Listen to U.S. Bank experts share their insights into unique cyber risks in your smart home.


Cyberfraud – work smart in your smart home

And with that, I'd like to welcome everybody to our March webinar focusing on the important topic of cyberfraud work smart in your smart home, hosted by your U.S. Bank Global Treasury management partners. My name is Brianna Dunn and I'm from U.S. Bank's global Treasury management learning and development team and I'll be moderating today's webinar. Now, before we go ahead and get started I-- as per usual, I like to typically introduce our speakers which today is Nina Hanselmann and David Morris. Nina is a working capital consultant who brings 25 years of financial expertise in treasury management within senior roles in sales management, payments product development, strategic partner alliances, and correspondent banking. Here at U.S. Bank she provides clients with counsel and thought leadership around business process optimization.

David Morris is our additional speaker today and is our cybersecurity executive here at the Bank. In his role, he's primarily responsible for managing the cybersecurity exercise program and leading activities to help teams be better prepared in responding to cyber incidents as well as protect customer assets. And prior to joining U.S. Bank David was the chief technology officer for the state of Washington's office of cybersecurity where he managed teams focused on response, threat intelligence, and digital forensics. He has more than 15 years of cybersecurity experience and training with expertise and certification in cloud security, incident handling, digital forensics, and ethical hacking. And as you all, I'm sure-- we're very excited to have these two individuals leading today's conversation.

Just a quick few final notes about today's format. First, all participants have been placed in listen-only mode to prevent any background noise. Secondly, we will be using audio, PowerPoint, and polling to support today's webinar. So just a quick heads-up, when using the polls, we're actually going to be pushing them out using the right hand panel within your WebEx window. We will announce when we're sending the polls through the presenters. At that point in time, you will see the question with the options of responses appear on your right hand pane. Please go ahead and select the answer that most applies to you and then click Submit.

Now, polls do go pretty quick so it's good to stay alert and focused on your screen so that you don't miss out. And, lastly, we do invite each of you to please continue sharing your feedback with us directly following our session today using our post webinar survey. And that's going to pop up within your internet browser upon exiting today's call. So without any further ado, I'll actually hand it over to you, Nina.

Great. So to start off our discussion today we're going to send out our first polling question. And I designed this a couple of weeks ago. So not to be Captain Obvious, but with the current situation excluded, say a few weeks back, think about this question and please respond. So do you work remotely more now than you did five years ago? So as more of us utilize our devices to work remotely, whether it's from home-- previously hotels, coffee shops, even clients' offices-- the fact is that there is really no longer a bright line between business and personal cybersecurity. And so what do I mean by that?

So it's-- think about this. At what point does your organization's expertly architected security for mobile access to your network end and your personal or your home network begin? Very important question to think about. And so we ask David to join us today because I really wanted him to talk a little bit about his experience and his responsibilities here at the Bank with helping to protect our organization from the blurry line. So, David, could you talk a little bit about your experiences with this and where you are focusing your activities these days?

Sure, thanks, Nina. As Brianna mentioned, my main role here at the Bank is with the cyber exercise program. That is what I manage. So that's where we evaluate our detection response capabilities and to, in fact, we just had a big exercise yesterday that sort of sorting through all the details of-- and to remain objective in that role I'm part of the security awareness program. And so that's what we do with a lot of the education of the latest cyber threats and social engineering practices, and so this conversation's part of that. One of the fun things that we did was-- I designed and built a cyber security-themed escape room at our Strength in Security conference last fall. So--

Oh, yeah, that was a big hit.

It was. Yeah, it was super cool. It's fun. With security awareness you can be a little more creative. And then another role that I have here at the bank is with the executive security program and that's where we're talking about that blurry line. I developed and I oversee this for executors of leadership in their personal lives.

Huh? Can you tell me a little bit more about that because I bet people on the line are maybe considering something like that?

