The Langley Files podcast, FILE 017, features the CIA's Chief Information Security Officer, Jennifer Link, who discusses her background and how she goes about keeping herself cyber-safe in everyday life. From mystery phone calls and online pop-ups to the growing world of cyber-enabled home appliances, this is an episode chock-full of CIA cyber safety news you can use.
At the CIA, the Chief Information Security Officer is wholly responsible for the cybersecurity of the agency's data and its information systems. The goal is to ensure the resiliency and the survivability of the mission that we're responsible for by:
- understanding what all the devices are on every single one of our fabrics
- understanding what the health of those devices is, working to ensure that they are kept up to date
- being responsible for assessing systems to understand what new risks they may bring into the environment
- working closely with system owners to ensure that they have an understanding of what cybersecurity policies are in place, understand what cybersecurity risks there are, and then work to balance that risk to ensure the agency is meeting its need
What would a CIA Cybersecurity Specialist do in the following situations? This Q&A is a combination of quotes and summaries derived from the podcast. Take a listen sometime, as it's a fun way to learn a lot:
- Q: Internet of Things (IoT) device applications can be downloaded from your app store or a website you have used before. Can you trust the security of those applications? A: NO. Think of smart devices, sometimes referred to as digital assistants, like Alexa or Google Home modules, light bulbs, plugs and thermostats. All of these devices come with their own set of benefits but also challenges. There is some risk that comes with them. If you're installing apps on your phone, you need to understand where that app comes from. Read the Terms of Service and the Privacy Policy to learn where the app is created and published, and how much information they are collecting about you! Many apps require way too much information, downloading your contacts, location awareness, your browser history, which has nothing to do with your devices! Think about understanding the company, where the information is being stored, and how long it's being stored. Sounds like a pain, but you will have to put in the time when your data is stolen as a result of some nefarious app or something that you didn't bother to check in the beginning.
- TAKEAWAY #1: READ THE PRIVACY POLICY AND MANAGE THOSE SETTINGS APPROPRIATELY.
- Q: Most of your devices are connected to your home network, so as long as you have a basic password and all of your family and friends who regularly visit have access to the password, there shouldn't be any security concerns, right? A: ABSOLUTELY NOT. The days of basic passwords are well behind us. A cyber actor with a relatively low level of knowledge or sophistication can crack passwords now. Very complex passwords need to be established for your Wi-Fi systems. For many, you may have a Wi-Fi router that you got from your telecommunications provider. It probably has a standard password on the back. The recommendation is that you change that to something that is very complex. And, in the same way that you may have one Wi-Fi network in your home, imagine having one room in your entire house and you do everything in that room. It might serve a purpose for a brief period of time, but as you have different living experiences, that's no longer sufficient. Best practice is to set up different networks for each purpose. For example, IoT devices can only communicate with a designated Wi-Fi network for IoT. A separate network for guests may contain restrictions on what sites they can go to and what they can download. Other networks can serve work and family members, as a way of segmenting the different activities.
- TAKEAWAY #2: USE COMPLEX PASSWORDS AND CREATE DIFFERENT NETWORKS FOR DIFFERENT USES.
- Q: You pick up your tablet and start scrolling and all of a sudden, a pop-up comes up from your browser telling you that there's a virus and you need to click on this link right now, or all your files on that tablet are going to be deleted. You're pretty sure you're up to date on your antivirus on your device and you're pretty sure that no software updates were shown to you or needed to be installed. Should you be clicking on that pop-up link? A: ABSOLUTELY NOT. This false sense of urgency really drives quick behavior without thinking. Best to pause and think: do I really need to click this link, and does it seem strange to me? Clicking the pop-up link is a huge security risk even if your device is secure; these are often referred to as phishing attempts. Sometimes we get emails, sometimes a pop-up like that. This is a pretty typical way that a cyber criminal is going to design a way to essentially scare you into taking action and leave your critical thinking skills behind. That link is going to most likely lead to some sort of malicious outcome. It's going to be a redirection to an unsafe website. It might actually result in the encrypting of your data that's on the device through some sort of ransomware, where a cyber actor demands payment before releasing that data back to you. This is why backups are so incredibly important even today. It's also important to remember that security doesn't mean impenetrable. They only have to be right once, and we have to be constant in our vigilance in terms of making sure that our devices are protected and up to date. We all bear the responsibility to ensure the health and safety of the tech that we use.
