolting on security after the fact almost. So the future is in automation, really. It's in automated processes. You know, cars drive themselves, like I said. So and security should do the same thing. You should automate the movement of data when you can just take some of the risk out of it, some of the potential for misconfiguration with with the amount of technologies out there and the amount of risk there is to other people getting the data. You know, at this point, I would say I would tend to say some people are just pretty much it's like it's no big deal anymore. Oh, there's another data breach. So it happens weekly now, but it is still a big deal. You just got to keep making those risk based decisions. It really comes down to the decisions people make about how you implement tools or the technologies that you use. People are always going to be a part of this, like it or not. But when you can automate some of the decision making based on risk, that's really helpful.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp3 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you'd love including automated translation, transcribe multiple languages, enterprise-grade admin tools, world-class support, and easily transcribe your Zoom meetings. Try Sonix for free today.