Sure. The threat landscape, of course, continues to evolve and it's changed to include attacks by criminals and nation states against industry and political leaders. And certainly we've seen this threat heightened in election years. And so our program was developed to analyze and defend against these risks that are specific to our executives and to their families. And it helps to ensure that they don't incur damage-- sort of personal brand damage as a result of either a targeted attack or just an attack of happenstance when they're at home or on the road. Because they work frequently from various locations and there isn't that bright line between their personal lives and their work lives.

That's true. That's true. So it seems, though, that there's been a lot of change from probably when you and I were kids. Who would have thought that we would all be able to work so easily from other locations besides our office?

Yeah. So the shift now, of course, is to look at getting your personal data-- because data is such a commodity-- outside of the organization because we've gotten pretty good at security in the organization. So look-- they're looking to commit fraud or generally monetize with that low hanging fruit wherever possible. So the simplest and easiest way is always the way they're going to look at first and foremost.

Now, we have these connected homes and our exposure is now much greater because our home has so many devices are connected to the internet. We have all these smart devices out there. And we were talking about sort of the past depiction of the current home in pop culture. And oftentimes pop culture talked about all these whiz bang things that were going on, but they never really talked about security.

And so this conversation about smart home and working smartly from your home is specifically about security and not necessarily about privacy. There's a lot of privacy concerns and I think that's a whole separate conversation. I often say that privacy and security, they're sort of two sides of the same coin. But we'll focus on security for this conversation.

So, yeah, when we're developing this, some of the fun things that we talked about-- past depictions that you may remember from pop culture-- there was a House of the Future at Disneyland in Tomorrowland that was sort of showcasing use of plastics and building and design. Their kitchen was touted to be able to cook foods by atomic energy and the dishwasher would clean the dishes with ultrasonic waves. One that's also popular-- depiction in the past was The Jetsons, this was aired in primetime in 1962 and it depicted the year 2062. George Jetson because of all the automation that they have, he just worked an hour a day for a two-day workweek because of the push button technology conveniences that he had for getting dressed, and eating, and all of those things.

And then sort of a Twilight Zone depiction of the future was one that my wife brought up with a smart house-- the Disney Smart House movie. This is a movie in 1999 where the family wins a smart house and they have that always-on virtual assistant. It gets tinkered with and, of course, mayhem ensues. And then one that I remembered was The Simpsons Ultrahouse 3000 that had the same sort of always-on virtual assistant. It was Pierce Brosnan, yeah, and--

Oh, yeah.

--Homer. Before everything melts down, Homer says, trusting every aspect of our lives to a giant computer was the smartest thing we ever did. And then, of course, all the problems happen.

Oh, yes. So when we think about all those things you just discussed-- I'm still laughing about The Jetsons in my own mind. I have a new puppy and I really would love it if I had that dog walker that George had. So how many things do you think that they got right, David?

Yeah, thinking about our current homes and where we sit with our devices, the one thing that they all wanted was automating meal preparation. You probably remember all the push button things and then the meal would pop out. But what they-- we might get there in 2062 [INAUDIBLE] time for The Jetsons vision to come true, but one thing in each of them that they had right-- the House of the Future, it had the variable lighting. We are seeing that. The Jetsons, you probably remember the robot assistant Rosie. There was a robot vacuum that was smaller that was very similar to a Roomba. And then they also had the flying cars. And at the Consumer Electronics Show this year we had the Hyundai car that was being used for the Uber air taxi that we showcased. With the Smart House and with The Simpsons, they had that always-on virtual assistant that could control the temperature, the lights, the alarms, wall displays. So that's something that I think they got right and we're seeing that.

So when we look at this, what really came to be? And I was thinking about this. Like, how quickly did that happen?

It's been quick, really, since the advent of the smartphone. The smartphone was used as that hub for controlling various devices. And once the smartphone became ubiquitous with everyone, we're seeing more and more of these devices. And then, in the last few years, we've seen that shift from the phone and controlling it by hand to controlling it with virtual assistants by voice, so exponential increase in the number of things that are being put out for consumers and simplicity of using your voice to be able to control these.

