
Cybersecurity Awareness: Tips To Protect You and Your Data

This document provides cybersecurity awareness tips to protect users and their data. It discusses the importance of cybersecurity awareness training, patching devices regularly to address vulnerabilities, backing up data to protect against ransomware, using strong and unique passwords for all accounts, and enabling two-factor authentication for additional security. The tips aim to help reduce cybersecurity risks for individuals, employees, businesses, and others.

Uploaded by

Hemant Dusane

Cybersecurity Awareness
Tips To Protect You And Your Data

CONTENT BY
www.treetopsecurity.com
From the makers of Peak. Protecting small businesses using affordable, comprehensive, and common sense defenses.

PRESENTED BY
DALLAS HASELHORST
FOUNDER/OWNER, TREETOP SECURITY
GSE #231, MSISE, CISSP, SANS/GIAC(X9)
TreeTop Security - CAT - v1.0
# whoami
● 20+ years of IT & cybersecurity experience
● Consulted for companies all over the US
● Multiple computer-related degrees from FHSU
● Master’s degree in Information Security Engineering from the SANS Technology Institute
● Alphabet soup of security-related certifications
○ CISSP, GSEC, GCIH, GCCC, GCPM, GPEN, GMON, GCIA, GWAPT, GSE #231
● Co-organizer of BSidesKC security conference
● Founded Sicoir Computers in 2003, sold in 2016
● Lead design on Peak, the SMB cybersecurity platform
Overview
Why security awareness?
Patching your devices
Backups are a must!
Passwords
2-factor authentication
Internet safety & email
Privacy concerns
Phone scams
Why is cybersecurity awareness important?
Awareness training is a must!
● Technology alone cannot protect you from everything
● Attackers go where security is weakest
● People -> a link in the chain & maybe the last line of defense
● Essential to reducing cybersecurity risk
● Cybersecurity awareness is for...
○ Employees
○ Business owners
○ Parents
○ Kids
○ Seniors
○ Everyone!

Reminder: Many tips that keep you safe at work will also keep you safe at home!
But an attacker isn’t interested in me...
Wrong!!! You are exactly what an attacker wants!
● Credit card and financial data
● Medical data
○ Prescription, insurance, or identity fraud
○ Far more valuable than financial data
● Computer resources
○ Cryptomining
○ Advertising
○ Ransomware
○ Jump point
● User or email credentials
○ Sending spam
○ Recovery/reset other accounts
○ “More” access
HELP!!! Ways to protect yourself!
Backups
● NO level of protection is perfect
○ Backups are frequently overlooked
○ Only “guaranteed” protection against ransomware
○ Backup media should not be connected at all times
● If you back up, have you tested your backups recently?

35% - Users that have never backed up
20% - Users that back up yearly
14% - Users that back up monthly
6% - Users that back up daily
Updates are essential to security

• What was secure yesterday may not be secure today
• New software vulnerabilities found every day
• Over 360K new malware (viruses & ransomware) released every day
• Nothing is “Set & Forget”

Keeping your system up-to-date
● Operating Systems
○ Microsoft Windows, Apple MacOS, Linux
○ End of life? Windows 7 - January 2020
● Anti-virus
○ Update to the latest definitions to ensure protection against the latest threats
○ Symantec/Norton, McAfee, Windows Defender, Avast, and many others!

Don’t forget!!!
● Browser - your portal to the internet
○ Chrome, Firefox, Opera, Edge, Safari, etc.
○ Internet Explorer (Not recommended)
● Mobile devices - cell phones & laptops
● Internet of Things (IoT) - Alexa, Google Home, thermostats, doorbells, surveillance system, light bulbs, smart locks, pet feeder, health monitors...
This could keep going forever!

All About Passwords

Managing Passwords
● Keep your passwords in a secure location
○ Don’t use paper or sticky notes
○ Don’t store passwords in clear-text on your computer - Word, Excel, etc.
● Utilize a password manager (aka vault)
○ LastPass
○ KeePass
○ 1Password
● Benefits of a password manager
○ Single password to remember them all
○ Encrypted storage of passwords
○ Auto-fill username/password on websites
○ Sync between desktop, laptop, and mobile
Password Tips
● Avoid using items that can be associated with you
○ Address
○ Phone numbers
○ Pet names
○ Child names
○ Birthdays
○ Sports teams
● Separate passwords for every account
● Auto-generated, unmemorable
Possible with a password manager

69% - Passwords shared with colleagues
95% - Passwords shared with household
59% - One password for all accounts
86% - Passwords are too “simple”
Passwords vs passphrases
● Useful when passwords must be typed in
● Should not be easy to guess
○ 12 Characters or more
○ Length is better than complexity (passphrases)
○ Bad password (8): P@ssw0rd
○ Great password (24): MysonwasbornNovember1995!

61% - Passwords exactly 8 characters
9.6 - Average length of password
6.1 - Average number of lowercase letters
0.2 - Average number of special characters
Top 25 passwords by rank & year
Rank  2017        2018
1     123456      123456
2     password    password
3     12345678    123456789
4     qwerty      12345678
5     12345       12345
6     123456789   111111
7     letmein     1234567
8     1234567     sunshine
9     football    qwerty
10    iloveyou    iloveyou
11    admin       princess
12    welcome     admin
13    monkey      welcome
14    login       666666
15    abc123      abc123
16    starwars    football
17    123123      123123
18    dragon      monkey
19    passw0rd    654321
20    master      !@#$%^&*
21    hello       charlie
22    freedom     aa123456
23    whatever    donald
24    qazwsx      password1
25    trustno1    qwerty123

If you use any of these, change them NOW!!!


Source: Gizmodo & Fortune
2FA - two-factor authentication
● What is 2FA?
○ “Beyond” a username and password
○ Second form to prove it is you
○ Typically out-of-band
● “Your one-time code is…”
○ SMS
○ Phone Call
○ Phone pop-up
○ Email
○ Snail Mail
○ Carrier Pigeon
● Applications
○ Google Authenticator
○ Authy
Just A Little Click

Is the link safe in 4 steps

1. Verify
Were you expecting to receive a link?
○ Not just email!
○ Social Media
○ SMS/iMessage
2. Hover
Hover over the link to ensure that it leads where it says it does
3. Sniff test
Is it a site you recognize? Does it feel “familiar” to you? Be skeptical my friends
4. Click
If it passes the three previous tests, it should be okay to browse to

Easy to recognize email example

Red flags?
○ Viagra <- ?!?!?!
○ Strange wording
○ Email address
○ Domain name
○ Expected email?
○ Interesting link
Known email account example

Hacked or spoofed email from someone you know

Red flags?
○ Email address ok
○ Name ok
○ Odd “signature”
○ Expected email?
○ Link - .fr is France

SMS “hidden” link example

Hacked phone of someone you know

Red flags?
○ Phone number ok
○ Expected text?
○ Domain is textwon.com, NOT apple.com
Source: Sophos
Hover before you click
● Why hover?
○ Blue text can be deceiving
○ Underlying URL may be different
○ Foreign domains - .uk, .cn, or .ru
● Numbers instead of letters
○ Example: 192.168.1.1
○ Don’t trust it!
● Hover on mobile/tablet?
○ Long press (hold)
● Any doubts? Don’t click it!!!
[Images: Desktop - Hover, Mobile - Long Press, showing http://www.evil.com/]
Hover example

Red flags?
○ Email address ok
○ Name ok
○ Expected email?
○ Sense of urgency
○ Hover -> Not a Microsoft link
Shortened or obfuscated links?
● Instead of 300 characters, the link is reduced to 15 characters
○ Bit.ly
○ TinyURL
● Extremely common and helpful, but...
● Abused by criminals to hide malicious websites

Link expander
www.linkexpander.com
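
The hover check from the slides above, automated for a message body, as an added example that is not part of the original deck: it compares each link's visible text with the host its href really points to, and flags numeric hosts, the country TLDs the slides mention, and the two shorteners named. The function names, the watch lists and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}  # the two services the slide names
WATCH_TLDS = {"uk", "cn", "ru", "fr"}   # country codes the slides mention (assumed list)
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def norm(host):
    return re.sub(r"^www\.", "", (host or "").lower())

def flags_for(href, text):  # what the link shows vs. where it really goes
    host = norm(urlsplit(href).hostname)
    shown = DOMAIN_RE.search(text)
    shown_host = norm(shown.group(1)) if shown else host
    checks = {
        "text-mismatch": host != shown_host and not host.endswith("." + shown_host),
        "ip-literal": host.replace(".", "").isdigit() or ":" in host,
        "country-tld": host.rsplit(".", 1)[-1] in WATCH_TLDS,
        "shortener": host in SHORTENERS,
    }
    return [name for name, hit in checks.items() if hit]

class LinkAudit(HTMLParser):  # collects (href, visible text, flags) per <a>
    def __init__(self):
        super().__init__()
        self.results, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.results.append((self._href, text, flags_for(self._href, text)))
            self._href = None

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.results

# Constructed sample message body, not a real email.
SAMPLE = """<a href="http://www.evil.com/">https://www.microsoft.com/security</a>
<a href="http://192.168.1.1/login">Reset your password</a>
<a href="https://bit.ly/EXAMPLE">View invoice</a>
<a href="https://docs.example.fr/file">Shared document</a>
<a href="https://www.treetopsecurity.com/CAT">treetopsecurity.com/CAT</a>"""
```

Calling `audit(SAMPLE)` returns one `(href, text, flags)` tuple per link; a flag is a reason to stop and look, not a verdict, and a link with no flags still has to pass the "were you expecting it?" test.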

More email attacks
92% of malware is delivered by email

Source: CSO Online
Email Attachments
● Stop & think before you click!
● Recognized sender?
● Expecting attachment?
● Is it normal for that contact to send attachments?
[Image: Attachments in Microsoft Outlook]

Macros
Enable Macros <- NOOOOOO!!!!
● Step 1: Don’t do it!!!
● Step 2: See step 1
● Found in downloaded files too

Other Email Scams
[Images: Wire transfer, Gift Card Scam]
● Can be “non-technical”
● Spear phishing & whaling
○ CEO <-> CFO
○ Published organization chart
○ Policy requiring phone call?
● What they want
○ Gift & prepaid cards
○ Wire transfers / account info
● Sense of urgency

Technical safeguards cannot help


Reach Out & Scam Someone

Phone Scams
● Social engineering, what is it?
○ Make the caller provide verification
○ Call back a published number
● Phone numbers can be easily spoofed
○ Banks & credit card companies
○ Medical & insurance
○ IRS or past due account balance
○ Robocalls
● Other common phone scams
○ Grandparent Scam
○ Tech support - Microsoft, Apple, Dell, etc. will never contact the average user “out of the blue”
Phone scam example
Hi! This is Kathleen from Microsoft. We have been trying to get in
touch with you. However, we will be disconnecting your license
within 48 hours because your IP address has been compromised
from several countries. So we need to change your IP address and
license key. So please press 1 to get connected…

Red flags?
○ Sense of urgency
○ Purposefully confusing
○ Expected call from Microsoft?

Technical safeguards can only do so much...
That’s why security awareness is a must!
General Tips & Privacy

USB Drives & More
● Do NOT connect unknown or unauthorized media (or devices)
● Programs can run when plugged in without you doing anything
● Examples
○ USB/flash drives
○ SD or micro SD cards
○ CDs or DVDs
○ External hard drives
○ Cell phones <- Often forgotten
Encryption
● Can help protect your data
● Can also help an attacker, e.g. ransomware
● Protecting data sent or received
○ HTTP vs. HTTPS
○ Wireless -> WPA2 (AES) recommended
● Protecting devices
○ Helpful if device is lost/stolen
○ Often associated with phone PIN/passcode
○ Microsoft Windows - BitLocker
○ Apple MacOS - FileVault
Internet Safety Quick Tips
Do NOT assume a site is legitimate simply because of the green padlock
● Never install anything based on a pop-up when visiting a website
● “Trusted” websites can & have hosted malware, aka malvertising
○ Local news
○ WSJ, Forbes, ESPN, Yahoo, etc.
○ Limit browsing to business relevant sites?
● Be careful using Wi-Fi hotspots
● Avoid public computers
● Social media links - Facebook, Skype, Instagram, & more!
Internet Privacy
● Data is the new gold -> your data is valuable!
● If you’re not paying for it, are you the product?
○ Data analytics & predictive results
○ Examples: advertising & insurance rates
● Are you oversharing?
○ Default privacy settings on social media
○ Vacation photos & “checking-in” (location sharing)
■ Thieves see that information also
■ Would you be comfortable telling people on the street?
More Resources
● Don’t stop here!
○ Attacks change, continue learning
○ Help educate others
● When in doubt, ask questions
○ Your IT department?
○ Your IT provider?
○ Me?
● Additional Resources
○ SANS Ouch! Newsletter (free)
https://www.sans.org/security-awareness-training/ouch-newsletter/
○ TreeTop Security - Cybersecurity Awareness Training (free)
Feedback, awareness quiz, training dates, slides, video
https://www.treetopsecurity.com/CAT
Questions?

https://www.treetopsecurity.com
Ask about Peak. The only comprehensive and affordable cybersecurity platform for small businesses.

785-370-3444
Dallas Haselhorst
dallas [at] treetopsecurity.com