- TAKEAWAY #3: THINK BEFORE YOU CLICK, KEEP YOUR SOFTWARE UP TO DATE AND MANUALLY CHECK THOSE UPDATES.
- Q: You're about to head out the door when your phone rings. Now, it looks like a number from work, but you're not sure. Do you answer that phone call or do you let it go to voicemail? A: Let that call roll to voicemail! Especially with the age of AI that is upon us, where someone with very small pieces of information, audio or video, can take that information and really use it for malicious purposes. It's really important NOT TO SAY HELLO first, but stay silent. Impersonation is on the rise for sure, not just of the person who's calling you, but using your information to potentially impersonate you later on. If you're getting phone calls from numbers that you don't recognize, best to block that number.
- TAKEAWAY #4: LET CALLS FROM UNKNOWN NUMBERS GO TO VOICEMAIL, BE WARY OF SPEAKING FIRST, AND BLOCK SUSPICIOUS NUMBERS.
- Q: What are you conscientious about with this new AI technology and how our mobile devices are continually adapting? A: One of the things that is concerning is also one of the things that we appreciate about our device, and this is the mass amount of storage. Your information is no longer just local to that phone; it is being stored in the cloud, wherever that might be. So, that means your information is in places where you may not understand where that information is being stored. Understanding the privacy policy of the applications that you download, understanding where that data is being stored, who has access to it, and who maintains persistent access even to information that's on your phone is incredibly important. If you download a free app to use, then you are the product. They are selling you, they are selling your habits. They are selling your data. Be mindful of when we use that app, deciding when it does make sense to use this kind of technology and when the risk is simply too great. It all goes back to cybersecurity practices: keeping your software updated, reviewing and managing data sharing settings.
- TAKEAWAY #5: BE MINDFUL OF WHAT INFORMATION YOUR APPS HAVE ACCESS TO, CONSIDER CHANGING THOSE SETTINGS AS APPROPRIATE AND UNDERSTAND THAT INFORMATION MIGHT BE STORED OUTSIDE YOUR DEVICE.
- Q: Is there ever a situation where you might be concerned that something suspicious is happening with your phone? Are there signs that you look out for or steps that you take when something just doesn't seem right? A: YES, ABSOLUTELY. Sudden or drastic changes in your battery drain could be a sign that your battery is actually being used or drawn from by apps that you may not be aware of, because maybe there was a malicious link that was clicked without you intending to do so. There may be apps or malware consuming those resources, you might have unexpected data spikes, or apps that frequently crash or freeze on you. Deleting the app and re-installing it, and rebooting your phone, are great options. Unexpected pop-up ads or redirects are another sign that there might be an actor that's trying to push you to click on or to go to a particular site. Strange noises and vibrations can also be a sign of poorly designed malicious code.
- TAKEAWAY #6: WATCH OUT FOR ABNORMAL PHONE BEHAVIOR, WHEN IN DOUBT, REBOOT AND REINSTALL APPS THAT ARE ACTING STRANGE.
- Q: You head to your favorite Internet browser, search for an item, and click on the link of a site that looks legitimate, but you notice the URL or web address seems a little different than what you would have expected. This is probably just some update done to the official site, right, and you can continue with your purchase? A: NO. You have to trust your gut with things like this, especially if something seems off, you know, something that's counterfeit. A malicious actor, a cyber actor or scammer, wants to be as close to the real thing as possible. They want you not using your critical thinking skills, not pausing; they want you to click, click, click. We have actually seen a rise in "sponsored links" actually being malicious links. We see some interesting misspellings in URLs often. There might be an extra period, extra dash, extra odd character. You have to be mindful that your banking information is valuable for that third party. Not using your debit card as an example, not using things like routing and bank account numbers. Certain pay methods like Apple Pay and Google Pay do provide some level of anonymity.