So we've got this depiction of a modern home. And a recent Deloitte study found that, on average, there were 11 connected devices in every home. I've seen this in just looking at other research that it's been as high as 20 connected devices in other homes. And so Brianna if you won't mind, we have a poll that's ready to go.

How many devices, just generally speaking, do you have in your home? And if you don't mind, I'm very curious to see what the numbers are here. So Nina, if you wouldn't mind, while people are doing the poll, answering, kind of walk us around some of the devices that we have in this house.

OK. So first of all the view is great. It's not like at my house. But I imagine you could probably even virtually do that, as well. But take a look up there at the top.

We've got lights. And that lighting is able to be controlled from a smart device hub. So it's no longer clapping your hands. You can just have them set up or you can tell them to turn them on or turn them off. The television-- fairly simple there, but that streams content and it browses the internet for you. I mean, like a Fire Stick, you can just tell it what to do.

The speaker there that's sitting on the table, that plays music. Right? But also, it could be integrated with the virtual assistant. And that personal assistant provides information.

I can ask her in the morning about what's the weather, what's the news. And I can have her turn on my music, on my Sonos, those types of things. So it controls those smart devices.

Over there on the wall, think about the thermostat using sensors to determine if the home is occupied and also for temperature control. So I'm guessing with those windows there, that might be a challenge to keep the house at the proper temperature. Another thing there is that smart telescope. And they're using that for galaxy tracking.

So Dave, what was that article you sent me the other day about the candle? They had a Kickstarter for a smart candle. But actually, I really don't think, well, no security threat there, right? I mean, just might light the house on fire.

It wasn't an LED candle. This is an actual flame-based candle. So yeah.

Yeah. That was weird.

No security concerns there. Are you close? I've seen a lot of people 10 plus, 5 to 10. Where are you on this scale? Are you closer to 11 or are you closer to 20?

I'm over 10. I'm at 13. And it keeps multiplying, because I have generous children that bring things to me to try out. So is that 13-- is that average?

I think although the poll showed 11, I think we are somewhere well ahead of that. And clearly there's an insatiable appetite for automation in the home. And some of the things that are in the pipeline are depicted in this screenshot here.

Gartner famously, in 2010, estimated that there would be 50 billion internet of things devices, or these smart devices, here in 2020 and a 50-fold increase in the amount of data as a result. And the point here is that all these technology advances, they're great. They make our lives easier. They provide us with information and services at our fingertips.

But of course, it broadens our attack surface and opens us up to more vulnerabilities. Brianna mentioned that I have some offensive security training and certification. And as someone of that mindset, sort of that hacking mindset, they're always looking to move from cyber to physical. CtP is often mentioned. And in 2017, the FDA recalled 500,000 of these internet-connected pacemakers over that same fear-- that they could be hacked.

So these products continue to come out. In some cases, they're minimally viable products. But in this screenshot, I'll just talk through a couple more that are in the pipeline here as these things continue to roll out.

There's smart doors that have facial recognition as part of them. Water purifiers that have leak detection. The fridge now has an internal facing camera that tracks your food items and suggests recipes.

We talked about Alexa and other voice assistants being integrated with the speakers. There's now smart shower heads that have lights and a speaker.

Are you kidding me?

And you can sort of call out what song you want to play and go ahead and do your bad karaoke from the shower.

And if you don't have a virtual assistant in all of your rooms in your home, now they have them on a ball, almost like the BB8 in Star Wars. It will roll and come to you.

So they have Ballie that's out there. Yeah, Google that. It's B-A-L-L-I-E. It's kind of a fun one.

So of course, with all these things, they're great. But you have to balance. There's a trade off, of course, with security.

And these things have grown organically in homes over time. And as you mentioned, oftentimes without careful planning for being able to balance that security. They just sort of come with birthdays and Christmases and sort of other remodel opportunities in your home-- slowly, but here they are.

Yes. So they do all sound great. I'm really liking some of these ideas. A smart refrigerator really would have saved me a lot of time when I had those four kids at home. And so they all sound great. But let's talk a little bit about what are the risks for this situation?

As I mentioned earlier, because our enterprise systems have gotten stronger, the criminals are now focusing on this as the easy path. And I don't want to talk about this being a type of panic. But just be aware and be cautious with all these devices in your home.

It used to be really simple when you had two or three computers, and you knew what you had. But now you have 15 and 20 and 10 plus from a lot of people online. So in 2019, when we really had some of this data, there were three times as many attacks in the home in the first half of 2019 as there were in all of 2018. So we're seeing this parabolic curve of this uptick in attacks and targeting the homes.

And oftentimes your home, it might have more devices than some small businesses. But there's limited security there because you didn't have someone to come and help you like a small business might. And these threat actors are looking for your data, of course, each group, like a nation state or a financially motivated individual, they have different motivations.

But in most cases, I would say they're looking for fraud. They're looking to use your sensitive data for their financial gain in some way, shape, or form. Now these smart devices, IoT devices, there's a lack of maturity with some. I'm generalizing, obviously-- some, but not all. They just don't have that capability like your phone does to get patches and updates on a regular cycle.

And in some cases, they have embedded vulnerabilities in both the hardware and the software. And as we were talking in that last slide and mentioning the refrigerator, there's also smart washers and dryers that are out there and that smart barbecue that my friend has that I'm very envious of. Some of these products that are out there you don't refresh them very frequently like maybe you would your phone.

You have your phone for sometimes two or three years, I'd say, on average. But how often do you replace your fridge? And how often do you replace your washer and dryer-- much longer.

And when you think about these things now being internet connected, they may not have a support for the software that's in them after a certain point. And so they become highly vulnerable. And I've seen in research that it's estimated that 80% of the products are vulnerable just that ship.

In the fall of 2016, there was an attack on Dyn DNS. And you may not know them. They're a name provider for a lot of the big services. That name provider was attacked by security cameras and cameras and baby cameras and things like that because there's some code that was out there that talked about embedded hardware vulnerabilities in these devices.

And so Dyn DNS took the hit. And therefore, people couldn't get to Amazon and Netflix and Microsoft Xbox 5 and some things that we use as consumers. And so that was a pretty big thing, all from these small cameras that are in the homes.

I do remember that. I do remember that. And that video that went viral?

Yeah. As we were developing this webinar, I remembered seeing on The Today Show that there was a security camera breach. And a video went viral where a child was being told by the person on the other end of the camera that Santa was watching them. And it was really creepy.

And in fact, just a couple weeks before we put this out, there was a popular brand of smart lighting that showcased [INAUDIBLE] from attacking the smart device to getting to the home network. And so that was also published just a few weeks ago.

OK. So now I almost want to disconnect all 13 things. So what can we do? What can I do?

Because at work, we have people helping us. We're on the front lines. But we're aware of what we need to do at work. But at home, now we're on the front lines, as well. So what do we do?

You have to start by practicing that good cyber hygiene in your home. And all those devices, you have to be aware of. The easiest thing to do is start with your network. Because everything is going to go through your network.

So here's where you want to really take a look at your Wi-Fi security. And for me, as someone who has that mindset, when I'm out and about and I see that someone is broadcasting a Wi-Fi ID or SSID of a default router name, I know they haven't fiddled with their security settings at all. So that's the first one I'm going to look at to try to see if it's open and I can get into it.

So simple things are to change your network name, change your default passwords. If you can on your wireless devices, set up a guest network. So treat all these internet of things devices as guests in your home, just like I would invite one of my friends over. You know, they're a friend of mine. I trust them.

But I'm not going to let them onto my internal security zone, so to speak, my personal information with them. So do that same mindset with your internet of things devices, especially knowing how vulnerable a lot of these are. Put them out on your guest network and reduce the abilities for people to make that jump to your personal home network.

Dial down the signal strength on your Wi-Fi antennas to just your home, so people aren't able to connect outside of your home. This is tricky. Obviously, not everyone has the same living situation. So people have apartments or condominiums, and that gets a little tricky. And just make sure that those things are being patched regularly.