- TAKEAWAY #7: BE CAREFUL ABOUT SHARING FINANCIAL INFORMATION, GO STRAIGHT TO THE OFFICIAL SITE, BE WARY OF MISSPELLINGS IN URLS THAT MIGHT BE REDIRECTING YOU TO A MALICIOUS SITE.
- Q: How about your kids and older family members, who may not be cyber aware? How can we help our family stay safe online? A: Parental control software has become really popular in the last few years. Have long conversations about what is allowed and not allowed on a device. Do your due diligence on what settings are available on that tablet that we could use to help our family make good decisions. Many operating systems have taken significant steps in terms of limiting what content is available, whether it's age restrictions, keyword content, not loading certain websites like gambling websites, inappropriate content, high levels of violence, things like that. We need to instill in them a deeper understanding and appreciation for what is out there and how they need to take responsibility for that on their own. It's best to impress on your kiddos what not to share, like never sharing your true name on social media platforms, never sharing personal information like the name of the school you go to, the grade that you're in, what your gender is, what your school mascot is. Don't take photos of any person and upload them to the web.
- TAKEAWAY #8: CONSIDER PARENTAL CONTROLS FOR KIDS OF ALL AGES AND BE VERY CAREFUL ABOUT WHAT INFORMATION ANYONE POSTS ONLINE, ESPECIALLY PHOTOS OR CLUES TO WHERE YOU LIVE OR WORK.
- Q: There are these audio and video scams that have been occurring the past couple of years where people might receive audio or video via social media or even direct messages (DMs) of what sounds or looks like a loved one asking for help or needing assistance. What are your thoughts on these? A: Audio and video scams are definitely on the rise; this is one of the ways we see AI being misused in some cases. It goes back to the importance of keeping your social media private for sure. Understanding what the settings are on your social media accounts and understanding who can gain access to that information is one way to help minimize the likelihood of something like this happening. Recently, there was a Facebook video scam going around where it seems like a friend is contacting you via a video call asking for help. As it turns out, it's really just a video that's been pre-recorded based on some publicly available information through social media accounts. It's a reminder that our social media privacy settings and what we choose to share through those outlets really can become input for malicious actors who are looking to either get us to click on something or to take an action. Just remember that is a possibility. You may get messages from friends or family saying, hey, I need to text you this code, I'm trying to recover my email account. That's another way cyber actors try to gain access to people's data. Don't agree ever to receive codes or share codes or click on a link. In order for scammers to gain access, they have to trick you into sharing that code with them so that they can essentially take over your account. Best to just call the person directly.
- TAKEAWAY #9: DON'T AGREE EVER TO RECEIVE CODES, SHARE CODES OR CLICK ON A LINK. CYBER ACTORS ARE TRYING TO GAIN ACCESS SO BE CAREFUL.
- Q: It's the end of the day and you're sitting down to watch TV, but is the TV watching you? A: Probably in some way. It's interested in your watching habits. Remember that data is being collected about your habits. It's a reminder too that devices like TVs, smart speakers and things like that also have to be updated.
- TAKEAWAY #10: REMEMBER THAT DATA IS BEING COLLECTED ABOUT YOUR HABITS AND BE SURE TO UPDATE ALL YOUR DEVICES LIKE TVs, SMART SPEAKERS AND THINGS LIKE THAT.
Check out my first newsletter, edition #1, for another episode of The Langley Files. File 015, Spies Supercharged: Talking AI and Digital Innovation at CIA, is a fascinating and informative listen featuring CIA's Deputy Director for Digital Innovation, Juliane Gallina, and CIA's Chief Artificial Intelligence Officer, Lakshmi Raman. Both Juliane and Lakshmi share their origin stories, inspirations, and how AI will help protect America from threats around the world.