Start with the network first. Then move to all the devices that are connecting to it. Ransomware is a big thing in the homes. People just shotgun blast out ransomware to try to encrypt data and then hold it for ransom.

The best protection is to have good backups. So make sure you have good backups. You can store that on external media and put it in a safety deposit box outside of your home, which is what I do because I'm a security person and feel very hesitant with some of these cloud-based services out there. [INAUDIBLE]

Or you can do the cloud-based services that I mentioned. There are some very good ones out there that you can use. But that's the best thing. And then focus on your device security.

Do you need a special router in order to be able to set up a guest network?

Yes. It's not necessarily special. But I would say that most of the ones that are now out there for sale have that capability. And oftentimes, they can separate multiple wireless networks and make those available for you. So there's a lot of tools and sort of buttons and knobs now available at your fingertips with those.

I think someone said to me the other day that they had a network just set up for their kids. And they just shut it off when their--

Yeah. That's smart.

--end of time to be on that.

And for me, when we're looking at vulnerabilities in the home, talking about devices, now I came up as a gamer. And so when we're looking at vulnerabilities in the home, look no further than that gaming laptop or device in the house. Because as a gamer, we're always trying to tinker with things to get a leg up in our games. You can modify some code and have a better car, a faster car, those kinds of things.

So there's all sorts of code that are on these gaming laptops and gaming devices. And if possible, buy your kid a gaming device and keep their gaming off of the same box that you use for doing your accounting, your tax filing, your banking. Keep all of those things separate.

And then take a hard look at what's on that gaming device. And make sure you've got some good protections on it. And then, as we're talking about devices, these often come out of the box highly permissive. So you have to walk through and take steps to disable and harden those devices.

Make sure that automatic software updates are happening on them. And of course, keep an eye on how long in the tooth they're getting. They have an end of life, and end of support that may come up on you much sooner than you plan on using your fridge or your washer, dryer, things like that. So you really have to be careful with that.

I didn't even think of that. You know, we think of computers like pizza boxes, right? But if you don't use it very often, it's probably getting older. So you've got some of this old technology that's not supported. So what kinds of things are easily available to us, what kind of tools?

Here's a short list of some really nice things that I think you can use quickly and easily and at no cost to really raise the bar in your home. One of the things that I like to tout is Quad9. It helps with blocking out bad sites when it goes to resolve the domain name to the IP address.

So there's a guide that's available on quad9.net. You can walk through it and set it up in an instant and have free and private security on your network. So it's just a 9.9.9.9 setting for your DNS, domain name system, on your router. I highly recommend doing that, very quick and easy, no cost, also.

The Center for Internet and Security, if you want to know current threats, get newsletters, or advice-- they have webinars also, great topics each month. And you don't have to be a member to be able to get this information. So that's available from the Center for Internet and Security.

National Cyber Security Alliance-- they have a lot of free tools that they vet and keep an up-to-date list. With all of these internet of things devices in your home, you have to set up an account for them. And having 10, 20, and in the future, multiple more devices in your home, there's no way that you can keep up with having a smart and hardened password unique to each of those devices and just know them.

So take a look at this list. And go and find a password manager. If you don't use one already, I highly recommend that. I think, just with the amount of accounts that you have, that would be the way to go.

And it's suspected in the video that we talked-- or The Today Show broadcast of the children's camera being compromised-- it's suspected that that was because of a password that was being re-used. So if you have unique passwords, that's really encouraged. And of course, a password manager is the easiest way to do that.

And then, if you want to talk to your kids about cyber hygiene, Netsmart has some very nice animated two and three-minute videos that they can use to learn about their digital footprint, how to be careful when surfing the web, things of that nature. I highly recommend showing them some of those videos.

They're fun. They're not a whole lot different, some of them, from some of the cartoons they watch already.

You know, in addition to that, don't forget that there's a lot of live resources here at the bank to help all of you. The Treasury Management consultant, we're always making sure that they've got information at their fingertips to share with you. So I wouldn't hesitate to get in touch with them if you have some questions or thoughts.

If you have time, we're looking forward to having you join us again next month. We'll be having another webinar. It's always the third Thursday.

It'll be Thursday, April 16. This one is going to be talking about B-to-C payments and how the bill pay is evolving. So I think that's going to be very interesting, because there's a lot happening in the industry right now.

I want to thank everybody for joining us today. And I'm glad that you had an opportunity to respond to some of the polling questions and see what everybody else is doing. And the four people who have 20 plus, you probably knew all these things that David talked about today already. But if not, I bet you that that list of tools would be very helpful.

So thanks again. And David, as always, you make it really interesting to think about all the things that are happening in our life because of technology, not only at work, but at home. So everybody take good care of yourself. Stay safe. And we will talk to you next month.


March, 2020

Security guidance for your remote workers


Best practices for financial staffers conducting business at home.

Some companies have sound, well-established policies for treasury employees to adhere to when working remotely. But at others, the COVID-19 crisis has accelerated the migration to teleworking and left them less prepared.

U.S. Bank cybersecurity executive David Morris cites three areas of risk that financial managers should address with staff when they operate from home — data security, the physical security of their work devices, and workspace privacy. Here are best practices he suggests establishing for teleworkers in each of those areas:


Data security

Data security is the number one concern when employees work from home. “The biggest danger for the company comes from employees moving sensitive data from their work environment to their home environment,” Morris says.

A typical dangerous scenario? An employee working at home experiences a problem with his or her business laptop. To meet an end-of-day deadline, the employee transfers confidential or sensitive information from a trusted work device to a personal device to send an email or document to a customer, colleague or bank.

What’s wrong with that is once data leaves the confines of the work network, it’s more susceptible to being breached. The employee’s personal device operates outside of the organization’s security monitoring and control, putting this sensitive data at risk.

With that in mind, here are some important data security mandates for employees working at home:

  • Do not move work data to a personal device. A personal device is unlikely to have the security monitoring, encryption and hardening to keep this data safe. The exception to this general rule would be a case where the company has installed approved email software on an employee’s personal mobile phone, as part of a bring-your-own-device (BYOD) policy.
  • Do not use personal email to conduct work or transmit company information. For instance, don’t send documents to personal email so they can be printed.
  • Do not allow other individuals in your home to use your work computer for any reason.
  • Never use personal storage for company data. This includes personal cloud storage such as Dropbox and Box.
  • Never plug an unknown portable electronic media, such as a flash drive or DVD, into a company device.

Physical security

Employees’ homes don’t have the same physical controls in place as your office environment. This can put the physical security of work devices in jeopardy. Morris says employees need to be advised to screen-lock laptops when they are not in use and either keep them in secure storage or cable-lock them.

Workplace privacy

Each employee has a different living situation, with some living alone and others sharing spaces. Managers need to counsel employees that, when working from home, they need to be aware of their surroundings and keep sensitive information secure and private. The rules for maintaining a private workspace at home include:

  • Keep a clean desktop free of sensitive documents or written passwords.
  • Be aware of the sightlines inside and outside of your home for others to view information on your computer screen.
  • Make sure you don’t have any sensitive information visible in the background if you conduct video calls from home.
  • Establish privacy features in your home office, such as the ability to close a door to have private conversations.

Printing work materials at home is another area of risk to address with employees, Morris says. “Only print out work-related documents at home when absolutely necessary, and when discarding any such documents, use a cross-cut shredder rather than discarding them in the general trash or recycle bin,” he says. “Lock up all sensitive documents until they can be shredded.”


Protect your data and transactions

Technology allows your financial staff to conduct a range of banking and other computing activities outside the office. That’s great for day-to-day efficiency and flexibility — and business continuity in times of disaster — but it also presents risks. You may have strong security built into your employees’ work devices — and physical controls in the office — but what happens when they move the workplace to their homes?

To guard against the risks presented by employees teleworking during the coronavirus pandemic, it’s important for treasury managers to promote the best practices described above. By utilizing these practices, you can help ensure your company’s data and banking transactions remain secure.

 
